Security | 10 min read | Updated May 2025
Website Security Audit Checklist 2025: 40 Things to Check
A complete, actionable security checklist covering every check that matters in 2025. Use this before launch, after a major deployment, or as a quarterly security review.
Categories covered:
- Security Headers (8 checks)
- HTTPS & TLS (6 checks)
- Content Security Policy (5 checks)
- Exposed Paths & Data (7 checks)
- Authentication & Sessions (6 checks)
Security Headers (8 checks)

1. Content-Security-Policy (CSP) header set
CSP defines which sources may load scripts, styles, and media. Without it, attackers can inject and run malicious scripts via XSS.

2. Strict-Transport-Security (HSTS) header set
Forces browsers to always use HTTPS for your domain. Prevents protocol downgrade attacks and SSL stripping.

3. X-Frame-Options: DENY or SAMEORIGIN
Prevents your page from being loaded in an iframe on a malicious site, which blocks clickjacking attacks. The CSP frame-ancestors directive supersedes this header in modern browsers; setting both is harmless.

4. X-Content-Type-Options: nosniff
Stops browsers from guessing (sniffing) the content type of responses, which can otherwise lead to a response being interpreted and executed as script.

5. Referrer-Policy set
Controls how much referrer information is sent with requests. Prevents leaking sensitive URL parameters to third parties.

6. Permissions-Policy (formerly Feature-Policy) set
Restricts access to browser APIs such as camera, microphone, and geolocation. This reduces your attack surface even if your JavaScript is compromised.

7. Cross-Origin-Opener-Policy (COOP) set
Isolates your browsing context from cross-origin windows, mitigating Spectre-style attacks.

8. Cross-Origin-Resource-Policy (CORP) set
Prevents other sites from loading your resources, protecting against cross-site data leaks.
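To make the eight header checks above mechanical, here is an added Python example (not code from this page or from AuditAI). It audits a header mapping already captured from a response, so it runs offline on a constructed sample; the pass thresholds it applies (an HSTS max-age of at least one year, rejecting Referrer-Policy: unsafe-url, COOP unsafe-none and CORP cross-origin) are this example's assumptions, not values stated on the page.

```python
"""Added example: audit a captured HTTP response header mapping against the
eight Security Headers checks. Not the page's or AuditAI's code; the
thresholds below are assumptions made for this example."""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means all pass."""
    findings: List[str] = []

    if _header(headers, "Content-Security-Policy") is None:
        findings.append("CSP missing")

    hsts = _header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    elif _hsts_max_age(hsts) < 31536000:  # assumption: require at least 1 year
        findings.append(f"HSTS max-age too short ({_hsts_max_age(hsts)}s)")

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY or SAMEORIGIN")

    xcto = _header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")

    referrer = _header(headers, "Referrer-Policy")
    if referrer is None or referrer.strip().lower() == "unsafe-url":
        findings.append("Referrer-Policy missing or unsafe-url")

    if _header(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy missing")

    coop = _header(headers, "Cross-Origin-Opener-Policy")
    if coop is None or coop.strip().lower() == "unsafe-none":
        findings.append("COOP missing or unsafe-none")

    corp = _header(headers, "Cross-Origin-Resource-Policy")
    if corp is None or corp.strip().lower() == "cross-origin":
        findings.append("CORP missing or cross-origin")

    return findings


# Constructed sample: a partially hardened response, as often seen in practice.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
}

if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_HEADERS):
        print("FAIL:", finding)
```

Run it against the headers of your own site (for example the dictionary produced by `requests.get(url).headers`) and treat every returned string as a to-do item. Note that the function only checks presence and obviously weak values; whether a CSP or Permissions-Policy is actually strong enough is a separate question.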
HTTPS & TLS (6 checks)

1. HTTPS enforced sitewide
Every page, including subpages, API endpoints, and admin areas, must load over HTTPS without falling back to HTTP.

2. HTTP redirects to HTTPS (301)
Any HTTP request should be permanently redirected to HTTPS, not just silently upgraded.

3. SSL certificate is valid
The certificate must be issued by a trusted CA (not self-signed) and must not be expired or due to expire within 30 days.

4. SSL certificate covers all subdomains
If you use subdomains, the certificate should be a wildcard or SAN certificate that covers all of them.

5. TLS 1.2 or higher (no TLS 1.0/1.1)
TLS 1.0 and 1.1 are deprecated and have known vulnerabilities (POODLE, BEAST). Disable them on your server.

6. Mixed content warnings resolved
HTTPS pages that load HTTP sub-resources (images, scripts, iframes) trigger browser warnings and undermine the page's HTTPS guarantees; modern browsers block active mixed content such as scripts outright, which breaks the page.
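Mixed content (check 6) is easy to miss in templates that hard-code `http://` asset URLs. The following added Python example (not code from this page or from AuditAI) scans a page's HTML for sub-resources that resolve to plain HTTP and labels each as active or passive; the element-to-attribute table and the active/passive split are this example's assumptions, and `srcset` and CSS `url()` references are not covered.

```python
"""Added example: find mixed content in an HTTPS page's HTML. Not the page's
or AuditAI's code; the element/attribute table is this example's assumption."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Elements whose listed attribute triggers a sub-resource fetch (assumption:
# the common cases only; srcset and CSS url() are not covered here).
FETCH_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "object": "data",
    "embed": "src",
}
# Active mixed content can run code or restyle the page; browsers block it.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs) -> None:
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                # Resolve relative and protocol-relative URLs against the page,
                # so "//cdn.example.com/x.js" on an HTTPS page is not flagged.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    severity = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return (severity, tag, url) for every HTTP sub-resource on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one active and one passive HTTP resource, plus two
# references that resolve to HTTPS and must not be flagged.
SAMPLE_PAGE_URL = "https://www.example.com/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="//images.example.com/hero.png">
<img src="http://images.example.com/logo.png" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```

Feed it the HTML of each page you serve (the page URL matters, since relative references are resolved against it). Active findings are the ones to fix first; passive ones still produce the browser warning the checklist item refers to.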
Content Security Policy (5 checks)

1. CSP blocks inline scripts (no 'unsafe-inline')
Allowing 'unsafe-inline' defeats most of CSP's XSS protection. Move inline scripts to external files and use nonces for the exceptions.

2. CSP uses nonces or hashes for necessary inline scripts
If inline scripts are unavoidable, use per-request nonces (random tokens generated fresh for each response) or hashes rather than 'unsafe-inline'.

3. CSP restricts script-src to known domains
Only allow domains you control or explicitly trust. A wildcard (*) or a CDN that also hosts user-supplied content weakens CSP significantly.

4. CSP has a report-uri or report-to directive
CSP violations should be reported to a collector endpoint so you can detect injection attempts in production. report-uri is deprecated in favour of report-to; sending both keeps older browsers reporting.

5. CSP is set as an HTTP header, not a meta tag
A CSP delivered in a meta tag only takes effect once the parser reaches the tag, and it cannot carry every directive (frame-ancestors, report-uri and sandbox are ignored there). Always set CSP as an HTTP response header.
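Checks 1 to 4 above can be evaluated from the policy string alone. The following added Python example (not code from this page or from AuditAI) parses a Content-Security-Policy value and flags the weaknesses the checklist names; it also encodes one caveat worth knowing: a CSP3-aware browser ignores 'unsafe-inline' once a nonce or hash is present in the same directive, so that combination is an acceptable fallback for old browsers rather than a failure. The sample policies are constructed.

```python
"""Added example: parse and audit a Content-Security-Policy string against
checks 1-4 above. Not the page's or AuditAI's code."""
import re
from typing import Dict, List

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha256-|sha384-|sha512-)[A-Za-z0-9+/=_-]+'$")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated. If a directive is repeated, browsers keep
    the first occurrence and ignore the rest, so this parser does the same.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return one finding per failed check; empty means checks 1-4 pass."""
    directives = parse_csp(policy)
    findings: List[str] = []

    # script-src falls back to default-src when it is not set.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
        script_src = []

    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in script_src)
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it only weakens the policy when it stands on its own.
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash")

    for source in script_src:
        if source == "*" or source in ("http:", "https:", "data:"):
            findings.append(f"script-src allows overly broad source {source}")
            break

    if "report-uri" not in directives and "report-to" not in directives:
        findings.append("no report-uri or report-to: violations go unreported")

    return findings


# Constructed samples: a weak policy and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com *"
HARDENED_CSP = (
    "default-src 'self'; "
    # 'unsafe-inline' next to a nonce is a fallback for pre-CSP3 browsers only.
    "script-src 'self' 'nonce-r4nd0mV4lu3' 'unsafe-inline'; "
    "object-src 'none'; base-uri 'self'; "
    "report-to csp-endpoint"
)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, "->", audit_csp(policy) or "OK")
```

The parser deliberately keeps the first occurrence of a repeated directive, matching browser behaviour, so a policy that sets `script-src` twice is audited the way a browser would enforce it.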
Exposed Paths & Data (7 checks)

1. /.env file returns 404 (not 200)
Environment files contain database passwords, API keys, and other secrets. An exposed .env is a critical breach.

2. /.git/config returns 404
An exposed Git config reveals the repository structure, and an exposed .git directory can allow the full source code to be downloaded.

3. /phpinfo.php returns 404
PHP info pages reveal the server configuration, PHP version, loaded modules, and environment variables.

4. /wp-config.php returns 404
WordPress config files contain database credentials and must never be publicly accessible.

5. /admin or /wp-admin is rate-limited
Admin login pages should implement rate limiting and, ideally, IP restriction to prevent brute-force attacks.

6. No source maps deployed to production
Source maps (.map files) expose the original, unminified source of your application to anyone who requests them.

7. Directory listing disabled on web server
If no index file exists, Apache/Nginx should return 403 rather than list every file in the directory.
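Checking these paths by status code alone produces false positives: many CMS and single-page-app setups answer 200 with an HTML error page for every unknown path ("soft 404"), and a 403 is a pass, not a failure. The following added Python example (not code from this page or from AuditAI) classifies one observation per path by combining the status with a content fingerprint, so a scanner's 200 is confirmed as a real exposure before anyone is paged. The fingerprints and the sample observations are this example's assumptions.

```python
"""Added example: decide whether a scanner's response for one of the paths
above is a real exposure, a soft 404, or properly blocked. Not the page's or
AuditAI's code; the content fingerprints are this example's assumptions."""
import re
from typing import Optional

# Content fingerprints per sensitive path (assumption: minimal markers that
# distinguish the real file from an HTML error page).
FINGERPRINTS = {
    "/.env": re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=", re.M),
    "/.git/config": re.compile(r"^\s*\[core\]", re.M),
    "/phpinfo.php": re.compile(r"PHP Version", re.I),
    "/wp-config.php": re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]", re.I),
}
SOURCE_MAP = re.compile(r'"mappings"\s*:')
DIRECTORY_LISTING = re.compile(r"<title>\s*Index of /", re.I)


def _fingerprint(path: str) -> Optional[re.Pattern]:
    """Pick the fingerprint for a path; any .map file counts as a source map."""
    if path.endswith(".map"):
        return SOURCE_MAP
    return FINGERPRINTS.get(path)


def classify_response(path: str, status: int, body: str) -> str:
    """Classify one (path, status, body) observation.

    Returns 'not-found', 'blocked', 'exposed', 'directory-listing',
    'soft-404' (200 with unrelated content, typical of catch-all routes)
    or 'unexpected-<status>'.
    """
    if status == 404:
        return "not-found"
    if status in (401, 403):
        return "blocked"
    if status != 200:
        return f"unexpected-{status}"
    pattern = _fingerprint(path)
    if pattern is not None and pattern.search(body):
        return "exposed"
    if DIRECTORY_LISTING.search(body):
        return "directory-listing"
    return "soft-404"


# Constructed observations, as a scanner would record them.
SAMPLE_OBSERVATIONS = [
    ("/.env", 200, "APP_ENV=production\nDB_PASSWORD=hunter2\n"),
    ("/.env", 200, "<html><body><h1>Page not found</h1></body></html>"),
    ("/.git/config", 404, ""),
    ("/phpinfo.php", 403, "Forbidden"),
    ("/static/js/app.js.map", 200,
     '{"version":3,"mappings":"AAAA","sourcesContent":["const x=1"]}'),
    ("/uploads/", 200, "<html><head><title>Index of /uploads/</title></head></html>"),
]

if __name__ == "__main__":
    for path, status, body in SAMPLE_OBSERVATIONS:
        print(f"{path:24} {status} -> {classify_response(path, status, body)}")
```

Only 'exposed' and 'directory-listing' are incidents; 'soft-404' means the check needs a content-aware scanner rather than a status-code-only one, and 'blocked' means the server is already denying the path as it should.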
Authentication & Sessions (6 checks)

1. Session cookies have the Secure flag
The Secure flag ensures cookies are only sent over HTTPS, preventing cookie theft via network interception.

2. Session cookies have the HttpOnly flag
HttpOnly prevents JavaScript from reading cookies, so an XSS flaw cannot simply read out session tokens.

3. Session cookies have SameSite=Strict or Lax
SameSite protects against CSRF by controlling when cookies are sent with cross-site requests.

4. CSRF protection on state-changing forms
POST, PUT, and DELETE endpoints should require a CSRF token to prevent cross-site request forgery.

5. Password reset links expire after use
One-time password reset tokens should be invalidated immediately after use, not just after a time limit.

6. No credentials in URL parameters
API keys, tokens, or passwords in URLs end up in browser history, server access logs, and Referer headers.
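Checks 1 to 3 and 6 above can be verified from a Set-Cookie header and a URL respectively. The following added Python example (not code from this page or from AuditAI) parses a Set-Cookie header into its attributes, audits the Secure, HttpOnly and SameSite settings, and lists query parameters that look like credentials. The session-cookie name list, the credential parameter names and the sample values are this example's assumptions.

```python
"""Added example: audit Set-Cookie headers (checks 1-3) and URLs (check 6).
Not the page's or AuditAI's code; the name lists are assumptions."""
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Assumption: names that identify a session cookie in common frameworks.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "connect.sid", "session"}
# Assumption: query parameter names that usually carry credentials.
CREDENTIAL_PARAMS = {"token", "access_token", "api_key", "apikey", "key",
                     "password", "secret", "auth"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return the cookie name and value plus its attributes (lowercased keys)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        cookie[key.strip().lower()] = val.strip()  # flags like Secure map to ""
    return cookie


def is_session_cookie(header: str) -> bool:
    """True when the cookie name (ignoring __Host-/__Secure- prefixes) is a known session name."""
    name = parse_set_cookie(header)["name"].lower()
    for prefix in ("__host-", "__secure-"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name in SESSION_COOKIE_NAMES


def audit_session_cookie(header: str) -> List[str]:
    """Findings for one Set-Cookie header; empty means Secure, HttpOnly and SameSite are right."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in cookie:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly: cookie is readable from JavaScript")
    same_site = cookie.get("samesite", "").lower()
    if same_site not in ("strict", "lax"):
        findings.append(f"SameSite is {same_site or 'unset'}: needs Strict or Lax")
    # Browsers reject a __Host- cookie that lacks Secure, Path=/ or carries a Domain.
    if cookie["name"].startswith("__Host-") and ("secure" not in cookie or cookie.get("path") != "/" or "domain" in cookie):
        findings.append("__Host- prefix requirements not met: browser will drop the cookie")
    return findings


def credentials_in_url(url: str) -> List[str]:
    """Return the query parameter names that look like credentials (check 6)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [key for key, _ in pairs if key.lower() in CREDENTIAL_PARAMS]


# Constructed samples.
WEAK_COOKIE = "sessionid=3f9c1a; Path=/; HttpOnly"
HARDENED_COOKIE = "__Host-sessionid=3f9c1a; Path=/; Secure; HttpOnly; SameSite=Lax"
LEAKY_URL = "https://api.example.com/v1/users?api_key=sk_live_EXAMPLE&page=2"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header, "->", audit_session_cookie(header) or "OK")
    print(LEAKY_URL, "->", credentials_in_url(LEAKY_URL))
```

Run `audit_session_cookie` over every Set-Cookie header your login response emits (a response can carry several), and `credentials_in_url` over the URLs your application generates in links, redirects and logs; anything it returns will be visible in browser history and access logs exactly as the checklist item warns.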
Don't check these manually — automate it
AuditAI automatically scans your security headers, HTTPS enforcement, exposed paths, and SSL certificate in under 30 seconds — free, no signup required.
Frequently Asked Questions
How often should you run a website security audit?
Run a full security audit quarterly, or after any significant change — new deployment, CMS update, third-party integration, or infrastructure change. For production sites with sensitive data, monthly automated checks for security headers and exposed paths are recommended. Use AuditAI for fast free checks between formal audits.
What is the most critical security issue to fix first?
HTTPS enforcement and exposed sensitive files (/.env, /.git/config) should be fixed immediately — they represent active data exposure risks. Security headers like CSP and HSTS are next, as they prevent common attack vectors like XSS and protocol downgrade attacks. Authentication and session issues should be addressed as part of your next development sprint.
Can AuditAI automate all 40 of these security checks?
AuditAI automates the checks that are visible from the outside: HTTP security headers, HTTPS enforcement, exposed file paths, SSL certificate validity, and some authentication signals. Deep application-level checks (SQL injection, CSRF tokens in forms, server-side session management) require manual penetration testing or a dedicated DAST tool.