The Security Handoff Checklist Every Freelancer Should Ship

When a freelance project wraps up, most clients get a Figma file, some logins, and a cheerful invoice. What they rarely get — and what increasingly separates senior freelancers from cheap competition — is a proper security handoff. A site that launches with an A on SSL and a missing Content-Security-Policy is a ticking liability, and the freelancer's name is on it.

Below is the set of website security deliverables for freelance projects that I'd treat as non-negotiable on any build over $2,000. Most take under an hour to produce, and they dramatically reduce the chance of a 2am email six months after launch.

Why security belongs in your scope of work

Clients don't ask for security because they don't know to ask. That's not a reason to skip it — it's a reason to bake it into your standard scope. Two practical benefits:

• Liability shield. If a breach happens, documented deliverables prove you did due diligence.
• Upsell hook. A "Security & Hardening" line item at $300–$800 is rarely refused once you explain what's in it.

Put it in the proposal. Even a single line — "Includes security baseline configuration and post-launch scan report" — sets the expectation that this is part of professional work.

The core deliverables checklist

Here's the list I run through before signing off any project. Each item is a concrete artifact you can hand the client, not a vague promise.

1. SSL/TLS configuration report

The certificate working in a browser isn't enough. Check and document:

• TLS version (1.2 minimum, 1.3 preferred)
• Certificate expiry date and auto-renewal status
• HSTS header presence and max-age value
• Redirect chain from http:// to https:// with no mixed content

Deliverable: a one-page PDF or Notion doc with the SSL Labs grade screenshot and notes on what's configured.

2. Security headers audit

This is where most sites quietly fail. The headers you should explicitly set or justify omitting:

• Strict-Transport-Security
• Content-Security-Policy
• X-Frame-Options or frame-ancestors in CSP
• X-Content-Type-Options: nosniff
• Referrer-Policy
• Permissions-Policy

A scan with WebSentry gives you a graded breakdown of each header with the exact directive that's missing — paste the report into the handoff doc and you're done in two minutes.

3. Content-Security-Policy worth shipping

A CSP of default-src 'self' breaks every site that uses Google Fonts, Stripe, or analytics. A CSP of default-src * is theatre. The deliverable here is a tested policy that reflects the site's actual third-party dependencies.

1. List every external domain the site loads (fonts, scripts, images, iframes, analytics).
2. Start in Content-Security-Policy-Report-Only mode for a week.
3. Review violations, tighten, then switch to enforcing.

Hand over the final policy as a code snippet the client (or their next developer) can paste into Nginx, Cloudflare, or their framework config.

4. Cookie inventory

For any site touching EU or California users, you need a cookie list with:

• Cookie name, purpose, duration
• Secure, HttpOnly, and SameSite flags
• Whether it's strictly necessary or requires consent

This doubles as the source for the cookie banner config, so it's not wasted work.

5. DNS and email security records

If the client uses the domain for email — even just contact forms — missing records get their messages flagged as spam and let attackers spoof them. Verify and document:

• SPF — single record, lists all sending sources
• DKIM — set up for each sending service
• DMARC — at minimum p=none with a reporting address, ideally p=quarantine
• CAA — restricts which CAs can issue certs for the domain

6. CORS configuration notes

If the site has an API or fetches from one, document the allowed origins. A wildcard Access-Control-Allow-Origin: * combined with credentials is a vulnerability — flag it, fix it, note it.

7. Admin and access hygiene

Before handover:

• Remove your own admin accounts (or move to a documented "maintenance" account the client can disable)
• Force password reset for any shared credentials
• Enable 2FA on the CMS, host, registrar, and email
• Document where each credential lives (1Password, Bitwarden, etc.)

8. Backup and recovery documentation

A backup nobody knows how to restore isn't a backup. Deliver:

• Where backups are stored
• How often they run
• A written restore procedure — even three bullet points is fine

The post-launch scan report

The single most useful deliverable — and the one clients remember — is a graded scan report dated to the launch day. Run a full scan, export it, and attach it to the final invoice email.

This does three things:

1. Proves the site launched in good shape
2. Gives the client a benchmark to compare against later
3. Justifies an optional retainer for monthly re-scans

WebSentry's A–F grade across SSL, headers, CSP, cookies, DNS, and CORS makes this trivial to produce — the report is essentially the deliverable, no manual formatting needed.

Pricing and packaging

Three ways I've seen freelancers package this:

• Baked in — included in every build, no line item. Simplest, but you absorb the time.
• Add-on — $300–$800 "Security Hardening & Handoff" line item. Most clients accept it when itemised.
• Retainer — $50–$150/month for monthly scans and header updates as the site evolves. Works well for agencies managing 10+ client sites.

The handoff document template

Compile everything into one document with these sections:

1. Site overview (URL, stack, hosting)
2. SSL/TLS status
3. Security headers configured
4. CSP policy (annotated)
5. Cookie inventory
6. DNS records (SPF/DKIM/DMARC/CAA)
7. Access credentials and 2FA status
8. Backup location and restore steps
9. Launch-day scan report
10. Recommended re-scan cadence

Save it as a template once and you'll reuse 80% of it on every project.

If you want a fast way to generate the scan portion of this handoff, run the client's site through a free scan at websentry.dev — you'll get the A–F breakdown across every category above in about thirty seconds, ready to drop straight into your handoff doc.