Free 50-Point Security Audit Checklist

What's Inside the Checklist

• CSP headers configured correctly
• HSTS header present with max-age ≥ 1 year
• X-Frame-Options set to DENY/SAMEORIGIN
• X-Content-Type-Options: nosniff
• Referrer-Policy configured
• Permissions-Policy implemented
• All cookies have Secure + HttpOnly flags
• SameSite cookie attribute set
• SQL injection tested on all inputs
• XSS reflected/stored/DOM tested
• CSRF tokens on state-changing requests
• Rate limiting on login endpoints
• Account lockout after 5 failed attempts
• MFA available for all users
• Password minimum length ≥ 8 characters
• Password complexity rules enforced
• TLS 1.2+ only, weak ciphers disabled
• SSL certificate valid and trusted
• HTTP → HTTPS redirect enforced
• Directory listing disabled
• No default credentials in use
• Error messages don't leak stack traces
• File upload validates type + size
• CORS configured restrictively
• API authentication on all endpoints
• PII not logged or exposed in responses
• Data retention policy documented
• Consent mechanism present (DPDP)
• Data deletion workflow exists
• Privacy policy linked on every page
• Grievance officer details published
• SRI hashes on third-party scripts
• NPM dependencies audited (no CVEs)
• Container images scanned for vulns
• CI/CD pipeline uses signed commits
• Server-side input validation on all APIs
• Output encoding to prevent XSS
• Parameterized queries / ORM for DB
• Session timeout after 30 minutes idle
• JWT tokens with expiry + refresh flow
• No secrets in client-side code
• Firewall blocks unnecessary ports
• DDoS protection enabled (Cloudflare/WAF)
• Database backups encrypted
• Audit logging for all auth events
• Monitoring alerts configured
• Incident response plan documented
• Third-party integrations reviewed
• Payment gateway VAPT completed
• Cross-browser testing done