When you're a freelancer, security isn't just a technical concern — it's a liability one. If a client's site gets defaced, leaks customer data, or fails a penetration test after launch, the conversation gets uncomfortable fast. Most freelancers I know don't have a formal handover process for security, and that's exactly where issues slip through.
This is the checklist I'd hand to any freelance developer shipping client work. It's grouped by area, with the specific configs and gotchas that actually matter in production.
1. Transport Layer: SSL/TLS Done Properly
HTTPS isn't a checkbox anymore — the configuration details matter. A green padlock can still hide weak ciphers and missing HSTS.
- Force HTTPS with a 301 redirect from http:// to https:// at the server or CDN level.
- Enable HSTS with a sensible max-age: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Only add preload if you intend to submit the domain to the HSTS preload list, and only add includeSubDomains once every subdomain (including the client's legacy and internal hosts) serves HTTPS; both are very hard to walk back once browsers have cached them.
- Disable TLS 1.0 and 1.1. Only TLS 1.2 and 1.3 should be enabled.
- Check the certificate chain. A missing intermediate cert is a common cause of errors on mobile browsers that desktop Chrome hides, because desktop Chrome fetches the missing intermediate itself.
- Auto-renew with Let's Encrypt or your host's managed certs. Set a calendar reminder anyway.
Quick verification
Run an SSL Labs test or a WebSentry scan before handover. If you're not getting at least an A on the SSL section, fix it before invoicing.
2. Security Headers: The Free Wins
Security headers cost nothing to add and close off whole classes of attack: clickjacking, MIME sniffing, referrer leakage, and silent use of device features. There's no excuse for missing them on a production site.
The minimum set I add to every project:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
For Nginx, add these with add_header in your server block. Two gotchas: an add_header inside a location block replaces, rather than extends, the set inherited from the server block, so repeat the full list there; and headers are only sent on 2xx and 3xx responses unless you append always. For Apache, use Header always set in your virtual host. For Cloudflare or Netlify, use Transform Rules or a _headers file. X-Frame-Options stays for older browsers; on anything current the CSP frame-ancestors directive (section 3) takes precedence when both are present, so keep the two consistent.
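As an added example (not the article's or WebSentry's code), the Python below audits a response's headers against this minimum set and parses the HSTS value from section 1. Headers are passed as a plain dict, the way requests' response.headers or a copy from DevTools gives you them; the two sample responses are constructed, not captured from any real site.

```python
"""Audit a response's security headers against the minimum set above.

Added example for this checklist, not the article's or WebSentry's code.
`headers` is a plain dict such as requests' response.headers or a copy from
DevTools; header names are matched case-insensitively.
"""
import re

ONE_YEAR = 31536000  # the max-age the checklist recommends, in seconds

# Referrer-Policy values that never leak a full cross-origin URL.
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) parsed from an HSTS value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for directive in directives:
        match = re.fullmatch(r"max-age=(\d+)", directive)
        if match:
            max_age = int(match.group(1))
    return max_age, "includesubdomains" in directives, "preload" in directives


def audit_headers(headers):
    """Return a list of findings; an empty list means the minimum set is present."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, include_subdomains, preload = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short: {max_age}")
        if not include_subdomains:
            findings.append("HSTS lacks includeSubDomains")
        if preload and (not include_subdomains or (max_age or 0) < ONE_YEAR):
            # The preload list rejects submissions without both of these.
            findings.append("HSTS preload requires includeSubDomains and a one-year max-age")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Either header stops clickjacking; CSP frame-ancestors wins when both exist.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    if xfo not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # Referrer-Policy may list fallbacks; the last recognised token wins.
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if referrer not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy weak or missing: {referrer or '(none)'}")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    return findings


# Constructed sample responses, not captured from any real site.
BEFORE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
AFTER = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, response_headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(response_headers) or ["ok"])
```

Run it against the headers you actually observe after deployment, not the ones in your config: a CDN or a plugin sitting in front of the origin can strip or override any of these.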
3. Content Security Policy
CSP is the header most developers skip because it's annoying to configure. Do it anyway. Output encoding in your templates is what stops XSS in the first place; CSP is the most effective backstop for the injection point you missed.
A starting CSP for a typical client site
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'
Start in report-only mode (Content-Security-Policy-Report-Only) for a week, then enforce. Add a report-uri or report-to directive pointing at an endpoint you collect, otherwise you only see the violations that happen in your own browser's console; expect whatever tags GTM loads (analytics, pixels) to show up there and need their own script-src and connect-src entries. Two directives are ignored in report-only mode, frame-ancestors and sandbox, so test those separately once you enforce. Avoid 'unsafe-inline' on scripts; use nonces or hashes for the few inline scripts you can't remove, and note that once a nonce or hash appears in script-src, browsers ignore 'unsafe-inline' in that directive anyway.
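Added example, not the article's or WebSentry's code: a small CSP parser and linter in Python that flags the mistakes the report-only phase tends to surface ('unsafe-inline' in effect on scripts, wildcard sources, directives that do not inherit from default-src), plus a builder for a nonce-based variant of the policy above. The host names are the ones in the policy; the lint rules are my own and deliberately strict, and the weak policy is constructed for contrast.

```python
"""Parse, lint and build Content-Security-Policy values.

Added example, not the article's or WebSentry's code. The lint rules are the
ones I apply before enforcing a policy; the policy text is the one above.
"""
import secrets

# Directives that do NOT fall back to default-src when absent, so a policy
# that omits them is wide open for that behaviour.
NON_INHERITING = ("base-uri", "frame-ancestors", "form-action")

# Source expressions that make script-src pointless.
OVERLY_BROAD_SCRIPT_SOURCES = {"*", "https:", "http:", "data:"}


def parse_csp(policy):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}; directive names lower-cased."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_sources(directives, name):
    """Sources that apply to `name`, honouring the default-src fallback.
    Returns None when nothing restricts that behaviour at all."""
    if name in directives:
        return directives[name]
    if name in NON_INHERITING:
        return None
    return directives.get("default-src")


def lint_csp(policy):
    """Return findings for the policy; an empty list means it passes these rules."""
    directives = parse_csp(policy)
    findings = []

    script = effective_sources(directives, "script-src")
    if script is None:
        findings.append("no script-src and no default-src: scripts are unrestricted")
    else:
        nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
        )
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so only flag it when it is actually in effect.
        if "'unsafe-inline'" in script and not nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': inline XSS is not blocked")
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval'")
        for source in script:
            if source in OVERLY_BROAD_SCRIPT_SOURCES:
                findings.append(f"script-src allows overly broad source {source}")

    if effective_sources(directives, "object-src") is None:
        findings.append("object-src unrestricted: set object-src 'none' or a default-src")

    for name in NON_INHERITING:
        if effective_sources(directives, name) is None:
            findings.append(f"{name} not set (it does not inherit from default-src)")

    return findings


def new_nonce():
    """128 random bits, base64url, so it is valid in both the header and the attribute."""
    return secrets.token_urlsafe(16)


def nonce_policy(nonce, extra_script_hosts=("https://www.googletagmanager.com",)):
    """The policy above with a per-response nonce for the inline scripts.
    Generate a fresh nonce for every HTML response and put the same value on
    each inline <script nonce="..."> tag; a reused nonce is no protection."""
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *extra_script_hosts])
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "style-src 'self' 'unsafe-inline'; "
        "img-src 'self' data: https:; "
        "font-src 'self' https://fonts.gstatic.com; "
        "connect-src 'self'; "
        "object-src 'none'; "
        "frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
    )


# The article's starting policy, and a constructed bad one for contrast.
ARTICLE_POLICY = (
    "default-src 'self'; script-src 'self' https://www.googletagmanager.com; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
    "font-src 'self' https://fonts.gstatic.com; connect-src 'self'; "
    "frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
)
WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'"

if __name__ == "__main__":
    print("article:", lint_csp(ARTICLE_POLICY) or ["ok"])
    print("weak:", lint_csp(WEAK_POLICY))
    print("nonce:", nonce_policy(new_nonce()))
```

The nonce has to be minted per response and injected into the template, which is why nonce_policy takes it as an argument rather than generating it: a nonce baked into a static config file is equivalent to 'unsafe-inline'.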
4. Cookies and Session Handling
Cookie flags are still missed in half the sites I audit. Every cookie you set should have:
- Secure: only sent over HTTPS
- HttpOnly: inaccessible to JavaScript (for session cookies)
- SameSite=Lax or Strict: CSRF protection. Set it explicitly rather than relying on Chrome's Lax default, and remember that Lax still sends the cookie on top-level GET navigations, so any state-changing GET endpoint stays exposed.
If you're using WordPress, Laravel, or any framework, check the actual headers in DevTools rather than trusting the docs. Plugins and middleware often override defaults.
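Added example, not from the article: a Python audit of Set-Cookie headers for exactly these flags, meant to be fed the values you copy out of DevTools. It also checks the __Host- prefix, which is a cheap way to make the Secure and Path rules self-enforcing. The three sample headers are constructed, not taken from any framework's real output.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite flags.

Added example, not from the article. Feed it the Set-Cookie values exactly
as they appear in DevTools > Network > Response Headers, which is the point
of the section above: check what is actually sent, not what the docs say.
"""


def parse_set_cookie(header):
    """Return (name, value, attrs); attrs keys lower-cased, bare flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), value, attrs


def audit_cookie(header, session_cookie=True):
    """Findings for one Set-Cookie header. session_cookie=False relaxes the
    HttpOnly rule for cookies JavaScript legitimately needs (e.g. a CSRF token
    read by the front end)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []

    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (will be sent over plain HTTP)")
    if session_cookie and "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")

    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # Cross-site cookies must be Secure; browsers drop SameSite=None otherwise.
        msg = f"{name}: SameSite=None gives no CSRF protection"
        if "secure" not in attrs:
            msg += " and is rejected by browsers without Secure"
        findings.append(msg)
    elif samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not set; do not rely on browser defaults")

    # __Host- prefixed cookies are only accepted with Secure, Path=/ and no Domain.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")

    return findings


def audit_response_cookies(set_cookie_headers, non_session=()):
    """Audit every Set-Cookie header on a response; names in `non_session`
    are allowed to skip HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name = parse_set_cookie(header)[0]
        findings += audit_cookie(header, session_cookie=name not in non_session)
    return findings


# Constructed samples: a typical framework default, the hardened version,
# and a third-party style cookie that gets SameSite=None wrong.
DEFAULT_SESSION = "sessionid=abc123; Path=/; HttpOnly"
HARDENED_SESSION = "__Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
BROKEN_TRACKER = "tracker=xyz; Path=/; SameSite=None"

if __name__ == "__main__":
    for header in (DEFAULT_SESSION, HARDENED_SESSION, BROKEN_TRACKER):
        print(header, "->", audit_cookie(header) or ["ok"])
```

Pass the names of cookies your front end really reads (a CSRF token, a locale preference) in non_session; everything else should be HttpOnly, and a long list there is itself a finding.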
5. DNS and Email Authentication
DNS is the layer freelancers forget because "the client manages it." Push back. If their domain gets spoofed in a phishing campaign, you'll be the one explaining.
- SPF record listing legitimate mail senders, ending in -all (or ~all while you are still confirming every sender) and staying under the 10 DNS-lookup limit, beyond which receivers return a permanent error
- DKIM signing enabled at the mail provider
- DMARC policy, at minimum v=DMARC1; p=quarantine; rua=mailto:dmarc@client.com. If nobody is sure the SPF and DKIM records cover every legitimate sender yet, publish p=none first and read the aggregate reports for a couple of weeks before tightening, or the client's own newsletters will be the first thing quarantined.
- CAA record restricting which CAs can issue certs for the domain (for example 0 issue "letsencrypt.org" if that is all you use)
- DNSSEC where the registrar supports it
6. CORS: Don't Wildcard Production
CORS misconfigurations are everywhere. The two patterns that get sites in trouble:
- Access-Control-Allow-Origin: * on anything that isn't genuinely public data. Browsers refuse to pair * with Access-Control-Allow-Credentials: true, which is exactly why developers "fix" the resulting error by switching to the second pattern.
- Reflecting the request's Origin header back without an allowlist, usually together with Allow-Credentials: true. Any site the victim visits can then read authenticated API responses.
For any API endpoint, maintain an explicit allowlist of origins. If your client-side app only talks to its own backend, you probably don't need CORS headers at all.
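Added example, not from the article: the reflecting anti-pattern beside an exact-match allowlist, written as framework-agnostic Python functions that return the headers a handler should add. ALLOWED_ORIGINS is a constructed allowlist for a fictional client; the point the tests make is that suffix tricks and the null origin fall through an exact set lookup, and that the allowlisted path sends no CORS header at all to an origin it does not know.

```python
"""Origin handling for CORS: the reflecting anti-pattern beside an allowlist.

Added example, not from the article. Framework-agnostic: each function returns
the response headers to add, so it drops into any handler or middleware.
`ALLOWED_ORIGINS` is a constructed allowlist for a fictional client.
"""

ALLOWED_ORIGINS = frozenset({
    "https://app.client.example",
    "https://admin.client.example",
})


def cors_reflecting(request_origin):
    """ANTI-PATTERN from the list above: echoes whatever Origin the browser sent
    and allows credentials, so any page the victim visits can read
    authenticated API responses. Kept here only for contrast."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_allowlisted(request_origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """Exact match on the full origin (scheme + host + port).

    Substring or suffix checks are the usual way allowlists go wrong:
    'https://client.example.attacker.example' ends with the client's host,
    and the literal string 'null' (sandboxed iframes, file://) is an origin
    an attacker can obtain. Neither passes an exact set lookup."""
    if request_origin is None or request_origin not in allowed:
        return {}  # not a cross-origin caller we serve: send no ACAO header at all
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # caches must not replay one origin's answer to another
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_public():
    """Only for genuinely public, unauthenticated data: '*' and nothing else.
    Browsers refuse to pair '*' with credentials, so this never exposes cookies."""
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    for origin in ("https://app.client.example", "https://attacker.example", "null", None):
        print(origin, "reflecting ->", cors_reflecting(origin))
        print(origin, "allowlist  ->", cors_allowlisted(origin))
```

Keep the allowlist in configuration, not scattered through handlers, and remember the scheme is part of the origin: http://app.client.example is a different origin from the https one and should not be on the list.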
7. Authentication and Admin Surfaces
- Force strong passwords and enable 2FA on any admin login (WordPress, Ghost, custom dashboards); require it for administrator roles rather than leaving it opt-in.
- Rename or rate-limit the /wp-admin, /admin and /login paths. Renaming only buys obscurity; rate-limiting, with a lockout after repeated failures, is the control that matters.
- Disable XML-RPC on WordPress unless explicitly needed; its multicall method lets an attacker try many passwords in a single request, sidestepping a login rate limit.
- Lock down file upload endpoints: validate the file's actual content server-side (magic bytes, and re-encode images where you can), not the extension or the client-supplied Content-Type; store uploads outside the web root; and serve them with X-Content-Type-Options: nosniff.
- Set up fail2ban or equivalent on any SSH access, and use key-based authentication with password login disabled.
8. Dependencies and Supply Chain
Known vulnerabilities in outdated dependencies are exploited far more often than zero-days. Make this part of your handover:
- Run npm audit, composer audit, or equivalent before deployment.
- Pin versions in lockfiles, commit them, and install from the lockfile in deployment (npm ci rather than npm install, composer install rather than composer update) so production runs exactly what you audited.
- Document the update cadence — monthly minor versions, immediate patches for critical CVEs.
- If the client is on a maintenance retainer, schedule quarterly dependency reviews.
9. Backups and Recovery
Security isn't only prevention. Assume something will go wrong:
- Automated daily database backups, stored off the production server
- Weekly full-site backups with at least 30 days of retention
- A documented restore process you've actually tested
- Version control for all code, even quick client tweaks
10. The Handover Document
The thing that separates a freelancer from a professional studio is documentation. For every project, produce a one-page security summary covering:
- SSL configuration and renewal process
- Headers and CSP in place
- Where the admin credentials live (a shared password manager, never the document itself) and the 2FA setup
- Backup location and restore steps
- Dependency update plan
- An expiry date for the security review (six months is reasonable)
This document does two things: it protects you legally, and it justifies a maintenance retainer when the review date arrives.
Running the Final Check
Before you mark a project complete, run an automated scan. WebSentry gives you an A–F grade across SSL, headers, CSP, cookies, DNS, and CORS in under a minute — exactly the categories in this checklist. If anything below a B comes back, fix it before you invoice.
You can run a free scan at websentry.dev and attach the report to your handover. Clients love a tangible grade, and it gives you proof that the site shipped secure on day one.