A comprehensive 50-point website security checklist covering headers, SSL, CORS, cookies, secrets, DNS, and more. Each item links to a specific ScanMyVibe check.
Your Complete Security Checklist
This is the definitive website security checklist for 2026. Every item is based on real-world breach data, OWASP guidelines, and the checks run by modern security scanners. Use this to audit any website systematically.
Each section corresponds to a module in the ScanMyVibe scanner, which can automatically check most of these items in under 30 seconds.
---
HTTP Security Headers
Security headers are your first line of defense. Over 73% of websites are missing at least one critical header.
[ ]Content-Security-Policy (CSP) is present and does not use unsafe-inline for scripts
[ ]Strict-Transport-Security (HSTS) is set with max-age of at least 31536000 (1 year)
[ ]HSTS includes includeSubDomains directive
[ ]HSTS preload is enabled and domain is submitted to hstspreload.org
[ ]X-Frame-Options is set to DENY or SAMEORIGIN, and the CSP frame-ancestors directive states the same policy (modern browsers give frame-ancestors precedence; X-Frame-Options covers the rest)
[ ]X-Content-Type-Options is set to nosniff
[ ]Referrer-Policy is set (strict-origin-when-cross-origin recommended)
[ ]Permissions-Policy disables unused browser features (camera, microphone, geolocation)
[ ]Cross-Origin-Opener-Policy is set to same-origin
[ ]Cross-Origin-Resource-Policy is set to same-origin or same-site
How to check: Run a ScanMyVibe scan — the Headers module checks all 10 items above and generates framework-specific fix code.
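The same ten checks can be scripted against a captured response. The following is an added example written for this page, not ScanMyVibe's scanner code; the `SAMPLE_HEADERS` dictionary is a constructed response from a hypothetical site that sets most headers but gets three of them wrong, and the script reports which checklist items fail.

```python
"""Audit a response's security headers against the checklist above.
Added example, not ScanMyVibe code; SAMPLE_HEADERS is constructed."""
import re

ONE_YEAR = 31536000

# Constructed response from a hypothetical site: weak CSP, short HSTS
# lifetime without preload, and an invalid X-Frame-Options value.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-site",
}


def _csp_directive(csp, name):
    """Source list for one CSP directive. When script-src is absent the
    browser falls back to default-src, so the audit does the same."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives.get(name, directives.get("default-src", []))


def _hsts(value):
    """Parse Strict-Transport-Security into (max_age, includeSubDomains, preload)."""
    max_age, flags = 0, set()
    for part in value.split(";"):
        part = part.strip().lower()
        match = re.fullmatch(r"max-age=(\d+)", part)
        if match:
            max_age = int(match.group(1))
        elif part:
            flags.add(part)
    return max_age, "includesubdomains" in flags, "preload" in flags


def audit_headers(headers):
    """Return the failed checklist items for a response header mapping."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    failures = []

    csp = h.get("content-security-policy")
    if csp is None:
        failures.append("CSP missing")
    elif "'unsafe-inline'" in _csp_directive(csp, "script-src"):
        failures.append("CSP allows unsafe-inline scripts")

    max_age, subdomains, preload = _hsts(h.get("strict-transport-security", ""))
    if max_age < ONE_YEAR:
        failures.append("HSTS max-age below one year")
    if not subdomains:
        failures.append("HSTS lacks includeSubDomains")
    if not preload:
        failures.append("HSTS lacks preload")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        failures.append("X-Frame-Options not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        failures.append("X-Content-Type-Options not nosniff")
    if "referrer-policy" not in h:
        failures.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        failures.append("Permissions-Policy missing")
    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        failures.append("COOP not same-origin")
    if h.get("cross-origin-resource-policy", "").lower() not in ("same-origin", "same-site"):
        failures.append("CORP not same-origin/same-site")
    return failures


if __name__ == "__main__":
    for failure in audit_headers(SAMPLE_HEADERS):
        print("FAIL:", failure)
```

Note the default-src fallback in the CSP check: a policy of `default-src 'self' 'unsafe-inline'` with no script-src still allows inline scripts, and a checker that only looks at script-src would miss it.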
---
SSL/TLS Configuration
Encryption is baseline, but configuration details matter.
[ ]Valid SSL certificate with no expiration warnings
[ ]Full certificate chain is served (no missing intermediates)
[ ]TLS 1.2 minimum enforced (TLS 1.0 and 1.1 disabled)
[ ]TLS 1.3 support enabled for improved performance and security
[ ]Strong cipher suites only (no RC4, DES, 3DES, or export ciphers)
[ ]Forward secrecy enabled (ECDHE key exchange)
[ ]OCSP stapling configured
[ ]HTTP redirects straight to the HTTPS version of the same host with a permanent redirect (301 or 308, not 302), and HSTS is sent on the HTTPS response itself (browsers ignore HSTS received over plain HTTP)
[ ]No mixed content — all resources loaded over HTTPS
---
CORS (Cross-Origin Resource Sharing)
CORS misconfigurations are one of the most common API security vulnerabilities.
[ ]Access-Control-Allow-Origin does not reflect arbitrary origins
[ ]No wildcard origin with credentials (browsers block this, but check server config)
[ ]Null origin is not trusted
[ ]Specific origins allowlisted by exact string match (no endsWith, startsWith or regex checks: endsWith("example.com") also trusts evil-example.com)
[ ]Access-Control-Allow-Methods only includes methods your API actually uses
[ ]Access-Control-Allow-Headers is restrictive (not wildcard)
[ ]Access-Control-Max-Age is set to cache preflight responses
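Origin validation is where most CORS failures happen, so the following added example (written for this page, not ScanMyVibe's or any framework's code) puts three common broken validators beside an exact-match one and shows which constructed attacker origins each would trust. The allowed origins, attacker origins and the credentialed API's response headers are all hypothetical.

```python
"""CORS origin validation: three broken patterns and the exact-match fix.
Added example, not from the page; all origins are constructed."""
import re

# Hypothetical trusted front-ends for an API at api.example.com.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})

# Constructed origins an attacker controls or can cause a browser to send.
ATTACKER_ORIGINS = [
    "https://evil.net",
    "https://evil-example.com",
    "https://example.com.evil.net",
    "https://exampleXcom",
    "null",  # sandboxed iframes, file:// pages, some redirects
]


def reflect_origin(origin):
    """Broken: echoes any Origin back, so every site on the web is trusted."""
    return origin


def suffix_match(origin):
    """Broken: 'ends with example.com' also matches evil-example.com."""
    return origin if origin.endswith("example.com") else None


def loose_regex(origin):
    """Broken: unescaped '.' and no end anchor admit exampleXcom and
    example.com.evil.net."""
    return origin if re.match(r"https://.*example.com", origin) else None


def exact_match(origin):
    """Hardened: exact set membership. The literal 'null' origin is never in
    the set, so it is rejected like any other unknown origin."""
    return origin if origin in ALLOWED_ORIGINS else None


def cors_headers(origin):
    """Response headers for a credentialed API. Nothing is emitted for an
    untrusted origin; Vary: Origin stops a shared cache from replaying one
    origin's Access-Control-Allow-Origin to another."""
    allowed = exact_match(origin)
    if allowed is None:
        return {}
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",                    # only what the API uses
        "Access-Control-Allow-Headers": "Content-Type, Authorization",  # never '*'
        "Access-Control-Max-Age": "600",                                # cache preflights
        "Vary": "Origin",
    }


def bypasses(validator):
    """Attacker origins a validator would wrongly trust."""
    return [o for o in ATTACKER_ORIGINS if validator(o) is not None]


if __name__ == "__main__":
    for v in (reflect_origin, suffix_match, loose_regex, exact_match):
        print(f"{v.__name__:15} trusts {bypasses(v)}")
```

Because browsers refuse `Access-Control-Allow-Origin: *` together with credentials, developers often "fix" the error by reflecting the Origin header, which is the first function above and is strictly worse than the wildcard: it grants every origin credentialed access.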
---
Cookie Security
Every authentication cookie must be properly secured.
[ ]Secure flag set on all sensitive cookies (HTTPS only)
[ ]HttpOnly flag set on session and auth cookies (blocks JavaScript access)
[ ]SameSite attribute set to Lax or Strict (limits CSRF; Lax still sends the cookie on top-level GET navigations, so keep anti-CSRF tokens on state-changing requests)
[ ]Cookie scoped to the host that needs it: no Domain attribute (so sibling subdomains cannot read it) and the __Host- prefix where supported; Path is not a security boundary (any same-origin page can read cookies set for any path), so do not rely on it for isolation
[ ]Session cookies expire on browser close (no Max-Age or Expires on the session cookie) and are also invalidated server-side, since browser session restore can keep them alive
[ ]No sensitive data in cookies (user IDs, emails, tokens in clear text)
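A Set-Cookie audit is a small parser plus the rules above. The following added example (not ScanMyVibe code) parses constructed Set-Cookie headers from a hypothetical application and reports which cookie checks fail; it also checks the `__Host-` prefix requirements (Secure, no Domain, Path=/), since browsers silently drop a prefixed cookie that violates them. The name substrings used to decide which cookies are sensitive are an assumption for the example.

```python
"""Parse Set-Cookie headers and flag missing protections.
Added example, not ScanMyVibe code; SAMPLE_SET_COOKIES are constructed."""

# Assumed name fragments that mark a cookie as carrying a session or credential.
SENSITIVE_NAMES = ("session", "sid", "auth", "token", "jwt")

# Constructed Set-Cookie headers from a hypothetical app.
SAMPLE_SET_COOKIES = [
    "sessionid=8f3a2c91; Path=/; HttpOnly",
    "auth_token=eyJhbGciOi; Secure; SameSite=None; Max-Age=2592000",
    "theme=dark; Path=/; Secure; SameSite=Lax",
    "__Host-sid=4d1f7e; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-sid2=9b0c; Domain=example.com; Secure; HttpOnly; SameSite=Strict",
]

HOST_PREFIX_FAILURE = ("__Host- prefix requirements not met (Secure, no Domain, Path=/); "
                       "browsers reject the cookie")


def parse_set_cookie(header):
    """Return (name, value, attributes). Attribute names are case-insensitive
    and are lowercased; flag attributes such as Secure get an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return the checklist failures for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    sensitive = any(s in name.lower() for s in SENSITIVE_NAMES)
    failures = []
    # On an HTTPS-only site every cookie can carry Secure.
    if "secure" not in attrs:
        failures.append("missing Secure")
    if sensitive and "httponly" not in attrs:
        failures.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        failures.append("SameSite not Lax/Strict")
    if sensitive and ("max-age" in attrs or "expires" in attrs):
        failures.append("persisted past browser close")
    if name.startswith("__Host-") and (
        "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"
    ):
        failures.append(HOST_PREFIX_FAILURE)
    return failures


def audit_all(headers):
    """Map each cookie name to its failures."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie, failures in audit_all(SAMPLE_SET_COOKIES).items():
        print(f"{cookie}: {failures or 'ok'}")
```

The audit deliberately does not treat the Path attribute as a control: a page at /app can read a cookie scoped to /admin through a same-origin frame, so Path narrows when the cookie is sent, not who can read it.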
---
Information Disclosure
Attackers use leaked information to plan targeted attacks.
[ ]Server header does not reveal software name or version
[ ]X-Powered-By header is removed
[ ]No stack traces in error responses (production error pages only)
[ ]No .env files accessible via HTTP
[ ]No .git directory accessible via HTTP
[ ]No source maps in production (or restricted to authenticated users)
[ ]No backup files accessible (.bak, .old, .sql, .zip)
[ ]Directory listing is disabled
[ ]robots.txt does not reveal sensitive paths
[ ]No API keys or secrets in client-side JavaScript
---
Cross-Site Scripting (XSS) Prevention
XSS remains among the most commonly reported web application vulnerabilities.
[ ]CSP blocks inline scripts (no unsafe-inline in script-src)
[ ]CSP blocks eval (no unsafe-eval in script-src)
[ ]User input is output-encoded for the context it lands in (HTML body, attribute, JavaScript, URL) at the point of rendering; validation at system boundaries complements this but does not replace it
[ ]No dangerouslySetInnerHTML / v-html with unsanitized user content
[ ]URL inputs validated against an allowlist of schemes (http, https) rather than a blocklist of javascript: (which misses case, whitespace and data: variants)
[ ]Subresource Integrity (SRI) on all third-party scripts that are static and versioned (SRI cannot protect a script the vendor changes in place; pin a version or self-host instead)
[ ]DOMPurify or equivalent used for any HTML rendering from user input
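The URL-validation item deserves a worked example because the obvious blocklist fails in several ways. The following added example (not from the page or any library) compares a naive `startswith("javascript:")` check with an allowlist that first applies the normalisation browsers perform before reading the scheme: leading and trailing C0 control characters and spaces are stripped, and ASCII tab and newline are removed anywhere. The candidate hrefs are constructed inputs.

```python
"""Allowlist URL schemes the way a browser will actually parse them.
Added example, not from the page; CONSTRUCTED_INPUTS are made up."""
from urllib.parse import urlsplit

# Browsers strip leading/trailing C0 controls and space, and remove ASCII
# tab, CR and LF anywhere, before the scheme is parsed (WHATWG URL spec).
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = {ord("\t"): None, ord("\n"): None, ord("\r"): None}

SAFE_SCHEMES = frozenset({"http", "https"})

# Constructed hrefs: (candidate, should it be allowed?)
CONSTRUCTED_INPUTS = [
    ("https://example.com/profile", True),
    ("/account/settings", True),
    ("javascript:alert(1)", False),
    ("JaVaScRiPt:alert(1)", False),
    ("  javascript:alert(1)", False),
    ("java\tscript:alert(1)", False),
    ("\x01javascript:alert(1)", False),
    ("data:text/html,<script>alert(1)</script>", False),
    ("//evil.example/", False),
    ("vbscript:msgbox(1)", False),
]


def naive_is_safe(url):
    """Broken: the blocklist most codebases start with."""
    return not url.startswith("javascript:")


def is_safe_href(url):
    """Allowlist check after browser-style normalisation.

    Relative references are allowed, except protocol-relative ones
    ("//evil.example") and any containing a backslash, which browsers treat
    as a slash for http(s) URLs."""
    cleaned = url.strip(_C0_AND_SPACE).translate(_TAB_NEWLINE)
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        return parts.netloc == "" and "\\" not in cleaned
    return parts.scheme.lower() in SAFE_SCHEMES


def wrongly_allowed(validator):
    """Dangerous constructed inputs the validator lets through."""
    return [u for u, ok in CONSTRUCTED_INPUTS if not ok and validator(u)]


if __name__ == "__main__":
    print("naive  lets through:", wrongly_allowed(naive_is_safe))
    print("allowlist lets through:", wrongly_allowed(is_safe_href))
```

Recent CPython versions perform some of this stripping inside `urlsplit` themselves, but doing it explicitly keeps the check correct on older interpreters and makes the intent visible in review.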
---
DNS and Domain Security
Your domain configuration affects security at the network level.
[ ]DNSSEC is enabled
[ ]CAA records specify which certificate authorities can issue certs for your domain
[ ]SPF record configured to prevent email spoofing
[ ]DKIM configured for email authentication
[ ]DMARC policy set (p=quarantine or p=reject)
[ ]No dangling DNS records pointing to decommissioned services (subdomain takeover risk)
---
Application Security
Beyond configuration, your application code matters.
[ ]Rate limiting on authentication endpoints
[ ]Account lockout or progressive throttling after failed login attempts (a hard lockout lets an attacker lock legitimate users out, so prefer escalating delays or step-up challenges, throttled per account and per source)
[ ]CSRF protection on state-changing requests
[ ]Input validation on all API endpoints
[ ]SQL parameterized queries (no string concatenation in queries)
[ ]File upload restrictions (type, size, storage location)
[ ]Authentication tokens are cryptographically random and sufficiently long
[ ]Password hashing uses bcrypt, scrypt, or Argon2 with a per-user salt (not MD5, SHA-1, or a plain salted SHA-256, which are fast enough for offline brute force)
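The last two items are where hand-rolled code most often goes wrong, so the following added example shows them done with the standard library only: session tokens from the OS CSPRNG via `secrets`, and password storage with `hashlib.scrypt`, a per-password salt, the cost parameters stored alongside the hash so they can be raised later, and a constant-time comparison. It is example code written for this page, not ScanMyVibe's; the cost parameters are an assumed starting point, not a recommendation for any particular deployment.

```python
"""Session tokens from the OS CSPRNG and salted, memory-hard password
hashing with the standard library only. Added example, not ScanMyVibe code."""
import base64
import hashlib
import hmac
import os
import secrets

# Assumed scrypt cost: 2**14/8/1 uses about 16 MiB and tens of milliseconds on
# a laptop. Raise n as hardware allows; the values travel with each hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def new_session_token():
    """256 bits from the OS CSPRNG, URL-safe. random.random() is predictable
    and must never be used for tokens."""
    return secrets.token_urlsafe(32)


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password):
    """Return 'scrypt$n$r$p$salt$digest' with a fresh 16-byte salt, so two
    users with the same password get different hashes."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time,
    so response timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:  # malformed record, bad base64, or bad parameters
        return False
    return hmac.compare_digest(candidate, expected)


def legacy_hash(password):
    """What the checklist rules out: unsalted and fast, so identical passwords
    collide and GPUs test billions of guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(new_session_token())
```

Storing the parameters in the record is what makes later migration possible: when you raise `SCRYPT_N`, existing records still verify, and you can re-hash on the next successful login.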
---
How to Use This Checklist
Option 1: Manual audit. Go through each item above and verify your website's configuration. This takes 2-4 hours for a thorough review.
Option 2: Automated scan + manual review. Run a ScanMyVibe scan to automatically check the configuration-level items (headers, SSL, CORS, cookies, information disclosure, XSS vectors). Then manually review the application-level items that require code access. This takes about 30 minutes total.
Option 3: Continuous monitoring. Scan your production URL after every deployment. Catch regressions immediately instead of discovering them during a quarterly audit.
Priority Order
If you cannot do everything at once, fix issues in this order:
1. SSL/TLS basics — Valid certificate, HTTPS redirect, TLS 1.2 minimum
2. Security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options
3. Cookie security — Secure, HttpOnly, SameSite on all auth cookies
4. Information disclosure — Remove server versions, debug output, exposed files
5. CORS — Whitelist specific origins, remove wildcard configurations
6. DNS security — DNSSEC, CAA, SPF, DKIM, DMARC
7. Application hardening — Rate limiting, CSRF, input validation
Items 1-4 can be completed in a single afternoon and address the most common breach vectors.
Start Now
The fastest path to a secure website: scan your site with ScanMyVibe, get your results in 30 seconds, and start working through the findings from highest to lowest severity. Every finding includes an AI-generated fix prompt you can paste directly into Cursor, Copilot, or Claude.
Security is not a one-time task. Bookmark this checklist, scan after every deployment, and keep improving. The attackers are scanning your site already — make sure you are too.