
Website Security Checklist

A comprehensive checklist covering every layer of your website's security posture. Check off each item as you implement it.

This checklist covers the essential security controls every website should have in place: SSL/TLS encryption, HTTP security headers, email authentication, DNS hardening, cookie security, domain management, and ongoing monitoring. Each item links to a free tool you can use to verify your configuration.


SSL/TLS Configuration

Install a valid certificate on every domain and subdomain that serves traffic, including API and static-asset hosts (SSL Checker)
Redirect all HTTP traffic to HTTPS with a permanent (301) redirect so clients stop using the plaintext URL (Redirect Checker)
Allow only TLS 1.2 and TLS 1.3; disable TLS 1.0 and TLS 1.1, which are deprecated by RFC 8996, and every SSL version (TLS Checker)
Serve the full certificate chain, intermediates included, in the correct order; a missing intermediate works in browsers that cache it and fails in others and in most API clients (Cert Chain Checker)
Monitor certificate expiry and automate renewal, for example with an ACME client; an expired certificate is a hard outage, not a warning (SSL Checker)
Publish a CAA record so that only the certificate authorities you actually use can issue certificates for your domain (DNS Lookup)

HTTP Security Headers

Enable HSTS (Strict-Transport-Security) with a max-age of at least one year (31536000 seconds); add includeSubDomains once every subdomain serves HTTPS, and only then consider preload, which is hard to undo (HSTS Checker)
Deploy a Content-Security-Policy that restricts script sources to mitigate XSS and injection; roll it out with Content-Security-Policy-Report-Only first to find breakage before enforcing (CSP Checker)
Set X-Frame-Options to DENY or SAMEORIGIN to prevent clickjacking; the CSP frame-ancestors directive is the modern replacement and takes precedence when both are present (Headers Checker)
Set X-Content-Type-Options: nosniff so browsers do not MIME-sniff responses into scripts or stylesheets (Headers Checker)
Configure Referrer-Policy (strict-origin-when-cross-origin or stricter) so full URLs, which may carry tokens or user identifiers, are not leaked to third parties (Headers Checker)
Set Permissions-Policy to disable browser features the site does not use, for example camera=(), microphone=(), geolocation=() (Headers Checker)
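
The checks in this section can be scripted against a captured response. The following Python is an added example written for this page, not code from the page's own tools: it takes a dict of response headers and returns the checklist items that fail, treating a CSP frame-ancestors directive as satisfying the clickjacking item. The two header sets at the bottom are constructed, not captured from any real site.

```python
"""Evaluate a response's headers against the security-header checklist above."""
import re

MIN_HSTS_MAX_AGE = 31_536_000  # one year in seconds, the checklist's minimum

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_security_headers(headers):
    """Return a list of findings; an empty list means every header item passes."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age below one year ({hsts})")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set, subdomains remain downgradable")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # Map each directive name to its source list, e.g. {"script-src": ["'self'"]}.
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP: script-src allows 'unsafe-inline', which defeats XSS protection")
        if "*" in script_src:
            findings.append("CSP: script-src allows scripts from any origin (*)")

    # Clickjacking: CSP frame-ancestors is the modern control; X-Frame-Options is the fallback.
    xfo = _get(headers, "X-Frame-Options")
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp
    if not has_frame_ancestors and (xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN")):
        findings.append("Clickjacking: neither CSP frame-ancestors nor X-Frame-Options DENY/SAMEORIGIN")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: not set to nosniff")

    referrer = _get(headers, "Referrer-Policy")
    if referrer is None or referrer.lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: missing or leaky ({referrer})")

    if _get(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy: header missing")

    return findings


# Constructed sample responses; these are not captured from any real site.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {check_security_headers(hdrs) or ['all checks pass']}")
```

The hardened set deliberately omits X-Frame-Options to show that frame-ancestors 'none' alone satisfies the clickjacking item; the weak set fails all six items (HSTS twice, once for the short max-age and once for the missing includeSubDomains).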

Email Authentication

Publish an SPF record listing every service authorized to send mail for your domain, end it with -all (or ~all), and stay within the 10 DNS lookups SPF permits (SPF Checker)
Configure DKIM signing for all outbound email, including mail sent on your behalf by third-party services, using RSA keys of at least 2048 bits (DMARC Checker)
Publish a DMARC policy and move from p=none through p=quarantine to p=reject as aggregate reports confirm that legitimate mail authenticates (DMARC Checker)
Set up DMARC aggregate reporting (the rua= tag) to monitor authentication results and spot unauthorized senders (DMARC Checker)
Verify MX records point only to mail servers you run or have contracted; a stale MX entry can deliver your inbound mail to someone else (MX Lookup)
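
The SPF and DMARC items above come down to reading two TXT records. The following Python is an added example written for this page, not code from the page's checker tools: it parses an SPF record (counting lookup-causing terms against the limit of 10 and grading the all qualifier) and a DMARC record (policy, reporting address, pct and subdomain policy). It does not resolve anything, so nested include lookups are not counted; the example records are constructed and the hostnames are placeholders.

```python
"""Grade SPF and DMARC TXT records against the email-authentication checklist."""

# Terms that each consume one of the 10 DNS lookups SPF permits (RFC 7208 section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return findings for one SPF TXT record string; [] means it passes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]

    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip the argument: "include:x", "a/24", "redirect=x" -> mechanism name.
        name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1  # counts this record only; nested includes add more
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated (RFC 7208) and should be removed")
        if name == "all":
            all_qualifier = qualifier

    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (evaluates to permerror)")
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are neither failed nor softfailed")
    elif all_qualifier in ("+", "?"):
        findings.append(f"SPF: '{all_qualifier}all' lets any host send as your domain")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return findings for one DMARC TXT record string; [] means it passes."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]

    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required p= tag")
    elif policy != "reject":
        findings.append(f"DMARC: policy is p={policy}; move toward p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail flow")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("DMARC: sp=none leaves subdomains unprotected while the apex is enforced")
    return findings


# Constructed example records; the hostnames are placeholders, not real services.
SPF_WEAK = "v=spf1 include:_spf.mail.example.net a mx ptr +all"
SPF_GOOD = "v=spf1 include:_spf.mail.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, rec, fn in (("SPF weak", SPF_WEAK, check_spf), ("SPF good", SPF_GOOD, check_spf),
                           ("DMARC weak", DMARC_WEAK, check_dmarc), ("DMARC good", DMARC_GOOD, check_dmarc)):
        print(f"{label}: {fn(rec) or ['passes']}")
```

In practice you would feed these functions the TXT records returned for the domain and for _dmarc.<domain>; the lookup count is a lower bound until every include is followed, which is exactly what an SPF checker tool does for you.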

DNS Security

Enable DNSSEC so validating resolvers can verify your records and reject spoofed or cache-poisoned responses (DNS Lookup)
Audit for dangling records (CNAME, A or NS) that still point at decommissioned cloud resources; they allow subdomain takeover (DNS Lookup)
Use a reputable DNS provider with DDoS protection and, where possible, more than one authoritative provider
Set appropriate TTLs on critical records: long enough to absorb resolver load, short enough that you can change a record quickly during an incident (DNS Lookup)
Publish a CAA record to control certificate issuance (the same control as in the SSL/TLS Configuration section) (DNS Lookup)

Cookie Security

Set the Secure attribute on all cookies so they are only sent over HTTPS (Cookie Checker)
Set the HttpOnly attribute on session cookies so injected JavaScript cannot read them (Cookie Checker)
Use SameSite=Lax or SameSite=Strict to mitigate CSRF; SameSite=None is only accepted by browsers when Secure is also set (Cookie Checker)
Set appropriate lifetimes on session cookies and invalidate the session server-side on logout; a cookie's Max-Age alone does not end the session (Cookie Checker)
Use the __Host- or __Secure- prefix on sensitive cookies; __Host- requires Secure, Path=/ and no Domain attribute, so a subdomain cannot set or overwrite it (Cookie Checker)
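
The cookie items can be verified by inspecting Set-Cookie headers. The following Python is an added example written for this page, not code from the page's Cookie Checker: it parses one Set-Cookie value and reports which checklist items it fails, including the prefix rules a browser enforces before it will store a __Host- or __Secure- cookie. The three example headers are constructed and the values are placeholders.

```python
"""Check Set-Cookie headers against the cookie-security checklist."""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes); attribute keys are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_cookie(header, session_cookie=True):
    """Return findings for one Set-Cookie header; [] means it passes.

    session_cookie=True applies the stricter rules the checklist reserves for
    session identifiers (HttpOnly, an explicit lifetime, a __Host- prefix).
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []

    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, so it is sent over plaintext HTTP")
    if session_cookie and "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, so injected JavaScript can read it")

    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is '{samesite or 'unset'}'; use Lax or Strict")
    if samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: browsers reject SameSite=None without Secure")

    if session_cookie and "max-age" not in attrs and "expires" not in attrs:
        findings.append(f"{name}: no Max-Age or Expires; browsers may restore it across restarts")

    # Prefix rules: a browser silently drops a prefixed cookie that violates them.
    if name.startswith("__Host-"):
        if "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
            findings.append(f"{name}: __Host- requires Secure, Path=/ and no Domain attribute")
    elif name.startswith("__Secure-"):
        if "secure" not in attrs:
            findings.append(f"{name}: __Secure- requires the Secure attribute")
    elif session_cookie:
        findings.append(f"{name}: no __Host- prefix, so a subdomain could overwrite it")

    return findings


# Constructed example headers; the values are placeholders, not real session tokens.
WEAK_COOKIE = "sessionid=abc123; Path=/"
HARDENED_COOKIE = "__Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600"
# Looks complete, but the Domain attribute violates the __Host- rules, so browsers drop it.
BROKEN_PREFIX_COOKIE = ("__Host-token=xyz; Path=/; Domain=example.com; Secure; HttpOnly; "
                        "SameSite=Lax; Max-Age=600")

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE, BROKEN_PREFIX_COOKIE):
        print(f"{header!r}: {check_cookie(header) or ['passes']}")
```

The third header is the case worth remembering: every flag is present, yet the cookie is never stored, because __Host- forbids a Domain attribute. Pass session_cookie=False for preference cookies that legitimately need to be readable from JavaScript.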

Domain and Certificate Management

Enable registrar lock (clientTransferProhibited) to prevent unauthorized domain transfers (WHOIS Lookup)
Enable WHOIS privacy protection to keep registrant contact details out of public records (WHOIS Lookup)
Monitor domain expiry dates and renew well in advance, or enable auto-renew with a payment method that will not lapse (WHOIS Lookup)
Use multi-factor authentication on your domain registrar account and limit who holds credentials for it
Monitor certificate transparency logs for certificates issued for your domains that you did not request (SSL Checker)

Monitoring and Ongoing Checks

Run regular security scans against all public-facing domains and re-check after every deployment
Monitor for your domains and sending IP addresses appearing on email blocklists (Blacklist Checker)
Check the reputation of your public IP addresses regularly (IP Reputation)
Review robots.txt so it does not disclose admin or internal paths; Disallow entries are hints to crawlers, not access controls (Robots.txt Checker)
Scan for open ports, close services that are not needed and firewall the rest (Port Scanner)
Set up uptime monitoring and certificate expiry alerts (SSL Checker)

Run a full security scan

Check all of the above automatically with a single scan of your domain.
