This checklist covers the essential security controls every website should have in place: SSL/TLS encryption, HTTP security headers, email authentication, DNS hardening, cookie security, domain management, and ongoing monitoring. Each item links to a free tool you can use to verify your configuration.
SSL/TLS Configuration
Install a valid SSL/TLS certificate on all domains and subdomains. Tool: SSL Checker →
Enforce HTTPS by redirecting all HTTP traffic to HTTPS. Tool: Redirect Checker →
Use TLS 1.2 or TLS 1.3 only (disable TLS 1.0 and 1.1). Tool: TLS Checker →
Verify the full certificate chain is correctly configured. Tool: Cert Chain Checker →
Set up certificate expiry monitoring and auto-renewal. Tool: SSL Checker →
Publish a CAA record to restrict which CAs can issue certificates for your domain. Tool: DNS Lookup →
HTTP Security Headers
Enable HSTS (Strict-Transport-Security) with a max-age of at least one year. Tool: HSTS Checker →
Deploy a Content-Security-Policy to prevent XSS and injection attacks. Tool: CSP Checker →
Set X-Frame-Options to DENY or SAMEORIGIN to prevent clickjacking. Tool: Headers Checker →
Set X-Content-Type-Options to nosniff. Tool: Headers Checker →
Configure Referrer-Policy to limit URL leakage to third parties. Tool: Headers Checker →
Set Permissions-Policy to disable unused browser APIs (camera, microphone, geolocation). Tool: Headers Checker →
Email Authentication
Publish an SPF record listing all authorized mail servers. Tool: SPF Checker →
Configure DKIM signing for all outbound email. Tool: DMARC Checker →
Publish a DMARC policy and move toward p=reject. Tool: DMARC Checker →
Set up DMARC aggregate reporting to monitor authentication results. Tool: DMARC Checker →
Verify MX records point to legitimate mail servers. Tool: MX Lookup →
DNS Security
Enable DNSSEC to protect against DNS spoofing. Tool: DNS Lookup →
Audit for dangling DNS records pointing to decommissioned services. Tool: DNS Lookup →
Use a reputable DNS provider with DDoS protection.
Set appropriate TTLs (not too high, not too low) on critical records. Tool: DNS Lookup →
Publish a CAA record to control certificate issuance. Tool: DNS Lookup →
Cookie Security
Set the Secure flag on all cookies so they are only sent over HTTPS. Tool: Cookie Checker →
Set the HttpOnly flag on session cookies to prevent JavaScript access. Tool: Cookie Checker →
Use SameSite=Lax or SameSite=Strict to mitigate CSRF attacks. Tool: Cookie Checker →
Set appropriate expiration times on session cookies. Tool: Cookie Checker →
Use the __Host- or __Secure- cookie prefix for sensitive cookies. Tool: Cookie Checker →
Domain and Certificate Management
Enable registrar lock to prevent unauthorized domain transfers. Tool: WHOIS Lookup →
Enable WHOIS privacy protection. Tool: WHOIS Lookup →
Monitor domain expiry dates and renew well in advance. Tool: WHOIS Lookup →
Use multi-factor authentication on your domain registrar account.
Track certificate transparency logs for unauthorized certificate issuance. Tool: SSL Checker →
Monitoring and Ongoing Checks
Run regular security scans against all public-facing domains.
Monitor for your domain appearing on email blocklists. Tool: Blacklist Checker →
Check IP reputation regularly. Tool: IP Reputation →
Review robots.txt for unintended path disclosures. Tool: Robots.txt Checker →
Scan for open ports and close unnecessary services. Tool: Port Scanner →
Set up uptime monitoring and certificate expiry alerts. Tool: SSL Checker →
Run a full security scan
Check all of the above automatically with a single scan of your domain.
Scan my domain →
Tip: bookmark this page and revisit monthly to keep your security posture sharp.