Website Security Checklist
Essential website security checklist: SSL/TLS configuration, headers, authentication, updates, backups, and monitoring. Prioritized for maximum impact.
Website security isn't one thing -- it's a stack of protections, each covering a different attack surface. The challenge isn't knowing what to do; it's knowing what to do first. This checklist is prioritized by impact: start at the top, work your way down, and you'll cover the items that prevent the most damage first.
No checklist is exhaustive, but this one covers the essentials that every website should have in place.
Tier 1: Critical (Do These First)
These items prevent the most common and damaging attacks. If any of these are missing, fix them before anything else.
Valid SSL/TLS certificate on all pages
Every page on your site should be served over HTTPS with a valid certificate. Not just the login page or checkout -- every page. Check that the certificate is issued by a trusted CA, hasn't expired, and covers all your domains and subdomains (including www and non-www).
How to verify: Visit your site and check for the padlock icon, or run it through Qualys SSL Labs (ssllabs.com/ssltest).
HTTPS everywhere with HTTP redirect
All HTTP traffic should redirect to HTTPS using a 301 permanent redirect. No page should be accessible over plain HTTP. This includes assets (images, scripts, stylesheets) -- mixed content warnings mean something is still loading over HTTP.
How to verify: Try visiting http://yoursite.com and confirm it redirects to https://yoursite.com.
Strong TLS configuration
Disable TLS 1.0 and TLS 1.1 -- they have known vulnerabilities. Only support TLS 1.2 and TLS 1.3. Disable weak cipher suites (anything with RC4, DES, or export-grade ciphers). Prioritize ciphers that support forward secrecy (ECDHE).
How to verify: Qualys SSL Labs will grade your TLS configuration and flag weak protocols and ciphers.
HSTS (HTTP Strict Transport Security)
Add the Strict-Transport-Security header to tell browsers to always use HTTPS for your domain. This prevents SSL stripping attacks where an attacker downgrades a connection from HTTPS to HTTP.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
How to verify: Check your response headers using browser dev tools (Network tab) or curl -I https://yoursite.com.
Security headers
Configure these essential HTTP security headers:
- Content-Security-Policy (CSP): Controls which resources the browser can load. Prevents XSS attacks by restricting script sources.
- X-Content-Type-Options: Set to
nosniffto prevent MIME type sniffing. - X-Frame-Options: Set to
DENYorSAMEORIGINto prevent clickjacking via iframes. - Referrer-Policy: Control how much referrer information is sent with requests.
strict-origin-when-cross-originis a good default. - Permissions-Policy: Restrict access to browser features (camera, microphone, geolocation).
How to verify: Use securityheaders.com to scan your site and get a grade.
SSL certificate monitoring
Set up automated monitoring that checks your certificates daily and alerts you before they expire. This catches renewal failures, configuration drift, and certificates you forgot about. Escalating alerts (30, 14, 7, 3, 1 day) ensure you can't accidentally ignore an upcoming expiry.
How to verify: Confirm you have monitoring in place for every domain and subdomain you operate.
Don't skip HSTS
Without HSTS, the first request to your site can still be intercepted over HTTP before the redirect to HTTPS happens. HSTS eliminates this window by telling the browser to never even try HTTP.
Check the first box: SSL monitoring
Monitor your certificates and get alerts before they expire. The easiest security win.
Tier 2: Important (Do These Next)
These items address common attack vectors and operational risks. They're less urgent than Tier 1 but still essential for a secure website.
Keep software updated
Update your web server (Nginx, Apache), CMS (WordPress, etc.), frameworks, libraries, and operating system regularly. Most breaches exploit known vulnerabilities with available patches. Subscribe to security mailing lists for your stack and apply critical updates promptly.
How to verify: Check version numbers against the latest stable releases. Use tools like npm audit, pip audit, or Dependabot for dependency scanning.
Strong authentication
Enforce strong passwords (minimum 12 characters, no common passwords). Implement multi-factor authentication (MFA) for all admin accounts and sensitive operations. Use rate limiting on login endpoints to prevent brute force attacks. Consider implementing account lockout after repeated failed attempts.
How to verify: Try common passwords on your login page. Verify MFA is enabled for all admin users. Test rate limiting by making rapid login attempts.
