
Website Security Checklist: 15 Things to Check Before Launch

WebSentry Team · 10 min read

The Complete Pre-Launch Security Checklist

Launching a website without proper security is like building a house without locking the doors. Use this checklist to make sure your site is hardened before it goes live.

SSL/TLS Configuration

  • Valid SSL certificate installed — Use a trusted CA or free certs from Let's Encrypt
  • HTTP to HTTPS redirect — All HTTP requests 301-redirect to HTTPS
  • HSTS header enabled — With max-age of at least 1 year
  • TLS 1.2+ only — Disable TLS 1.0 and 1.1, which have known vulnerabilities
  • Strong cipher suites — Disable weak ciphers like RC4, DES, and 3DES

Security Headers

  • Content-Security-Policy — Restricts resource loading to prevent XSS
  • X-Content-Type-Options: nosniff — Prevents MIME type sniffing
  • X-Frame-Options: DENY — Prevents clickjacking
  • Referrer-Policy — Controls referrer data leakage
  • Permissions-Policy — Restricts access to browser APIs

Authentication & Session Management

  • Secure password hashing — Use bcrypt, scrypt, or Argon2 (never MD5/SHA1)
  • Session cookies are HttpOnly and Secure — Prevent JavaScript access and ensure HTTPS transmission
  • CSRF protection — Use anti-CSRF tokens on all forms
  • Rate limiting on login — Prevent brute-force attacks
  • Account lockout policy — Lock accounts after repeated failed attempts

Input Validation & Data Protection

  • All user input is validated and sanitized — Server-side, never just client-side
  • Parameterized database queries — Prevent SQL injection
  • File upload restrictions — Validate type, size, and scan for malware
  • Sensitive data encrypted at rest — Encrypt PII and credentials in your database

Server & Infrastructure

  • Server software version hidden — Remove X-Powered-By and Server headers
  • Directory listing disabled — Prevent browsing your file structure
  • Debug mode disabled — No stack traces or error details in production
  • Backup strategy in place — Regular automated backups stored off-site
  • DDoS protection — Use a CDN like Cloudflare for DDoS mitigation
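The header, cookie and server-banner items from the lists above can be verified mechanically against a captured response. The following is an added example, not WebSentry's scanner; the two header sets it inspects are constructed, not captured from a real site.

```python
"""Audit a captured HTTP response against the header items of the checklist."""
import re

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age the checklist asks for


def check_security_headers(headers: dict[str, list[str]]) -> dict[str, bool]:
    """Return a pass/fail map. `headers` maps header names to the list of
    values received (Set-Cookie can legitimately appear more than once)."""
    h = {k.lower(): v for k, v in headers.items()}

    def first(name: str) -> str:
        return (h.get(name) or [""])[0].strip()

    # HSTS must be present and carry a max-age of at least one year
    m = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    hsts_ok = bool(m) and int(m.group(1)) >= ONE_YEAR

    # Every cookie the server sets must be both HttpOnly and Secure
    cookies = h.get("set-cookie", [])
    cookies_ok = bool(cookies) and all(
        "httponly" in c.lower() and "secure" in c.lower() for c in cookies)

    return {
        "hsts": hsts_ok,
        "csp": bool(first("content-security-policy")),
        "nosniff": first("x-content-type-options").lower() == "nosniff",
        "frame_options": first("x-frame-options").upper() in ("DENY", "SAMEORIGIN"),
        "referrer_policy": bool(first("referrer-policy")),
        "permissions_policy": bool(first("permissions-policy")),
        # Checklist asks for the version-revealing headers to be removed entirely
        "server_version_hidden": "server" not in h and "x-powered-by" not in h,
        "cookies_hardened": cookies_ok,
    }


def failed_items(headers: dict[str, list[str]]) -> list[str]:
    """Names of the checklist items the response fails, sorted for stable output."""
    return sorted(k for k, ok in check_security_headers(headers).items() if not ok)


# Constructed sample responses: a typical default install and a hardened one
WEAK_RESPONSE = {
    "Server": ["Apache/2.4.41 (Ubuntu)"],
    "X-Powered-By": ["PHP/7.4.3"],
    "Strict-Transport-Security": ["max-age=86400"],  # one day, too short
    "Set-Cookie": ["session=abc123; Path=/"],         # neither HttpOnly nor Secure
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'"],
    "X-Content-Type-Options": ["nosniff"],
    "X-Frame-Options": ["DENY"],
    "Referrer-Policy": ["strict-origin-when-cross-origin"],
    "Permissions-Policy": ["camera=(), microphone=(), geolocation=()"],
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: failed {failed_items(resp) or 'none'}")
```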

DNS Configuration

  • DNSSEC enabled — Prevents DNS spoofing attacks
  • CAA records set — Restricts which CAs can issue certificates for your domain
  • SPF, DKIM, and DMARC for email — Prevents email spoofing

Automate Your Security Checks

Manually checking all of this is tedious. WebSentry automates the process — scan any URL and get an instant security grade covering SSL, headers, cookies, DNS, and server configuration.

Set up scheduled monitoring to automatically re-scan your sites and get alerted when your security grade drops.
