Website Security Checklist: 15 Things to Check in 2026
Website security is not a one-time setup — it requires ongoing checks. This checklist covers the 15 most critical items every website owner should verify, with free tools to test each one.
Whether you run a personal blog or a business-critical web application, these 15 checks form the foundation of a secure online presence. Use our Website Scanner to automate many of these checks at once, or work through them individually below.
1. Valid SSL/TLS Certificate
Your site must have a valid, unexpired SSL/TLS certificate from a trusted Certificate Authority. Check that the certificate covers your domain (including www), uses strong encryption (TLS 1.2 or 1.3), and has not been revoked. Use our SSL Checker to verify your certificate in seconds.
2. HTTPS Redirects
Having an SSL certificate is not enough — all HTTP traffic must redirect to HTTPS. Test that http://yourdomain.com permanently redirects (301) to https://yourdomain.com. Check for mixed content warnings where HTTPS pages load HTTP resources. Our Redirect Checker traces the full redirect chain for any URL.
3. HTTP Strict Transport Security (HSTS)
HSTS tells browsers to always use HTTPS for your domain, preventing SSL stripping attacks. Verify that your server sends the Strict-Transport-Security header with a max-age of at least 31536000 (one year). Consider adding includeSubDomains and submitting to the HSTS preload list. Check with our HTTP Headers Checker.
4. Content Security Policy (CSP)
A Content Security Policy header controls which resources the browser is allowed to load, preventing cross-site scripting (XSS) and data injection attacks. Start with a report-only policy, monitor violations, and then enforce. At minimum, restrict script-src, style-src, and default-src directives.
5. X-Frame-Options / frame-ancestors
Prevent your site from being embedded in iframes on malicious sites (clickjacking). Set X-Frame-Options: DENY or SAMEORIGIN, or use the CSP frame-ancestors directive for more granular control. Verify this header is present using our HTTP Headers Checker.
6. DMARC Record
DMARC prevents attackers from sending emails that appear to come from your domain. Every domain — even those that do not send email — should have a DMARC record. Aim for p=reject for maximum protection. Check your policy with our DMARC Checker.
7. SPF Record
SPF specifies which mail servers are authorized to send email on behalf of your domain. Ensure your SPF record is valid, does not exceed 10 DNS lookups, and ends with -all (hard fail) or ~all (soft fail). Validate with our SPF Checker.
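The three SPF conditions above (a valid v=spf1 record, at most 10 DNS-lookup terms, and a closing -all or ~all) can be checked mechanically. The script below is an added example, not the SPF Checker mentioned on this page; it parses a single domain's TXT record on its own, so records pulled in through include: and redirect= are not fetched and the lookup count it reports is a lower bound. The sample records and the .example domains in them are constructed.

```python
import re

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str, max_lookups: int = 10) -> dict:
    """Audit one SPF TXT record; returns validity, lookup count, the qualifier
    on the all mechanism (+ - ~ ? or None) and a list of issues found.
    Only this record is inspected: included records are not resolved."""
    terms = record.strip().split()
    result = {"valid": True, "lookups": 0, "all": None, "issues": []}
    if not terms or terms[0].lower() != "v=spf1":
        result["valid"] = False
        result["issues"].append("record must start with v=spf1")
        return result
    for term in terms[1:]:
        # Separate the qualifier from the mechanism name, e.g. "-all" -> "-", "all"
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "ptr":
            result["issues"].append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            result["all"] = qualifier
    if result["lookups"] > max_lookups:
        result["valid"] = False
        result["issues"].append(
            f"{result['lookups']} DNS lookup terms exceed the limit of {max_lookups}")
    if result["all"] is None:
        result["issues"].append("no all mechanism; end the record with -all or ~all")
    elif result["all"] == "+":
        result["valid"] = False
        result["issues"].append("+all authorizes any sender; use -all or ~all")
    return result


if __name__ == "__main__":
    # Constructed sample records (not real domains)
    for rec in ("v=spf1 include:_spf.mailprovider.example a mx ~all",
                "v=spf1 +all",
                "v=spf1 ip4:192.0.2.0/24"):
        print(rec, "->", check_spf(rec))
```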
8. DKIM Configuration
DKIM adds a cryptographic signature to outgoing emails, allowing recipients to verify the message was not altered in transit. Ensure your DKIM key is at least 2048 bits and that your DNS record is correctly published. Verify with our DKIM Checker.
9. DNS Security
Review your DNS configuration for security weaknesses. Ensure you are using reputable nameservers, have no dangling CNAME records (which enable subdomain takeover), and consider enabling DNSSEC if your registrar supports it. Use our DNS Lookup to audit all your DNS records.
10. Open Ports
Only necessary ports should be open on your server. Common web ports (80, 443) are expected, but open database ports (3306, 5432), admin panels (8080, 8443), or unencrypted services (21, 23) are security risks. Scan your server with our Port Scanner to identify exposed services.
11. Domain Expiration Monitoring
An expired domain can be snatched by attackers for phishing or brand impersonation. Verify your domain's expiration date and enable auto-renewal. Check your registration details with a WHOIS Lookup and consider registering your domain for multiple years.
12. WHOIS Privacy
Public WHOIS records can expose your name, address, email, and phone number to spammers and attackers. Enable WHOIS privacy protection (also called domain privacy) through your registrar. Most registrars offer this for free. Verify what is publicly visible with our WHOIS Lookup.
13. Security Headers Audit
Beyond HSTS and CSP, verify that your server sends these additional security headers:
X-Content-Type-Options: nosniff — prevents MIME type sniffing.
Referrer-Policy: strict-origin-when-cross-origin — controls referrer information leakage.
Permissions-Policy — restricts browser features like camera, microphone, and geolocation access.
Check all headers at once with our HTTP Headers Checker.
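The header checks from items 3, 4, 5 and 13 (HSTS max-age of at least one year, an enforced CSP restricting default-src, script-src and style-src, framing protection via X-Frame-Options or frame-ancestors, nosniff, Referrer-Policy and Permissions-Policy) can be run against a response's headers with the script below. It is an added example, not the HTTP Headers Checker mentioned on this page; the two header sets at the bottom are constructed samples rather than captures from a real site.

```python
ONE_YEAR = 31536000  # HSTS max-age the checklist asks for, in seconds

def parse_directives(value: str) -> dict:
    # 'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}
    out = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip()
    return out

def audit_headers(headers: dict) -> list:
    """Return findings for one HTTPS response's headers; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = parse_directives(h.get("strict-transport-security", ""))
    max_age = int(hsts["max-age"]) if hsts.get("max-age", "").isdigit() else 0
    if not hsts:
        findings.append("HSTS: Strict-Transport-Security header missing")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age {max_age} is below one year ({ONE_YEAR})")
    csp = h.get("content-security-policy")  # report-only does not count as enforced
    directives = {p.split()[0].lower() for p in (csp or "").split(";") if p.strip()}
    if csp is None:
        findings.append("CSP: no enforced Content-Security-Policy header")
    for name in ("default-src", "script-src", "style-src"):
        if csp is not None and name not in directives:
            findings.append(f"CSP: {name} directive not restricted")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: set X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name.title()} header missing")
    return findings

# Constructed sample headers, as a hardened site might send them (not captured from a real site)
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff"}  # constructed

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_headers(sample) or ["all checks passed"])
```

To audit a live site, pass the response headers of its HTTPS page (for example `dict(urllib.request.urlopen(url).headers)`) to audit_headers.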
14. Software and Dependencies Up to Date
Outdated CMS software, plugins, frameworks, and server software are the most common attack vectors. Enable automatic security updates where possible. For WordPress sites, keep core, themes, and all plugins updated. For custom applications, regularly run npm audit or equivalent dependency scanners and address critical vulnerabilities promptly.
15. Backup and Recovery Strategy
Security is not only about prevention — it is also about recovery. Ensure you have automated, regular backups stored in a separate location from your primary server. Test your backup restoration process periodically. A good strategy follows the 3-2-1 rule: 3 copies of your data, on 2 different storage types, with 1 copy offsite. This protects against ransomware, accidental deletion, and server failures.
Run All Checks at Once
Manually checking each item is thorough but time-consuming. Our Website Scanner automates many of these security checks in a single scan, covering SSL, headers, DNS, email authentication, and more. For a complete domain health overview, use our Domain Health Checker.