The Complete Website Security Checklist for 2026
A 40-point security checklist covering HTTPS, security headers, authentication, input validation, dependency management, and monitoring — for any website or web application.
Transport security (must-haves)
HTTPS on all pages, HSTS header configured, TLS 1.2+ enforced, HTTP to HTTPS redirect, valid certificate with auto-renewal. These are non-negotiable in 2026.
Security headers
Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security, Referrer-Policy, Permissions-Policy. Missing any of these is a finding in every security audit.
Get your security score in 10 seconds.
UebGuard runs this checklist against your domain automatically and shows you exactly what to fix.
No credit card required. Results in 10 seconds.
Authentication security
Rate limiting on login endpoints, account lockout after failed attempts, CSRF protection on state-changing forms, secure session cookies (HttpOnly, Secure, SameSite), multi-factor authentication support.
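To make the header and cookie items above concrete, here is an added example (not UebGuard's code or part of the original checklist) that scores a captured set of response headers and Set-Cookie values offline. The sample headers and cookies are constructed, and the six-month HSTS minimum is an assumed audit threshold.

```python
import re

# Constructed sample response headers (not from a real site): HSTS is too
# short, X-Frame-Options is wrong, Permissions-Policy is missing, and the
# Server header leaks a version.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "nginx/1.24.0",
}
# Constructed Set-Cookie values; the second lacks every required flag.
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
]
REQUIRED_COOKIE_FLAGS = ("httponly", "secure", "samesite")
MIN_HSTS_AGE = 15552000  # six months; assumed audit threshold, not from the page


def check_headers(headers):
    """Return a list of findings; an empty list means the header items pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in ("content-security-policy", "referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing header: {name}")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing header: strict-transport-security")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"strict-transport-security max-age too short: {m.group(1)}")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("x-frame-options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    if re.search(r"\d", h.get("server", "")):
        findings.append("server header leaks version")
    return findings


def check_cookies(set_cookie_values):
    """Return findings for Set-Cookie values missing HttpOnly, Secure or SameSite."""
    findings = []
    for raw in set_cookie_values:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in raw.split(";")[1:]}
        findings += [f"cookie {name} lacks {flag}" for flag in REQUIRED_COOKIE_FLAGS if flag not in attrs]
    return findings
```

Feed `check_headers` and `check_cookies` the headers of a real response (for example from `requests` or `curl -I`) to get the same findings list for a site you operate.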
Input validation and injection prevention
Parameterized queries (never string-concatenated SQL), output encoding for user-generated content, file upload type validation, request size limits, and JSON schema validation on API inputs.
Dependency and infrastructure
Automated dependency vulnerability scanning, no default credentials on any service, debug mode disabled in production, server version headers suppressed, error pages that don't leak stack traces.