Website security checklist
Use this as a rolling hardening list. Each cluster links to focused guides and tools in the ExposureGrid library.
Step 1: Content Security Policy (CSP)
- Directives vs wildcards
- Nonces, hashes, and strict-dynamic rollout
- Report-only modes and CSP reporting endpoints
- Avoiding unsafe-inline / blob / overly broad sources
Step 2: Advanced CORS
- Origin reflection and credentialed reflection
- Vary: Origin when origins vary per request
- Tight methods, headers, and exposed header lists
Step 3: Cookie security
- Secure + HttpOnly + SameSite patterns
- __Host- / __Secure- prefixes
- Domain and path scoping
Step 4: TLS & certificate governance
- Chain completeness
- Hostname / SAN coverage
- Forward secrecy and weak suites
- CT and OCSP signals
Step 5: DNS governance
- CAA and delegation hygiene
- Dangling records and wildcards
- Apex vs www consistency
- NXDOMAIN / SERVFAIL handling
Step 6: Mail authentication
- SPF lookup limits and include chains
- DKIM selectors and key strength
- DMARC alignment and reporting
Step 7: HTTP transport & canonicalization
- HTTP→HTTPS upgrades
- Redirect chains and loops
- Mixed content and canonical hosts
Step 8: Open ports & services
- Remote access protocols
- Databases and cache ports
- Dev or alternate-port HTTP listeners
- Banner and version signals
Step 9: Sensitive files & paths
- .env, backups, dumps, configs
- Source maps and directory listings
- robots.txt and sitemap path hygiene
Step 10: Admin & management interfaces
- MFA, rate limits, and network restrictions
- Swagger / GraphQL consoles
- API docs reachable in production
Step 11: Origin, CDN & WAF posture
- Origin IP leakage
- Direct-origin vs edge-only assumptions
- WAF / CDN bypass patterns
- Edge cache risks
Step 12: Asset inventory & subdomains
- New or stale hostnames
- Shadow IT hints
- Bringing orphaned hosts under ownership
Step 13: Subdomain takeover
- Dangling aliases and provider fingerprints
- Reclaim vs remove DNS
- Inconclusive signals — verify manually
Step 14: Cloud storage exposure
- Public ACLs vs object indexes
- Domain-linked buckets
- Bucket listing mistakenly left enabled
Step 15: Secrets & sensitive fragments
- Rotate — never replay raw values
- Bundles, env leaks, OAuth material
- Pattern-only hits need manual review
Step 16: Phishing & impersonation signals
- Lookalikes and typos
- Brand impersonation wording
- Corroborate email and web signals cautiously
Step 17: Cross-signal correlation
- Compounding exposures
- Email + DNS + web paths
- Posture drift and regressions
Step 18: Scan coverage & confidence
- Partial scans and blocked probes
- Low confidence ≠ safe
- Re-run after fixes or infra changes
Step 19: Run focused tools
- CSP analyzer
- Port checker
- Subdomain scanners
- Storage and secrets probes (plan-aware)
Verify with a scan
Automated checks complement this checklist — they scale across routes and catch drift after deploys.
