
Website Security Checklist

A practical, actionable security checklist for website owners and developers. Cover the essentials to protect your site and users.

10 min read. Updated March 2026

1. HTTPS & SSL/TLS

HTTPS encrypts data in transit between your users and your server. It is a baseline requirement, not optional.

  • Valid SSL/TLS certificate installed (not expired, correct domain)
  • TLS 1.2 or 1.3 — disable TLS 1.0 and 1.1
  • 301 redirect from HTTP to HTTPS on all pages
  • No mixed content (HTTP resources on HTTPS pages)
  • HSTS header enabled with a minimum max-age of 1 year
HTTP Header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

2. Security headers

HTTP response headers are your first line of defense against XSS, clickjacking, and data injection attacks.

HTTP Headers
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Content-Security-Policy: Controls which resources the browser can load
  • X-Content-Type-Options: Prevents MIME-type sniffing
  • X-Frame-Options: Blocks clickjacking via iframes
  • Referrer-Policy: Controls how much referrer info is shared
  • Permissions-Policy: Restricts browser feature access
Dr Urls checks all of these headers automatically during a security audit.
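As an added example (not Dr Urls' own code), a small Python checker that evaluates one response's headers against the HSTS and security-header items in sections 1 and 2; the two sample header sets are constructed, not captured from a real site.

```python
# Added example, not Dr Urls' own code: checks one HTTP response's headers
# against the HSTS and security-header items of this checklist.
import re
ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age the checklist asks for

def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # Split into directives; script-src falls back to default-src when absent.
        d = {p.split()[0]: p.split()[1:] for p in csp.split(";") if p.strip()}
        script = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script or "*" in script:
            findings.append("CSP: script-src allows inline or wildcard sources")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or permissive")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name}: header missing")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}
```

Calling `audit_headers(GOOD)` returns an empty list, while `audit_headers(WEAK)` reports the short max-age, the missing includeSubDomains, the inline script source and the four absent or permissive headers.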


3. Authentication & access control

  • Enforce strong password policies (12+ characters, complexity)
  • Implement multi-factor authentication (MFA/2FA)
  • Rate-limit login attempts to prevent brute force
  • Set the Secure, HttpOnly, and SameSite attributes on session cookies
  • Implement CSRF protection on all state-changing forms
  • Admin panels are not publicly accessible or discoverable
Never store passwords in plain text. Use bcrypt, scrypt, or Argon2 for hashing.

4. Input validation

  • Validate and sanitize all user input on the server side
  • Use parameterized queries to prevent SQL injection
  • Encode output to prevent XSS (HTML, JS, URL contexts)
  • Validate file uploads (type, size, content)
  • Implement Content-Security-Policy to mitigate XSS impact

5. Dependency management

  • Audit npm/pip/composer packages regularly for vulnerabilities
  • Use lock files (package-lock.json, pnpm-lock.yaml)
  • Enable automated security alerts (Dependabot, Snyk)
  • Remove unused dependencies
  • Pin CMS/framework versions and apply security patches promptly


6. Monitoring & incident response

  • Set up uptime monitoring with alerting
  • Monitor error logs for unusual patterns
  • Configure Web Application Firewall (WAF) rules
  • Have an incident response plan documented
  • Regularly scan for malware and injected scripts

7. Backup & recovery

  • Automate daily backups of database and files
  • Store backups off-site (different cloud region/provider)
  • Test restore procedures quarterly
  • Encrypt backups at rest
  • Define Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
