Website Security Checklist: 20 Things to Check in 2026
Twenty concrete, checkable items covering certificates, DNS, email authentication, and HTTP headers — most fixable in under an hour, all free to verify.
📅 Published July 2026 · ⏳ 12 min read · ✍️ ToolsNovaHub Editorial Team
Website security audits often turn into vague advice about 'staying vigilant.' This checklist skips the vague part — every item below is something you can concretely check today, in most cases with a free tool, and fix within the same afternoon.
Transport & Certificates
- Certificate isn't expired or expiring soon. Check with our SSL Certificate Checker and renew anything with under 15 days remaining immediately. If renewal is still a manual task, automate it so this item stops depending on someone remembering.
- HTTPS is enforced everywhere, not just the homepage. Every page, including old blog posts and legacy URLs, should redirect HTTP to HTTPS.
- HSTS header is present. Without it, every first visit, and every visit after a cached redirect has expired, starts with a plaintext HTTP request that an on-path attacker can intercept before the redirect ever happens. Strict-Transport-Security with a long max-age tells browsers to go straight to HTTPS; includeSubDomains and preloading close the remaining gaps.
- No mixed content warnings. Images, scripts, or stylesheets still loaded over HTTP on an HTTPS page trigger browser warnings and can be blocked outright.
- Certificate covers all subdomains in use. Every active hostname must match an entry in the certificate's SAN list. A wildcard only covers one label: *.example.com matches www.example.com but not api.staging.example.com, and not the bare apex example.com, so deeper hostnames and the apex need entries of their own. Check via SSL Certificate Checker's SAN list.
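The three certificate items above can be checked in one pass. The following is an added example written for this checklist, not the code behind the SSL Certificate Checker: it reads the certificate in the dictionary shape Python's `ssl.getpeercert()` returns, computes days until `notAfter`, and matches each hostname you care about against the SAN list with the one-label wildcard rule. `SAMPLE_CERT`, `SAMPLE_HOSTS` and `CHECK_TIME` are constructed inputs, not a real certificate; `fetch_cert` is the live path for a host you pass on the command line.

```python
"""Certificate expiry and SAN coverage check (added example, not ToolsNovaHub's tool code)."""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 15  # the checklist's "fix immediately" threshold


def fetch_cert(host: str, port: int = 443) -> dict:
    """Live mode: fetch a server's leaf certificate as the dict ssl.getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN entry against a hostname the way browsers do (RFC 6125 style):
    a wildcard is only honoured in the leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    pattern_labels = pattern.split(".")[1:]      # everything after the "*"
    host_labels = hostname.split(".")
    return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels


def assess_cert(cert: dict, hostnames: list, now: Optional[float] = None) -> dict:
    """Report days remaining, whether that is under WARN_DAYS, and hostnames no SAN covers."""
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    uncovered = [h for h in hostnames if not any(san_matches(s, h) for s in sans)]
    return {
        "days_left": round(days_left, 1),
        "expiring_soon": days_left < WARN_DAYS,
        "sans": sans,
        "uncovered_hostnames": uncovered,
    }


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jul  1 00:00:00 2026 GMT",
    "notAfter": "Jul 20 23:59:59 2026 GMT",
}
# Hostnames actually in use; the third one is two labels deep and so not covered by the wildcard.
SAMPLE_HOSTS = ["example.com", "www.example.com", "api.staging.example.com"]
CHECK_TIME = 1783641600  # constructed "now": 2026-07-10 00:00:00 UTC

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # python cert_check.py host [other hostnames the same cert should cover ...]
        report = assess_cert(fetch_cert(sys.argv[1]), sys.argv[1:])
    else:
        report = assess_cert(SAMPLE_CERT, SAMPLE_HOSTS, now=CHECK_TIME)
    print(report)
```

Run against the sample, the report shows 11 days left (under the 15-day threshold) and flags `api.staging.example.com` as uncovered, which is exactly the gap the wildcard rule creates.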
HTTP Security Headers
- Content-Security-Policy is present and actually restrictive. Having the header with a wildcard source barely counts — verify it's scoped meaningfully using our Security Headers Checker.
- X-Frame-Options or CSP frame-ancestors is set. Either one prevents clickjacking via iframe embedding. frame-ancestors is the current standard and takes precedence where both are present, so set it in the CSP and keep X-Frame-Options: DENY or SAMEORIGIN for older browsers.
- X-Content-Type-Options: nosniff is present. A one-line, zero-cost header with no reason to skip it.
- Referrer-Policy isn't leaking full URLs cross-origin. unsafe-url and no-referrer-when-downgrade send the full path and query string to other origins, which can include session tokens or reset links; strict-origin-when-cross-origin is a safe, widely-compatible default.
- Server / X-Powered-By headers don't overshare. Minor hardening step — reduces information available to an attacker fingerprinting your stack.
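The five header items above (plus HSTS from the transport section) can be scored mechanically. This is an added example written for this checklist, not the code behind the Security Headers Checker. `audit_headers` takes a response-header dictionary and returns one failure per checklist item that is not met; it parses the CSP into directives so that "present but wildcarded" is caught rather than just "present". `WEAK_HEADERS` and `HARDENED_HEADERS` are constructed samples; `fetch_headers` is the live path and assumes a URL you supply.

```python
"""HTTP security header audit (added example, not ToolsNovaHub's checker code)."""
import re
import urllib.request

# Script sources that make a CSP effectively non-restrictive.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def fetch_headers(url: str) -> dict:
    """Live mode: GET the URL and return its response headers (not used by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers)


def parse_csp(value: str) -> dict:
    """Turn "default-src 'self'; script-src 'self' cdn" into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers: dict) -> dict:
    """Return {check: reason} for every checklist item that fails; {} means all passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    failures = {}

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not csp:
        failures["csp"] = "Content-Security-Policy missing"
    else:
        # script-src falls back to default-src; neither means scripts are unrestricted
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            failures["csp"] = "no script-src or default-src, so scripts are unrestricted"
        else:
            weak = [s for s in script if s in WEAK_SOURCES]
            if weak:
                failures["csp"] = "script-src permits " + " ".join(weak)

    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        failures["clickjacking"] = "no CSP frame-ancestors and no X-Frame-Options"

    if h.get("x-content-type-options", "").lower() != "nosniff":
        failures["nosniff"] = "X-Content-Type-Options: nosniff missing"

    referrer = h.get("referrer-policy", "").lower()
    if not referrer:
        failures["referrer"] = "Referrer-Policy missing (browser default applies)"
    elif referrer in LEAKY_REFERRER:
        failures["referrer"] = f"Referrer-Policy {referrer} sends the full URL cross-origin"

    max_age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not max_age:
        failures["hsts"] = "Strict-Transport-Security missing or without max-age"
    elif int(max_age.group(1)) == 0:
        failures["hsts"] = "max-age=0 tells browsers to forget HSTS"

    leaks = []
    if "x-powered-by" in h:
        leaks.append("X-Powered-By: " + h["x-powered-by"])
    if re.search(r"\d+\.\d+", h.get("server", "")):      # a version number in Server
        leaks.append("Server: " + h["server"])
    if leaks:
        failures["fingerprint"] = "; ".join(leaks)
    return failures


# Constructed samples: a typical default stack, and the same site after the fixes.
WEAK_HEADERS = {
    "Server": "Apache/2.4.57 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.2",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "all checks passed")
```

The weak sample has a CSP header, so a presence-only check would pass it; the parsed check reports that script-src permits `*` and `'unsafe-inline'`, which is the "barely counts" case the list describes.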
Email Authentication
- SPF record exists and stays under 10 DNS lookups. Every include:, a, mx, ptr, exists and redirect= term counts toward the limit, and the nested includes inside third-party senders' records count too, so the budget runs out faster than the top-level record suggests. Check with our SPF Lookup tool; exceeding the limit causes a PermError that many receivers treat as failure.
- DKIM is configured for every sending source. Not just your primary mail provider — marketing platforms, transactional email services, and CRM tools all need their own DKIM setup. Verify with our DKIM Lookup tool.
- DMARC record exists, ideally at enforcement. p=none only monitors; p=quarantine or p=reject (with pct=100, the default) actually blocks spoofed mail. Keep a rua= reporting address so you can see what fails before and after you tighten the policy.
- MX records point to the correct, current mail provider. Stale MX records after a provider migration can silently misroute inbound mail.
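The SPF lookup budget and the DMARC enforcement item are both checks on record text, so they can be verified against an offline copy of your zone. The following is an added example, not the code behind the SPF Lookup tool: `count_spf_lookups` walks include: and redirect= chains the way a receiver would, counting every querying term and refusing to follow an include loop, and `check_dmarc` reports whether the policy actually blocks anything. `DNS` is a constructed map of TXT records standing in for real lookups; the hostnames in it are placeholders.

```python
"""SPF lookup budget and DMARC enforcement check over an offline DNS map (added example)."""
import re

SPF_LOOKUP_LIMIT = 10                       # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=/](.*))?$")   # name, optional argument


def count_spf_lookups(domain: str, txt_records: dict, path: tuple = ()) -> tuple:
    """Count DNS-querying terms in domain's SPF record, following include: and redirect=.

    Returns (lookups, problems). `path` is the chain of records currently being
    evaluated, so an include loop is reported instead of recursing forever."""
    if domain in path:
        return 0, ["include loop: " + " -> ".join(path + (domain,))]
    path = path + (domain,)
    spf = [r for r in txt_records.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # no record is a PermError for an include target; two records is a PermError anywhere
        return 0, [f"{domain}: expected exactly one v=spf1 record, found {len(spf)}"]
    lookups, problems = 0, []
    for term in spf[0].split()[1:]:
        match = TERM_RE.match(term.lstrip("+-~?").lower())   # strip the qualifier
        if not match or match.group(1) not in LOOKUP_TERMS:
            continue                            # ip4:, ip6:, all and unknown modifiers cost nothing
        lookups += 1
        if match.group(1) in ("include", "redirect") and match.group(2):
            sub_lookups, sub_problems = count_spf_lookups(match.group(2), txt_records, path)
            lookups += sub_lookups
            problems += sub_problems
    return lookups, problems


def check_spf(domain: str, txt_records: dict) -> dict:
    lookups, problems = count_spf_lookups(domain, txt_records)
    over = lookups > SPF_LOOKUP_LIMIT
    if over:
        problems.append(f"{domain}: {lookups} lookups exceeds {SPF_LOOKUP_LIMIT} (PermError)")
    return {"lookups": lookups, "permerror": over, "problems": problems}


def check_dmarc(domain: str, txt_records: dict) -> dict:
    """Parse _dmarc.<domain> and say whether the policy actually blocks spoofed mail."""
    records = [r for r in txt_records.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return {"present": False, "policy": None, "pct": None, "enforcing": False}
    tags = {}
    for pair in records[0].split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    return {"present": True, "policy": policy, "pct": pct,
            "enforcing": policy in ("quarantine", "reject") and pct == 100}


# Constructed TXT records: one primary mail host plus a CRM that itself includes the mail host.
DNS = {
    "example.com": ["v=spf1 mx include:_spf.mailhost.example include:spf.crm.example -all",
                    "google-site-verification=constructed-sample"],
    "_spf.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf1.mailhost.example "
                              "include:_spf2.mailhost.example ~all"],
    "_spf1.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf2.mailhost.example": ["v=spf1 a mx -all"],
    "spf.crm.example": ["v=spf1 include:_spf.mailhost.example include:_netblocks.crm.example -all"],
    "_netblocks.crm.example": ["v=spf1 ip4:203.0.113.0/24 a:mail.crm.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example"],
}

if __name__ == "__main__":
    print(check_spf("example.com", DNS))
    print(check_dmarc("example.com", DNS))
```

The sample record only has three terms of its own, yet it resolves to 14 lookups because the CRM's record pulls the mail host's includes in a second time; that is the nested-include trap the list item warns about. A PermError here means receivers that treat it as failure will reject or junk legitimate mail, not just spoofed mail.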
DNS & Domain
- Domain registration hasn't lapsed or auto-renew is confirmed on. An expired domain is a far bigger outage than an expired certificate.
- DNSSEC is enabled if your registrar and DNS host support it. Signing the zone lets validating resolvers reject forged answers, which protects against DNS cache poisoning and spoofing; the registrar has to publish the DS record for the signatures to count, so verify the chain after turning it on rather than assuming the toggle did it.
- No orphaned DNS records pointing to decommissioned services. Old CNAME records pointing to a deprovisioned cloud resource can be hijacked by an attacker who claims that resource name.
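One way to sweep for the orphaned-record item: export the zone, collect the CNAMEs, and resolve each target. This is an added example written for this checklist, not one of ToolsNovaHub's tools. A target that returns NXDOMAIN is the classic takeover candidate, because the attacker only needs to register that name with the provider again. `ZONE` and `fake_resolver` are constructed; in a real run pass `socket.gethostbyname` (the default) and your own zone export.

```python
"""Dangling CNAME sweep (added example, not ToolsNovaHub's tool code)."""
import socket


def parse_zone_cnames(zone_text: str) -> dict:
    """Collect {owner: target} from the CNAME lines of a BIND-style zone export."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()         # drop comments and blank lines
        if len(fields) >= 3 and fields[-2].upper() == "CNAME":
            cnames[fields[0].rstrip(".")] = fields[-1].rstrip(".")
    return cnames


def find_dangling(cnames: dict, resolve=socket.gethostbyname) -> list:
    """Return (owner, target, reason) for every CNAME whose target no longer resolves."""
    dangling = []
    for owner, target in sorted(cnames.items()):
        try:
            resolve(target)
        except socket.gaierror as err:              # NXDOMAIN and similar resolution failures
            dangling.append((owner, target, err.strerror or str(err)))
    return dangling


# Constructed zone fragment; provider hostnames are placeholders.
ZONE = """\
; constructed sample zone
www.example.com.      300 IN CNAME example-com.cdn-provider.example.
blog.example.com.     300 IN CNAME pages.hosting-provider.example.
old-app.example.com.  300 IN CNAME old-app-prod.cloud-provider.example.  ; app retired last year
"""


def fake_resolver(target: str) -> str:
    """Constructed stand-in for socket.gethostbyname: the retired app's name has been released."""
    if target == "old-app-prod.cloud-provider.example":
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return "192.0.2.10"


if __name__ == "__main__":
    for owner, target, reason in find_dangling(parse_zone_cnames(ZONE), resolve=fake_resolver):
        print(f"{owner} -> {target}: {reason}")
```

NXDOMAIN is only the first signal. Some providers' endpoints resolve whether or not the resource behind them still exists (a deleted storage bucket's hostname is the usual example), so a CNAME that resolves still needs an HTTP check for the provider's "no such resource" response before you can call it safe.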
Access & Infrastructure
- Admin panels aren't reachable from the open internet unnecessarily. IP allow-listing or a VPN requirement significantly reduces brute-force exposure.
- All accounts with write access use strong, unique passwords and 2FA. Credential stuffing remains one of the most common breach vectors.
- Software, plugins, and CMS core are on supported, patched versions. Automated scanners probe the whole internet continuously for known, unpatched vulnerabilities, so a missing patch gets found by bots long before anyone targets your site deliberately.
Priority Order
If you can only tackle a few items this week, start here: (1) confirm certificate isn't expiring soon, (2) confirm HTTPS/HSTS is enforced everywhere, (3) add a real Content-Security-Policy in report-only mode first, (4) verify SPF/DKIM/DMARC for every sending source, (5) enable 2FA on every account with write access. These five alone close the majority of realistic attack paths for a typical website.
FAQs
How often should I run a website security checklist?
A full pass quarterly is reasonable for most sites, plus an immediate re-check after any hosting, CDN, DNS, or major software change.
What's the single highest-priority item on this checklist?
Confirming your SSL certificate isn't expiring soon, since an expired certificate causes an immediate, visible outage for every visitor — unlike most other items, which are more gradual risk reduction.
Do I need all of SPF, DKIM, and DMARC, or just one?
All three, ideally. They protect different things: SPF lists who may send, DKIM signs the message, and DMARC tells receivers what to do when neither aligns. Google and Yahoo now effectively require all three configured for reliable bulk email deliverability.
Is DNSSEC necessary for a small website?
It adds meaningful protection against DNS spoofing for relatively little setup effort if your registrar supports it, though it's a lower priority than certificate and header basics for most small sites.
What is mixed content and why does it matter?
When an HTTPS page loads a resource (image, script, stylesheet) over plain HTTP, browsers flag or outright block it, since that resource wasn't protected by encryption even though the page itself was.
Can I check all these items using free tools?
Yes — SSL certificate status, security headers, SPF, DKIM, and DNS records can all be checked with ToolsNovaHub's free tools without any paid service or software installation.
What is the risk of an orphaned DNS record?
If a CNAME or similar record points to a cloud resource (like an S3 bucket or CDN endpoint) that's been deleted, an attacker can sometimes claim that same resource name and effectively take over your subdomain.
Should small websites worry about clickjacking?
Yes — clickjacking doesn't require a high-value target, just a page with clickable actions (forms, buttons, login) that an attacker can trick a visitor into activating unknowingly.
How do I know if my CSP is actually restrictive enough?
Run it through our Security Headers Checker — a policy using broad wildcards like script-src * technically has CSP present while providing minimal real protection.
What is the fastest fix on this entire checklist?
Adding X-Content-Type-Options: nosniff — it's a single header line with essentially zero risk of breaking anything, unlike CSP which needs careful testing.
Does using a CDN cover most of these items automatically?
Some CDNs offer one-click security header presets and automatic certificate management, but you still need to verify they're actually enabled and correctly configured for your specific domain.
How do I check for expired or unused plugins on my CMS?
Most CMS admin dashboards (WordPress, Joomla, etc.) flag outdated plugins directly — review this list monthly and remove anything genuinely unused rather than just leaving it deactivated, since deactivated plugin code still sits on disk.
Is 2FA really necessary for a small team?
Yes — team size doesn't reduce the risk of credential stuffing or phishing; a compromised single password with no 2FA is one of the most common ways small sites get breached.
What's a reasonable timeframe to fix everything on this checklist?
Most items are fixable within a single afternoon per category — certificates and headers especially, since both have free instant-checking tools with clear, actionable fixes.
Should I hire a security professional instead of doing this myself?
For a straightforward marketing site or blog, this checklist covers the highest-impact basics yourself. For anything handling sensitive user data, payments, or at meaningful scale, a professional audit adds real value beyond this baseline.