How to Check If Your Website Is Secure: A 10-Minute Self-Audit
A practical, step-by-step self-audit to check if your website is secure — covering HTTPS, headers, email spoofing, exposed services and more, plus when to get a professional audit.
Can you check your own website's security?
Yes — you can catch a surprising share of real-world risk in about ten minutes with nothing but a browser. This self-audit walks through the checks attackers run first. It will not replace a full automated security audit, but it will tell you whether you have urgent problems right now.
1. Confirm HTTPS is enforced (1 min)
Load your site with http:// (not https). It should automatically redirect to HTTPS. If it loads over plain HTTP, any data your visitors send can be intercepted. Then click the padlock and check the certificate is valid and not expiring within 30 days. Bonus: confirm an HSTS header is present so browsers refuse to downgrade — more on that below.
2. Inspect your security headers (2 min)
Open your browser's developer tools, go to the Network tab, reload, and click the main document request. Look at the Response Headers for:
- Strict-Transport-Security (HSTS)
- Content-Security-Policy (CSP)
- X-Frame-Options or a frame-ancestors CSP directive
- X-Content-Type-Options: nosniff
Missing headers are one of the most common — and cheapest to fix — findings we see. Our developer's guide to secure headers shows exactly what to set.
3. Test for email spoofing (2 min)
Most owners never check this, and it is a top vector for fraud. Your domain needs three DNS records working together: SPF, DKIM, and an enforcing DMARC policy. If DMARC is missing or set to "p=none," attackers can send email that looks like it came from you. Use any public DMARC lookup tool, or read our full DMARC, SPF and DKIM audit guide.
4. Look for exposed services and subdomains (2 min)
Search your domain on a public exposure search engine (Shodan-style) to see which ports and services are visible to the internet. Database ports, admin panels, and staging environments should never be publicly reachable. While you are at it, list your subdomains — forgotten ones pointing at unclaimed services create subdomain takeover risk.
5. Check for leaked credentials (1 min)
Enter your company email domain into a breach-notification service. If staff credentials appear in public breach data, assume attackers have them too and rotate passwords plus enable phishing-resistant MFA. Attackers increasingly bypass weak MFA, as we cover in how attackers are bypassing MFA.
6. Audit your technology fingerprint (2 min)
View the page source and response headers for version banners — server software, CMS, and framework versions. Advertised versions let attackers match you to known exploits. Suppress banners where you can and keep components patched. Running WordPress? Follow our WordPress security audit steps.
What the self-audit can't tell you
A manual check catches the obvious, but it cannot correlate findings, score your overall risk, or test the dozens of additional checks a scanner runs in parallel. It also will not catch authenticated vulnerabilities or business-logic flaws. Think of this as triage, not a clean bill of health.
The 10-minute audit checklist
- HTTP redirects to HTTPS, certificate valid, HSTS present
- CSP, X-Frame-Options, X-Content-Type-Options set
- SPF, DKIM, and enforcing DMARC configured
- No databases, admin panels, or staging exposed publicly
- No company credentials in public breach data
- No software version banners leaking
If any item is unchecked, you have work to do. To go from a ten-minute glance to a prioritised, 60+ check report with remediation steps and a $ exposure estimate, run a full Exarlo audit — or first review the complete website security audit checklist.
Find your vulnerabilities before attackers do.
Our automated $149 security audit maps your public attack surface and checks for misconfigurations, outdated components, and missing security headers.
Get Your Security Audit