Website Security Checklist for Developers: 50 Essential Checks
A comprehensive website security checklist covering authentication, input validation, API security, infrastructure hardening, and incident response. 50 actionable checks every developer should run before deploying to production.
Authentication and Authorization
Authentication confirms who a user is; authorization determines what they can do. Both must be implemented correctly, and a weakness in either undoes the other. Require multi-factor authentication for all admin accounts and for sensitive operations such as password changes, payouts and API key creation. Manage sessions securely: use long, random, server-generated session identifiers, set the cookie with HttpOnly, Secure and SameSite (Lax or Strict), rotate the identifier on login, and enforce short idle and absolute timeouts. Never roll your own authentication; use established libraries and protocols, with OpenID Connect for authentication and OAuth 2.0 for delegated authorization. Enforce password policy: a minimum of 12 characters, a check against lists of common and breached passwords, and rate-limited login attempts with lockout or step-up verification on repeated failures. Implement role-based access control (RBAC) with least privilege, so users reach only what their role needs, and check object ownership as well as role on every lookup, since the per-object check is what stops insecure direct object references. Always validate authorization server-side on every request; hiding UI elements is not authorization.
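The three controls above (a hardened session cookie, a password-policy check and a deny-by-default server-side authorization check) as an added example in plain Node.js. This is illustrative code written for this checklist, not a library's API: the role names, permission strings, cookie name and the tiny password denylist are assumptions.

```javascript
// Added example, not part of the original checklist: a hardened session
// cookie, a password-policy check and a server-side authorization check.
// Role names, permission strings and the tiny denylist are illustrative.

const ROLE_PERMISSIONS = {
  viewer: new Set(['report:read']),
  editor: new Set(['report:read', 'report:write']),
  admin: new Set(['report:read', 'report:write', 'user:manage']),
};

// Constructed stand-in for a breached-password list (use a real corpus such
// as Pwned Passwords in production).
const COMMON_PASSWORDS = new Set(['password', 'password1234', 'qwertyuiop12', '123456789012']);

// Minimum length plus a denylist; no composition rules, which push users
// towards predictable substitutions rather than longer secrets.
function checkPassword(password) {
  if (typeof password !== 'string' || password.length < 12) {
    return { ok: false, reason: 'shorter than 12 characters' };
  }
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return { ok: false, reason: 'common password' };
  }
  return { ok: true };
}

// Set-Cookie value for the session identifier. HttpOnly keeps it out of
// document.cookie, Secure limits it to HTTPS, SameSite=Lax (or Strict) stops
// cross-site requests from carrying it, the __Host- prefix forces Secure and
// Path=/ with no Domain attribute, and Max-Age bounds the lifetime of a stolen
// cookie. The id itself must be a long, server-generated random token.
function buildSessionCookie(sessionId, { maxAgeSeconds = 900, sameSite = 'Lax' } = {}) {
  if (!/^[A-Za-z0-9_-]{32,}$/.test(sessionId)) {
    throw new Error('session id must be at least 32 URL-safe random characters');
  }
  if (sameSite !== 'Lax' && sameSite !== 'Strict') {
    throw new Error('SameSite=None would let cross-site requests send the cookie');
  }
  return `__Host-session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=${maxAgeSeconds}`;
}

// The check every handler runs before touching a resource: deny by default,
// require the permission for the caller's role, and for object-level access
// require ownership unless the caller is an admin. Whether the UI showed the
// button is irrelevant here.
function authorize(user, permission, resource) {
  if (!user || !user.role) return { allowed: false, reason: 'unauthenticated' };
  const granted = ROLE_PERMISSIONS[user.role];
  if (!granted || !granted.has(permission)) return { allowed: false, reason: 'role lacks permission' };
  if (resource && resource.ownerId !== user.id && user.role !== 'admin') {
    return { allowed: false, reason: 'not the owner' };
  }
  return { allowed: true };
}
```

Call `authorize` inside the handler with the resource loaded from the database, not with identifiers taken from the request, so the ownership comparison is against what the server knows.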
Input Validation and Injection Prevention
Every input is an attack vector: form fields, headers, cookies, URL parameters, file contents and responses from upstream services alike. Use parameterized queries (prepared statements) for all database operations, with no exceptions; where a table or column name must vary, pick it from a fixed allowlist, because placeholders cannot bind identifiers. Validate on the server against an allowlist of expected types, lengths and formats; client-side validation improves usability but is trivially bypassed, so server-side validation is the only one that counts as a control. Deploy a Content Security Policy (CSP) to contain XSS: start restrictive (for example default-src 'self' with a nonce- or hash-based script-src and no 'unsafe-inline'), and relax individual directives only for a documented reason. Encode output for the context it lands in: HTML entity encoding for HTML text and attributes, JavaScript string escaping for values placed inside script literals, and percent-encoding for values placed in URL parameters; for DOM insertion prefer textContent or your framework's safe bindings over innerHTML. Validate file uploads: determine the type from the file's magic bytes, require it to be on an allowlist and to match the declared extension, store uploads outside the web root under a server-generated name, and enforce a size limit. Use CSRF tokens on all state-changing requests (SameSite cookies are a useful second layer, not a replacement). Validate redirect destinations by parsing the URL and comparing its origin or path against an allowlist, since prefix checks are fooled by values such as //evil.example.
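Three of the checks above worked in plain Node.js: context-specific output encoders, the parse-then-compare open-redirect check, and magic-byte validation of uploads. This is an added example for this checklist, not code from any library; APP_ORIGIN, the accepted upload types and the helper names are assumptions.

```javascript
// Added example, not part of the original checklist: contextual output
// encoders, an open-redirect check and magic-byte upload validation.
// APP_ORIGIN and the accepted upload types are assumptions for the example.

const APP_ORIGIN = 'https://app.example'; // assumed application origin

// HTML text and double-quoted attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// JavaScript string-literal context (a value inside <script>var x = "...";</script>).
// Everything outside [A-Za-z0-9] becomes \uXXXX, so quotes, backslashes, line
// terminators and "</script>" cannot end the literal or the script element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query-parameter context.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Open-redirect check: resolve the candidate against our origin and keep only
// path, query and fragment when the resolved origin is ours. This rejects
// "//evil.example", "/\evil.example", "https://app.example@evil.example/" and
// "javascript:" targets, all of which slip past a startsWith('/') test.
function safeRedirectTarget(candidate, fallback = '/') {
  let url;
  try {
    url = new URL(String(candidate), APP_ORIGIN);
  } catch (e) {
    return fallback;
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Upload validation: the leading bytes decide the type, never the extension or
// the client's Content-Type, and the sniffed type must also match the name.
const UPLOAD_SIGNATURES = [
  { type: 'image/png', exts: ['png'], magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', exts: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] },
  { type: 'application/pdf', exts: ['pdf'], magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

function sniffUploadType(bytes) {
  return UPLOAD_SIGNATURES.find(s => s.magic.every((b, i) => bytes[i] === b)) || null;
}

function validateUpload(bytes, filename, maxBytes = 5 * 1024 * 1024) {
  if (bytes.length > maxBytes) return { ok: false, reason: 'exceeds size limit' };
  const sniffed = sniffUploadType(bytes);
  if (!sniffed) return { ok: false, reason: 'content is not an accepted type' };
  const ext = String(filename).toLowerCase().split('.').pop();
  if (!sniffed.exts.includes(ext)) {
    return { ok: false, reason: `content is ${sniffed.type} but the name ends in .${ext}` };
  }
  // Store under a server-generated name outside the web root; the original
  // filename is untrusted and is used only for this consistency check.
  return { ok: true, type: sniffed.type };
}
```

The redirect check relies on the WHATWG URL parser doing the normalisation (backslashes, userinfo, scheme-relative URLs) rather than on hand-written string checks, which is where most open-redirect bypasses live.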
API Security
APIs are the backbone of modern applications and a primary attack surface. Rate-limit every endpoint with a sliding-window algorithm; key the limit on the authenticated user or API key so that one client behind a shared NAT cannot exhaust another's quota, and on unauthenticated endpoints such as login key it on both the source IP and the target account. Validate all input against a schema (Zod, Joi or JSON Schema) and reject unknown fields instead of silently ignoring them. Never expose internal error details to clients; return a generic message with a correlation ID and log the details server-side. Require authentication on every endpoint except those explicitly marked public, and enforce object-level authorization on each lookup. Send API keys and OAuth tokens in the Authorization header, never in URLs, where they end up in server logs, browser history and Referer headers. Configure CORS restrictively: reflect only origins from a fixed allowlist, add Access-Control-Allow-Credentials only for those, and send Vary: Origin. Access-Control-Allow-Origin: * is acceptable only for public, unauthenticated resources; the dangerous misconfiguration is reflecting an arbitrary Origin together with credentials. Set request body size limits and timeouts so a single client cannot hold connections or memory. Version your APIs and plan deprecation so that older, less-hardened versions are actually retired. Document your API with an OpenAPI/Swagger specification and use it to drive both request validation and security testing.
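The rate-limiting and CORS points above as an added, runnable example in plain Node.js, written for this checklist rather than taken from any framework. The limiter is a sliding-window log keyed per principal; the clock is injected so the behaviour is deterministic. The limits, key formats, request shape and allowed origins are assumptions.

```javascript
// Added example, not part of the original checklist: a sliding-window-log rate
// limiter keyed per principal, and a CORS allow-list. The clock is injected so
// runs are deterministic; the limits, key formats and allowed origins are
// this example's assumptions.

class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of counted requests
  }

  // Count the request if fewer than `limit` requests fall in (now - windowMs, now].
  // Unlike a fixed window, a burst cannot double its budget at a boundary.
  check(key) {
    const now = this.now();
    const recent = (this.hits.get(key) || []).filter(t => t > now - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Key choice: authenticated requests are limited per user so tenants behind a
// shared NAT do not exhaust each other's quota. Login has no user yet, so it is
// limited per source IP and per target account together; a request blocked by
// one key still counts against the others, which is intended for login attempts.
function limiterKeys(req) {
  if (req.userId) return [`user:${req.userId}`];
  const keys = [`ip:${req.ip}`];
  if (req.body && typeof req.body.username === 'string') {
    keys.push(`login:${req.body.username.toLowerCase()}`);
  }
  return keys;
}

function rateLimit(limiter, req) {
  const results = limiterKeys(req).map(key => limiter.check(key));
  const blocked = results.find(r => !r.allowed);
  return blocked ? { allowed: false, retryAfterMs: blocked.retryAfterMs } : { allowed: true };
}

// CORS: reflect only an origin from a fixed allow list, and only then grant
// credentials. Reflecting the request's Origin blindly lets any site make
// credentialed calls; "*" is acceptable only for public, unauthenticated data.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']); // assumed

function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {}; // browser blocks the read
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not replay one origin's answer to another
  };
}
```

In a multi-instance deployment the `hits` map would live in a shared store such as Redis; the key selection and window logic stay the same. Surface `retryAfterMs` to clients as a Retry-After header so well-behaved ones back off.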
Infrastructure and Deployment
Security doesn't end at the application layer. Enforce HTTPS everywhere: redirect HTTP to HTTPS, send a Strict-Transport-Security header with a max-age of at least one year and includeSubDomains, and require TLS 1.2 as the minimum with TLS 1.3 preferred and legacy cipher suites disabled. Set security headers: X-Frame-Options DENY (or, better, CSP frame-ancestors 'none', which supersedes it), X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy to disable browser features you do not use, such as camera, microphone and geolocation. Scan dependencies in CI/CD with npm audit, Snyk or Dependabot and fail the build on critical findings; commit a lockfile so the tree you scanned is the tree you deploy. Scan container images (Trivy, Grype) and Infrastructure-as-Code (Checkov, tfsec) on every change, and build images from minimal, non-root bases. Keep secrets in a secrets manager and inject them at runtime; environment variables are an acceptable injection path but are readable by every process in the container and tend to leak into crash dumps and child processes, so never commit secrets to code, config files or images. Patch on a schedule and fix critical CVEs within 48 hours, which is only achievable when the dependency scan above already tells you where they are.
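A small audit of a response's security headers against the checks above, as an added example in plain Node.js (not a library's code): feed it the header map from a deployed endpoint, or from a test against your own server, and it returns the gaps. The header names are the standard ones; the one-year HSTS threshold and the wording of the findings are this example's choices.

```javascript
// Added example, not part of the original checklist: auditing a response's
// security headers against the checks above. Header names are standard; the
// one-year HSTS threshold and the finding texts are this example's choices.

const ONE_YEAR_SECONDS = 31536000;

function parseHsts(value) {
  const parsed = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const [name, raw] = directive.trim().toLowerCase().split('=');
    if (name === 'max-age') parsed.maxAge = Number(raw);
    if (name === 'includesubdomains') parsed.includeSubDomains = true;
    if (name === 'preload') parsed.preload = true;
  }
  return parsed;
}

// The sources governing scripts (script-src, else default-src), so that
// 'unsafe-inline' is flagged only where it actually weakens the policy.
function cspScriptSources(csp) {
  const directives = new Map(csp.split(';').map(d => {
    const [name, ...sources] = d.trim().split(/\s+/);
    return [name.toLowerCase(), sources];
  }));
  return directives.get('script-src') || directives.get('default-src') || [];
}

// `headers`: header name -> value in any case (the shape of res.getHeaders()).
// Returns a list of findings; an empty list means the checklist is satisfied.
function auditSecurityHeaders(headers, { https = true } = {}) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  if (!https) findings.push('served over plain HTTP; browsers ignore HSTS on HTTP responses');
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const p = parseHsts(hsts);
    if (!(p.maxAge >= ONE_YEAR_SECONDS)) findings.push(`HSTS max-age ${p.maxAge} is below one year`);
    if (!p.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  const csp = h['content-security-policy'] || '';
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!/frame-ancestors/i.test(csp) && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('no clickjacking protection (CSP frame-ancestors or X-Frame-Options)');
  }
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const sources = cspScriptSources(csp);
    // A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone.
    const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("CSP allows 'unsafe-inline' scripts, which defeats its XSS protection");
    }
  }
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');
  if (h['x-powered-by']) findings.push('X-Powered-By reveals the framework; remove it');
  return findings;
}
```

Run it as a CI check against a staging deployment and fail the pipeline on a non-empty result, the same way the dependency scan fails the build.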
Monitoring and Incident Response
You can't protect what you can't see. Centralize logs in a structured format (JSON) with UTC timestamps, the authenticated user ID, source IP, request ID and action type, and never log passwords, tokens or session identifiers. Alert on suspicious activity: bursts of failed logins for one account or from one IP, unusual API call patterns, privilege changes, and large or unusual data exports; tune thresholds against a baseline so that alerts stay actionable. Write incident response playbooks for common scenarios (data breach, ransomware, DDoS, compromised credentials, insider threats) and exercise them in tabletop drills before you need them. Hold a blameless post-incident review after every security event: what happened, which detection or control was missing, and which improvements are owned by whom. Regular penetration testing validates that your defenses actually work against a skilled adversary, and a bug bounty program adds continuous validation by external researchers.
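Two of the alert rules above (failed-login bursts and large exports) run over constructed structured log lines, as an added example in plain Node.js written for this checklist. The field names (ts, event, outcome, user, ip, bytes), the sample lines and the thresholds are this example's schema and assumptions, not a standard; map them onto your own log format.

```javascript
// Added example, not part of the original checklist: two of the alert rules
// above run over constructed JSON log lines. The field names (ts, event,
// outcome, user, ip, bytes) are this example's schema, not a standard one.

// Constructed sample logs: five failures for alice from one IP in 20 seconds,
// one failure for bob, and carol exporting 80 MiB + 30 MiB within an hour.
const SAMPLE_LOG_LINES = [
  '{"ts":"2024-05-01T10:00:00Z","event":"login","outcome":"failure","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:05Z","event":"login","outcome":"failure","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:10Z","event":"login","outcome":"failure","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:15Z","event":"login","outcome":"failure","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:20Z","event":"login","outcome":"failure","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:30Z","event":"login","outcome":"success","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:01:00Z","event":"login","outcome":"failure","user":"bob","ip":"203.0.113.9"}',
  '{"ts":"2024-05-01T11:00:00Z","event":"export","user":"carol","ip":"203.0.113.20","bytes":83886080}',
  '{"ts":"2024-05-01T11:30:00Z","event":"export","user":"carol","ip":"203.0.113.20","bytes":31457280}',
  '{"ts":"2024-05-01T11:45:00Z","event":"export","user":"dave","ip":"203.0.113.21","bytes":10485760}',
];

function parseLogLines(lines) {
  return lines.map(line => JSON.parse(line));
}

// Alert when `threshold` failed logins fall within `windowMs`, grouped once by
// source IP (catches credential stuffing across many accounts) and once by
// account (catches a distributed brute force against one user).
function detectFailedLoginBursts(events, { threshold = 5, windowMs = 60000 } = {}) {
  const alerts = [];
  for (const field of ['ip', 'user']) {
    const byKey = new Map();
    for (const e of events) {
      if (e.event !== 'login' || e.outcome !== 'failure' || !e[field]) continue;
      if (!byKey.has(e[field])) byKey.set(e[field], []);
      byKey.get(e[field]).push(Date.parse(e.ts));
    }
    for (const [key, times] of byKey) {
      times.sort((a, b) => a - b);
      // Two-pointer sliding window over the sorted timestamps.
      for (let i = 0, j = 0; j < times.length; j++) {
        while (times[j] - times[i] > windowMs) i++;
        if (j - i + 1 >= threshold) {
          alerts.push({ rule: 'failed-login-burst', by: field, key, count: j - i + 1 });
          break;
        }
      }
    }
  }
  return alerts;
}

// Alert when one user's exports within `windowMs` exceed `maxBytes` in total,
// so a large pull split into several smaller downloads is still seen.
function detectLargeExports(events, { maxBytes = 100 * 1024 * 1024, windowMs = 3600000 } = {}) {
  const alerts = [];
  const byUser = new Map();
  for (const e of events) {
    if (e.event !== 'export') continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ t: Date.parse(e.ts), bytes: e.bytes });
  }
  for (const [user, items] of byUser) {
    items.sort((a, b) => a.t - b.t);
    let sum = 0;
    for (let i = 0, j = 0; j < items.length; j++) {
      sum += items[j].bytes;
      while (items[j].t - items[i].t > windowMs) sum -= items[i++].bytes;
      if (sum > maxBytes) {
        alerts.push({ rule: 'large-export', user, bytes: sum });
        break;
      }
    }
  }
  return alerts;
}

function runDetections(lines) {
  const events = parseLogLines(lines);
  return [...detectFailedLoginBursts(events), ...detectLargeExports(events)];
}
```

Both rules are batch-style scans over a window of events; in a streaming pipeline the same two-pointer logic becomes a per-key ring buffer. The point of grouping by IP and by account separately is that each catches an attack pattern the other misses.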
K4L1 Security
Bug Bounty Hunter & Security Researcher