Common Website Vulnerabilities Checklist: What to Check & Fix

A focused list of the most common, most preventable website vulnerabilities — most checkable and fixable within an afternoon.

📅 Published July 2026 · ⏳ 11 min read · ✍️ ToolsNovaHub Editorial Team

Most website compromises don't involve exotic zero-day exploits — they exploit well-known, well-documented, entirely preventable gaps. This checklist focuses on the vulnerabilities that show up most often in real-world security audits, each with a concrete way to check for it.

Cross-Site Scripting (XSS)

Occurs when user-controllable input gets rendered back into a page without proper escaping, letting an attacker inject a malicious script that runs in other visitors' browsers. Check: does any input field, URL parameter, or comment system reflect content back onto the page unescaped? Fix: escape output based on context (HTML entity encoding for HTML content, JavaScript string encoding within scripts), and deploy a restrictive Content-Security-Policy as a critical second layer of defense.
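The context-aware escaping the fix describes, as an added example in Node.js (not code from the original article): one encoder for HTML content, one for a JavaScript string literal, and a simple reflection check of the kind the "Check" step suggests. The search page, the probe string and the function names are this example's assumptions.

```javascript
// Added example: escape reflected input differently for the HTML and the
// JavaScript-string contexts named in the checklist.

// HTML body / attribute-value context: encode the five HTML metacharacters.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[ch]));
}

// JavaScript string-literal context: \xHH / \uHHHH-encode every character
// that is not alphanumeric, so the value can neither close the quote nor
// terminate the surrounding <script> element.
function escapeJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// A constructed search-results page that reflects the query in both contexts.
function renderSearchPage(query) {
  return [
    `<p>Results for: ${escapeHtml(query)}</p>`,
    `<script>var q = '${escapeJsString(query)}';</script>`,
  ].join('\n');
}

// Reflection check: render a harmless markup probe and see whether it
// survives verbatim (unescaped) in the output. True means a finding.
function reflectsUnescaped(render, probe) {
  return render(probe).includes(probe);
}

// e.g. reflectsUnescaped(renderSearchPage, '<s>probe</s>') -> false
```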

Missing Security Headers

HSTS, CSP, X-Frame-Options, and related headers are free, zero-code-change defenses that a surprising number of sites simply never configure. Check: run your domain through our Security Headers Checker for an instant graded breakdown. Fix: add missing headers at the server or CDN configuration level — see our full Security Headers Explained guide.

Information Disclosure

Server banners, verbose error messages, and exposed debug endpoints can hand an attacker a roadmap of your stack and its potential weak points. Check: use our HTTP Headers Checker to see if Server/X-Powered-By headers reveal specific version numbers; check that error pages don't display stack traces or internal file paths in production. Fix: disable verbose errors in production, genericize or remove version-revealing headers.
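The two header checks above (missing security headers, and Server/X-Powered-By values that reveal versions), as an added example in Node.js. This is not the Security Headers Checker or HTTP Headers Checker the article links to; the header set, the severity labels and the HSTS age threshold are this example's assumptions, and the sample headers are constructed.

```javascript
// Added example: audit a captured set of response headers for the gaps
// the checklist names. Thresholds and labels are assumptions.

const REQUIRED = {
  'strict-transport-security': 'Missing HSTS: browsers may still accept plain HTTP',
  'content-security-policy': 'Missing CSP: no second layer against injected script',
  'x-frame-options': 'Missing X-Frame-Options: page can be framed (clickjacking)',
  'x-content-type-options': 'Missing X-Content-Type-Options: MIME sniffing allowed',
};
// Disclosure headers are a finding only when they carry a version string.
const DISCLOSURE = ['server', 'x-powered-by'];
const VERSION_RE = /\d+\.\d+/;
const MIN_HSTS_AGE = 15552000; // 180 days in seconds, an assumed threshold

function auditHeaders(headers) {
  // Normalise names to lower case; HTTP header names are case-insensitive.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];
  for (const [name, message] of Object.entries(REQUIRED)) {
    if (!(name in h)) findings.push({ header: name, severity: 'missing', message });
  }
  // HSTS present but with a short max-age is a weaker, separate finding.
  const hsts = h['strict-transport-security'];
  const m = hsts && /max-age=(\d+)/i.exec(hsts);
  if (hsts && (!m || Number(m[1]) < MIN_HSTS_AGE)) {
    findings.push({ header: 'strict-transport-security', severity: 'weak', message: 'HSTS max-age below 180 days' });
  }
  for (const name of DISCLOSURE) {
    if (h[name] && VERSION_RE.test(h[name])) {
      findings.push({ header: name, severity: 'disclosure', message: `${name} reveals a version: "${h[name]}"` });
    }
  }
  return findings;
}

// Constructed sample response headers, as a headers checker might capture them.
const SAMPLE = {
  Server: 'Apache/2.4.41 (Ubuntu)',
  'X-Powered-By': 'PHP/7.4.3',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Type': 'text/html',
};
// e.g. auditHeaders(SAMPLE) -> 3 missing, 1 weak, 2 disclosure findings
```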

Weak Authentication

Weak or reused passwords and missing two-factor authentication remain among the most common actual breach vectors, more so than sophisticated exploits. Check: does your admin panel enforce a reasonable password policy? Is 2FA available and required for accounts with write access? Fix: enforce strong password requirements and enable 2FA universally for privileged accounts — see our Password Generator for generating genuinely strong credentials.

Outdated Software & Plugins

Unpatched known vulnerabilities in CMS platforms, plugins, and libraries are actively, continuously scanned for by automated bots the moment a CVE is published. Check: review your CMS admin dashboard's plugin/theme update list, and check dependency management tools (npm audit, pip-audit, etc.) for known vulnerable packages. Fix: establish a regular patching cadence rather than updating reactively only after an incident.

Cross-Site Request Forgery (CSRF)

Tricks an authenticated user's browser into submitting an unintended request to your site (like changing their password or making a purchase) by exploiting the fact that browsers automatically attach a site's cookies to any request sent to that site, even one triggered from a malicious third-party page. Check: do state-changing forms (password change, fund transfer, settings update) include and validate a CSRF token? Fix: implement CSRF tokens on all state-changing requests, and set the SameSite cookie attribute to Lax or Strict as an additional defense layer.

Free Tools to Check Each Item

Vulnerability Area                     Free Check
Security headers, HSTS, CSP            Security Headers Checker
SSL/TLS certificate status             SSL Certificate Checker
Server/stack information disclosure    HTTP Headers Checker
Combined overview across categories    Website Security Scanner
Email spoofing exposure                SPF Lookup & DKIM Lookup

For the full 20-point sitewide audit, see our Website Security Checklist.

FAQs

What is the most common preventable website vulnerability?
Missing or misconfigured security headers and outdated, unpatched software are consistently among the most common — both entirely preventable with routine maintenance and free configuration changes.

What is Cross-Site Scripting (XSS) in simple terms?
When user-controllable input gets rendered back into a page without proper escaping, letting an attacker inject a script that runs in other visitors' browsers.

How do I check if my site is vulnerable to CSRF?
Check whether state-changing forms (password change, purchases, settings updates) include and server-side validate a CSRF token, and whether cookies use the SameSite attribute.

Does having HTTPS mean my site is fully secure?
No — HTTPS protects data in transit and verifies server identity, but doesn't protect against application-layer vulnerabilities like XSS, CSRF, or weak authentication.

What's the fastest vulnerability check I can run today?
Security Headers Checker and SSL Certificate Checker both give instant, actionable results in under a minute with no setup required.

Why is information disclosure considered a vulnerability if it's just data?
Exposed version numbers and stack details give attackers a targeted roadmap of known vulnerabilities to try against your specific software versions, significantly narrowing their reconnaissance effort.

Is two-factor authentication really necessary for a small website?
Yes — team or account size doesn't reduce the risk of credential stuffing or phishing; a single compromised password with no 2FA remains one of the most common real-world breach vectors regardless of site size.

How often should I check for outdated plugins or dependencies?
Monthly at minimum, with immediate attention to any critical CVE announcements affecting software you use — automated dependency scanning tools can flag these continuously.

What does SameSite=Strict do for cookies?
Prevents cookies from being sent on cross-site requests entirely, offering strong CSRF protection at the cost of occasionally breaking legitimate cross-site navigation flows that rely on cookies.

Can a combined security scan replace individual checks?
It's a useful fast overview, but for genuine depth on any single category, use the dedicated standalone tool — a combined scanner intentionally trades some depth for breadth.

Is XSS still common in 2026 despite being a decades-old vulnerability class?
Yes — it remains consistently among the most reported vulnerability classes in real-world security audits, largely due to inconsistent output escaping practices across the vast diversity of web applications in production.

What's the difference between XSS and CSRF?
XSS involves injecting malicious script content that executes in a victim's browser; CSRF tricks a victim's authenticated browser into submitting an unwanted request, without necessarily injecting any script at all.

Should small websites worry about the same vulnerabilities as large enterprises?
Yes — automated scanning bots don't discriminate by site size or traffic level; they scan indiscriminately across the entire internet for known, exploitable patterns.

How do I know if my error pages are leaking sensitive information?
Deliberately trigger an error (like requesting a non-existent page or malformed input) in a staging environment and check whether the response reveals file paths, stack traces, or internal configuration details.

What's a reasonable timeframe to address items on this checklist?
Most items — headers, SSL, basic information disclosure — are checkable and fixable within a single afternoon each using the free tools linked throughout this guide.