2026-04-11·7 min read

Website Security Audit Checklist — 18 Checks in 2 Minutes

Why run a security audit

Most websites have at least 3 security misconfigurations. These issues are invisible until someone exploits them.

The 18-point checklist

SSL/TLS (5 checks)

  • Certificate valid and not expired
  • TLS 1.2+ supported
  • Complete certificate chain
  • Strong key (2048-bit+)
  • HSTS header present

Email Security (4 checks)

  • SPF record exists
  • DKIM configured
  • DMARC with policy
  • SPF under 10 lookups
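
The "SPF under 10 lookups" check, sketched as an added example (not from the original post and not CQwerty Shield's code). It counts the DNS-querying terms that RFC 7208 limits to 10 per evaluation. The `ZONE` records and `.test` names are constructed stand-ins for live TXT lookups, and macros in include targets are assumed absent.

```python
import re

# Constructed sample TXT records (hypothetical names under .test, not real DNS data).
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mail.example.test include:_spf.crm.example.test ~all",
    "_spf.mail.example.test": "v=spf1 include:_a.mail.example.test include:_b.mail.example.test ip4:192.0.2.0/24 ~all",
    "_a.mail.example.test": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "_b.mail.example.test": "v=spf1 exists:%{i}.bl.example.test ptr ~all",
    "_spf.crm.example.test": "v=spf1 a:crm.example.test redirect=_spf.fallback.example.test",
    "_spf.fallback.example.test": "v=spf1 ip6:2001:db8::/32 -all",
}

LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per evaluation

# Terms that cost a DNS query: include, a, mx, ptr, exists, and the redirect modifier.
# ip4, ip6 and all cost nothing. The lookahead keeps "a" from matching "all".
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=$|[:=/])", re.I)


def count_spf_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; the include itself was already counted by the caller
    total = 0
    for term in record.split()[1:]:
        match = LOOKUP_TERM.match(term)
        if not match:
            continue
        total += 1
        if match.group(1).lower() in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[-1]
            if target != term:  # skip malformed terms with no target
                total += count_spf_lookups(target.lower(), zone, path + (domain,))
    return total


def spf_within_limit(domain, zone):
    """True when the record tree stays at or under the 10-lookup limit."""
    return count_spf_lookups(domain, zone) <= LIMIT


if __name__ == "__main__":
    n = count_spf_lookups("example.test", ZONE)
    print(f"example.test: {n} lookups, {'OK' if n <= LIMIT else 'over the limit (PermError)'}")
```

The top-level record shows only four lookup terms, but nested includes bring the total over the limit, which is why the check has to walk the whole include tree.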

HTTP Headers (5 checks)

  • Content-Security-Policy set
  • X-Frame-Options prevents clickjacking
  • X-Content-Type-Options: nosniff
  • Referrer-Policy configured
  • Permissions-Policy set

DNS & Infrastructure (3 checks)

  • Reputable DNS provider
  • Domain not expiring soon
  • WHOIS privacy enabled

Breach Intelligence (1 check)

  • Domain not in known breaches

Run all 18 checks automatically

[CQwerty Shield](/) runs all 18 checks in 2 minutes. You get letter grades, a security score, remediation steps, and CVE references.

[Run your audit now →](/)
