ChecklistsMay 25, 202611 min read

The Complete Website Security Audit Checklist (2026 Edition)

A comprehensive, practical website security audit checklist for 2026 — every category to test across email, transport, headers, DNS, exposure and threat intelligence, with fixes.

How to use this checklist

This is the checklist Exarlo's own automated audit is built around — the 60+ public-surface checks grouped into the categories an attacker probes first. Work through it section by section. Where you find a gap, follow the linked deep-dive. To have all of it tested and prioritised for you automatically, run the $149 audit.

1. Transport security (HTTPS / TLS)

  • HTTP automatically redirects to HTTPS sitewide
  • Certificate valid, trusted, and not expiring within 30 days
  • Only TLS 1.2 and 1.3 enabled (TLS 1.0/1.1 disabled)
  • Strong cipher suites only; no known-weak ciphers
  • HSTS header present, with a long max-age and preload where appropriate

Weak transport security exposes visitors to interception and downgrade attacks.

2. HTTP security headers

  • Content-Security-Policy restricting scripts and resources
  • X-Frame-Options or frame-ancestors to prevent clickjacking
  • X-Content-Type-Options: nosniff
  • Referrer-Policy and Permissions-Policy set
  • No sensitive data leaking in headers

Headers are the highest-ROI fix in security — minutes of work, whole attack classes mitigated. See secure headers in practice.

3. Email authentication

  • SPF record present and correctly scoped
  • DKIM configured and signing outbound mail
  • DMARC policy set to quarantine or reject (not p=none)
  • Alignment between SPF/DKIM and the From domain

Without these, your domain can be spoofed for phishing. Full walkthrough: DMARC, SPF and DKIM audit.

4. DNS and domain hygiene

  • No dangling DNS records pointing at unclaimed services (takeover risk)
  • CAA records restricting who can issue certificates
  • Registrar lock and DNSSEC where supported
  • Look-alike / typosquat domains monitored for brand abuse

5. Network and service exposure

  • No databases, caches, or admin panels reachable from the internet
  • Only necessary ports open; everything else firewalled
  • No staging or development environments publicly indexed
  • Cloud storage buckets not publicly listable (cloud misconfig risk)

6. Application and component hygiene

  • No software version banners advertised
  • CMS, frameworks, and libraries patched to current versions
  • Default credentials and sample files removed
  • Aligned against the OWASP Top 10 and SQL injection defences
  • API endpoints authenticated and rate-limited (API security)

7. Threat intelligence

  • No company credentials in public breach datasets
  • Phishing-resistant MFA enforced for staff (MFA bypass risk)
  • Brand-impersonation domains identified and reported

8. Process and monitoring

  • Audits run on a recurring cadence, not just once
  • Findings tracked to closure with re-testing
  • Surface re-baselined after every significant release
  • An incident-response contact and plan exist

Turning the checklist into action

A checklist is only useful if someone runs it consistently. Manual passes drift; people forget step 12. That is exactly why automated audits exist — to run the entire list the same way, every time, and hand you a prioritised report instead of a to-do list. To benchmark your spend first, read how much a security audit costs, then generate your full audit and check every box at once.

Find your vulnerabilities before attackers do.

Our automated $149 security audit maps your public attack surface and checks for misconfigurations, outdated components, and missing security headers.

Get Your Security Audit