Domain Security Audit: Complete Checklist with Free Tools

A single misconfiguration can expose your domain to attackers. This 8-step audit covers every layer of domain security — from SSL certificates to open ports — with free tools to test each one.

Security Audit Checklist

1
SSL Certificate Check
Verify your SSL certificate is valid, not expired, and covers all required domains including www and subdomains. An expired or misconfigured certificate breaks trust and search rankings.
Check SSL Certificate
2
Security Headers Scan
Audit HTTP security headers including Content-Security-Policy, X-Frame-Options, HSTS, and X-Content-Type-Options. Missing headers leave your domain vulnerable to XSS, clickjacking, and MIME sniffing.
Scan Security Headers
3
TLS Version Test
Confirm your server supports TLS 1.2 and TLS 1.3 while disabling deprecated versions like TLS 1.0 and 1.1. Outdated TLS versions have known vulnerabilities that attackers actively exploit.
Check TLS Version
4
Cipher Suite Scan
Review your server's cipher suite configuration. Weak ciphers like RC4 or DES should be disabled. Prefer AEAD ciphers such as AES-GCM and ChaCha20-Poly1305.
Scan Cipher Suites
5
DNSSEC Verification
Check whether DNSSEC is enabled for your domain. DNSSEC adds cryptographic signatures to DNS responses, preventing cache poisoning and man-in-the-middle attacks on DNS queries.
Verify DNSSEC
6
Website Security Scan
Run a comprehensive security scan to identify common vulnerabilities, outdated software, and exposed sensitive files or directories on your web server.
Scan Website Security
7
Port Scan
Identify open ports on your server. Every open port is a potential attack surface. Only ports required for your services (typically 80, 443, and 25 for mail) should be accessible.
Run Port Scan
8
HTTP Redirect Check
Verify that HTTP properly redirects to HTTPS and that redirect chains are clean. Mixed content, redirect loops, or missing HSTS headers undermine your TLS deployment.
Check Redirects

Quick Reference

Step 1: SSL Certificate Check
Step 2: Security Headers Scan
Step 3: TLS Version Test
Step 4: Cipher Suite Scan
Step 5: DNSSEC Verification
Step 6: Website Security Scan
Step 7: Port Scan
Step 8: HTTP Redirect Check

Frequently Asked Questions

How often should I audit my domain security?: Run a full security audit quarterly, and immediately after any server configuration changes, certificate renewals, or security incidents. Automated monitoring is recommended for SSL expiry and header changes.
What is the most critical security header to implement?: Content-Security-Policy (CSP) is the most impactful because it prevents cross-site scripting (XSS) attacks. However, HSTS is equally important as it forces HTTPS and prevents downgrade attacks. Implement both.
Does DNSSEC affect website performance?: DNSSEC adds minimal overhead — typically 1-5ms per DNS query for signature validation. The security benefits far outweigh this negligible latency increase. Most modern resolvers handle DNSSEC validation efficiently.

Secure Your Domain Today

Work through all 8 checks to identify and fix vulnerabilities. All tools are free with no signup.

Browse All Tools

Security Audit Checklist

SSL Certificate Check

Verify your SSL certificate is valid, not expired, and covers all required domains including www and subdomains. An expired or misconfigured certificate breaks trust and search rankings.

Check SSL Certificate

Security Headers Scan

Audit HTTP security headers including Content-Security-Policy, X-Frame-Options, HSTS, and X-Content-Type-Options. Missing headers leave your domain vulnerable to XSS, clickjacking, and MIME sniffing.

Scan Security Headers

TLS Version Test

Confirm your server supports TLS 1.2 and TLS 1.3 while disabling deprecated versions like TLS 1.0 and 1.1. Outdated TLS versions have known vulnerabilities that attackers actively exploit.

Check TLS Version

Cipher Suite Scan

Review your server's cipher suite configuration. Weak ciphers like RC4 or DES should be disabled. Prefer AEAD ciphers such as AES-GCM and ChaCha20-Poly1305.

Scan Cipher Suites

DNSSEC Verification

Check whether DNSSEC is enabled for your domain. DNSSEC adds cryptographic signatures to DNS responses, preventing cache poisoning and man-in-the-middle attacks on DNS queries.

Verify DNSSEC

Website Security Scan

Run a comprehensive security scan to identify common vulnerabilities, outdated software, and exposed sensitive files or directories on your web server.

Scan Website Security

Port Scan

Identify open ports on your server. Every open port is a potential attack surface. Only ports required for your services (typically 80, 443, and 25 for mail) should be accessible.

Run Port Scan

HTTP Redirect Check

Verify that HTTP properly redirects to HTTPS and that redirect chains are clean. Mixed content, redirect loops, or missing HSTS headers undermine your TLS deployment.

Check Redirects

Frequently Asked Questions

How often should I audit my domain security?

Run a full security audit quarterly, and immediately after any server configuration changes, certificate renewals, or security incidents. Automated monitoring is recommended for SSL expiry and header changes.

What is the most critical security header to implement?

Content-Security-Policy (CSP) is the most impactful because it prevents cross-site scripting (XSS) attacks. However, HSTS is equally important as it forces HTTPS and prevents downgrade attacks. Implement both.

Does DNSSEC affect website performance?

DNSSEC adds minimal overhead — typically 1-5ms per DNS query for signature validation. The security benefits far outweigh this negligible latency increase. Most modern resolvers handle DNSSEC validation efficiently.