Backup strategy
Maintain regular, automated backups of your database and files. Store backups off-site (different server, cloud storage). Test restore procedures quarterly -- a backup you can't restore is not a backup. Encrypt backup files at rest.
How to verify: Restore from your most recent backup to a test environment. Verify data integrity.
Access control
Apply the principle of least privilege: every user and service account should have only the permissions they need. Review access regularly. Remove accounts for departed team members immediately. Use separate accounts for admin and routine tasks.
How to verify: Audit user accounts and permissions quarterly. Check for dormant accounts and excessive privileges.
Input validation and output encoding
Validate all user input on the server side (client-side validation is easily bypassed). Encode output to prevent XSS. Use parameterized queries to prevent SQL injection. Never trust data from the client.
How to verify: Run a web application scanner like OWASP ZAP against your site. Test forms with common injection payloads.
Tier 3: Good Practice (Strengthen Your Posture)
These items provide defense in depth. They're not the first things to implement, but they meaningfully improve your security once the basics are covered.
Content Security Policy fine-tuning
Start with a report-only CSP to identify what your policy would block, then gradually tighten it. A well-configured CSP is one of the strongest defenses against XSS attacks. Use nonces or hashes for inline scripts rather than unsafe-inline.
Subresource Integrity (SRI)
Add integrity attributes to external scripts and stylesheets. SRI ensures that if a CDN is compromised, tampered files won't execute in your users' browsers. <script src="..." integrity="sha384-..." crossorigin="anonymous">.
Rate limiting and DDoS protection
Implement rate limiting on API endpoints, login pages, and form submissions. Use a CDN with DDoS protection (Cloudflare, AWS CloudFront) for public-facing sites. Rate limiting prevents abuse; DDoS protection prevents volumetric attacks.
Logging and alerting
Log security-relevant events: failed logins, permission changes, admin actions, error spikes. Send alerts for anomalous patterns. Logs are useless if nobody looks at them -- set up automated alerting for suspicious activity.
Regular security scanning
Run automated vulnerability scans monthly. Use tools like OWASP ZAP, Nessus, or Qualys for different perspectives. Schedule penetration tests annually if your budget allows. Fix critical findings promptly.
DNS security
Enable DNSSEC to prevent DNS spoofing. Use CAA records to restrict which CAs can issue certificates for your domain. Monitor Certificate Transparency logs for unauthorized certificate issuance.
The Verification Toolkit
You don't need expensive tools to verify most of this checklist. These free resources cover the essentials:
| Tool | What It Checks | URL |
|---|---|---|
| Qualys SSL Labs | SSL/TLS configuration | ssllabs.com/ssltest |
| SecurityHeaders.com | HTTP security headers | securityheaders.com |
| Mozilla Observatory | Overall web security | observatory.mozilla.org |
| OWASP ZAP | Web application vulnerabilities | zaproxy.org |
| Hardenize | SSL, DNS, email security | hardenize.com |
| crt.sh | Certificate Transparency logs | crt.sh |
Making It Stick
A checklist is only useful if it leads to action. Here's how to make this sustainable:
Start with Tier 1. Don't try to implement everything at once. Get the critical items in place first. They cover the most surface area with the least effort.
Schedule quarterly reviews. Security isn't a one-time project. Set a calendar reminder to revisit this checklist every quarter. Check for new vulnerabilities, review access controls, and verify that automated processes (backups, monitoring, certificate renewal) are still working.
Assign ownership. Every item on this list should have a person responsible for it. "The team" isn't an owner. Name a specific person who's accountable for SSL certificates, for backups, for software updates.
Automate what you can. Automated certificate renewal, automated dependency scanning, automated backups, automated monitoring. The fewer things that depend on someone remembering to do them, the more reliably they get done.
The items at the top of this list -- valid SSL, HTTPS everywhere, strong TLS, security headers, and certificate monitoring -- are the fastest to implement and prevent the most common attacks. Start there. Today.
Related Articles
Security is a process, not a checkbox. But checklists are a pretty good place to start.
Never miss an SSL certificate expiry
Monitor your certificates and get alerts before they expire. Free for up to 3 certificates.