Website Security Checklist
15 practical things every website owner should audit. Run through this list quarterly.
HTTPS and SSL
- Valid SSL certificate installed and not expired
- HTTP redirects to HTTPS automatically (301 redirect)
- Strict-Transport-Security header enabled with a reasonable max-age
- No mixed content warnings (all resources loaded over HTTPS)
- Certificate chain is complete (intermediate certs included)
Security Headers
- Content-Security-Policy set — restricts script and resource sources to prevent XSS
- X-Frame-Options set to DENY or SAMEORIGIN — prevents clickjacking
- X-Content-Type-Options: nosniff — stops MIME type sniffing
- Referrer-Policy set (recommend strict-origin-when-cross-origin)
- Permissions-Policy disables unused browser features
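The HTTPS and Security Headers items above can be audited mechanically from a captured response. The script below is an added example, not part of the original checklist: it takes a response-header mapping (the two sample header sets are constructed for illustration), treats 6 months as the "reasonable" HSTS max-age threshold (an assumption), and returns the checklist items that fail, including a CSP that nominally exists but still allows inline scripts.

```python
"""Audit HTTP response headers against the HTTPS / Security Headers checklist items.

Added example; the header samples below are constructed, not captured from a real site.
"""
from __future__ import annotations

import re

# Assumption for this example: an HSTS max-age shorter than 6 months is "too short".
MIN_HSTS_MAX_AGE = 15_552_000


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    # Strict-Transport-Security: present, with a max-age at or above the threshold
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short or absent")

    # Content-Security-Policy: present, and script-src must not allow inline scripts,
    # otherwise the policy does not actually restrict script sources
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp, re.I):
        findings.append("CSP allows 'unsafe-inline' scripts")

    # X-Frame-Options: DENY or SAMEORIGIN only
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # X-Content-Type-Options: must be exactly "nosniff"
    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")

    # Referrer-Policy and Permissions-Policy: presence checks
    if _get(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")
    if _get(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy missing")

    return findings


# Constructed sample: a response that satisfies the checklist
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed sample: a response with weak or missing headers (lower-case names on purpose)
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src *; script-src * 'unsafe-inline'",
    "x-frame-options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["all checks passed"])
```

To audit a live site, feed `audit_security_headers` the header mapping from whatever HTTP client you already use; the check itself needs no network access, which also makes it easy to run in CI against a staging deployment.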
DNS Configuration
- DNSSEC enabled on your domain for integrity verification
- A/AAAA records point to the correct servers
- MX records configured correctly for email delivery
- SPF, DKIM, and DMARC records set up for email authentication
- No open DNS resolvers exposed on your infrastructure
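"SPF, DKIM, and DMARC records set up" is easy to tick without checking that the records actually enforce anything. The following is an added example, not part of the original checklist: it parses SPF and DMARC TXT records (the inputs are constructed strings, as returned by a TXT lookup for the domain and for `_dmarc.<domain>`) and reports records that exist but are too permissive, such as an SPF ending in `?all` or a DMARC policy of `p=none`. The lookup limit of 10 and the single-SPF-record rule come from RFC 7208; DKIM is not covered because verifying it requires the selector name, which this example does not assume.

```python
"""Check SPF and DMARC TXT records for the email-authentication checklist item.

Added example; the record strings used below are constructed, not real DNS answers.
"""
import re

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$|/)", re.I)
MAX_SPF_LOOKUPS = 10


def check_spf(txt_records: list[str]) -> list[str]:
    """Return findings for the domain's TXT records; empty list means SPF looks sound."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings: list[str] = []
    if len(spf) > 1:
        findings.append("multiple SPF records (RFC 7208 requires exactly one)")

    terms = spf[0].split()
    # The final term should be "all" with a fail (-) or softfail (~) qualifier;
    # "?all" (neutral) or "+all" means the record authorises anyone.
    last = terms[-1].lower()
    if last not in ("-all", "~all"):
        findings.append(f"SPF does not end with -all or ~all (found {last!r})")

    lookups = sum(
        1 for t in terms[1:] if _LOOKUP_TERM.match(t) or t.lower().startswith("redirect=")
    )
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is {MAX_SPF_LOOKUPS})")
    return findings


def check_dmarc(txt_records: list[str]) -> list[str]:
    """Return findings for the _dmarc.<domain> TXT records."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record at _dmarc.<domain>"]

    # DMARC records are "tag=value" pairs separated by semicolons
    tags: dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()

    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is {policy or 'missing'!r}, not quarantine/reject")
    if "rua" not in tags:
        findings.append("no rua= aggregate report address, so failures go unseen")
    return findings


# Constructed sample records for a hypothetical domain
DOMAIN_TXT = ["v=spf1 include:_spf.example.net -all"]
DMARC_TXT = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]
WEAK_DOMAIN_TXT = ["v=spf1 a mx ?all"]
WEAK_DMARC_TXT = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    print("spf:", check_spf(DOMAIN_TXT) or "ok")
    print("dmarc:", check_dmarc(DMARC_TXT) or "ok")
    print("weak spf:", check_spf(WEAK_DOMAIN_TXT))
    print("weak dmarc:", check_dmarc(WEAK_DMARC_TXT))
```

Feed the functions the strings from your resolver's TXT answers; a `p=none` DMARC policy is a monitoring-only setting and should be treated as a finding once you are confident in your SPF and DKIM alignment.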
Authentication and Access
- All accounts use strong, unique passwords (12+ characters)
- Multi-factor authentication (MFA) enabled on all admin accounts
- No default credentials left on any service or device
- Admin panels and sensitive endpoints not publicly exposed where possible
- Session management uses secure, HttpOnly, SameSite cookies
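For the session-cookie item, both halves matter: issuing the cookie with the right attributes and verifying what the server actually sends. The code below is an added example, not from the original checklist: `build_session_cookie` produces a `Set-Cookie` value with `Secure`, `HttpOnly` and `SameSite=Lax` (the `__Host-` prefix and its Path/Domain constraints are the standard browser-enforced cookie-prefix rule, not something the checklist mentions), and `audit_set_cookie` parses any `Set-Cookie` header and lists the missing protections. The cookie strings are constructed samples.

```python
"""Issue and audit session cookies for the Secure / HttpOnly / SameSite checklist item.

Added example; the Set-Cookie strings below are constructed, not captured from a site.
"""


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value that satisfies the checklist.

    The __Host- prefix makes browsers reject the cookie unless it is Secure,
    has Path=/ and no Domain attribute, so it cannot be overwritten by a
    sibling subdomain.
    """
    return (
        f"__Host-{name}={value}; Path=/; Max-Age={max_age}; "
        "Secure; HttpOnly; SameSite=Lax"
    )


def audit_set_cookie(set_cookie: str) -> list[str]:
    """Parse one Set-Cookie value and return the protections it is missing."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    # Attributes are either "Key=Value" or bare flags such as Secure / HttpOnly
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True

    findings: list[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")

    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        findings.append(f"{name}: missing SameSite")
    elif samesite.lower() == "none":
        findings.append(f"{name}: SameSite=None gives no cross-site request restriction")
    elif samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: invalid SameSite value {samesite!r}")

    # Cookie-prefix rule: __Host- requires Secure, Path=/ and no Domain attribute
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append(f"{name}: violates the __Host- prefix requirements")
    return findings


# Constructed samples of what a server might send
GOOD_COOKIE = build_session_cookie("sid", "c0nstructed-sample-id")
LEGACY_COOKIE = "sid=c0nstructed-sample-id; Path=/"
BAD_PREFIX_COOKIE = "__Host-sid=x; Secure; HttpOnly; SameSite=Strict; Domain=example.com"

if __name__ == "__main__":
    for cookie in (GOOD_COOKIE, LEGACY_COOKIE, BAD_PREFIX_COOKIE):
        print(cookie)
        print("  ->", audit_set_cookie(cookie) or "ok")
```

Run `audit_set_cookie` over every `Set-Cookie` header in a login response; the session cookie is the one to care about most, but analytics or preference cookies that carry no secrets can legitimately skip `HttpOnly`.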
Software and Code
- CMS, plugins, themes, and dependencies up to date
- Unused plugins, themes, and extensions removed
- Server and application version numbers hidden from response headers and error pages
- Debug mode disabled in production
- Error pages don't leak stack traces or database information
Server Configuration
- Directory listing disabled on web server
- File upload restrictions in place (allowed extensions, size limits)
- Unnecessary ports closed or firewalled
- SSH uses key-based authentication, not passwords
- Database not accessible from the public internet
Backups
- Automated backups running on a regular schedule
- Backups stored offsite or in a separate location from the server
- Restore process tested and documented
- Database dumps included in backups
Monitoring
- Uptime monitoring active with alerts for downtime
- SSL certificate expiry alerts configured (at least 30 days before)
- Server logs reviewed periodically for suspicious activity
- Failed login attempts monitored and rate-limited