Website Security Checklist
Server & Infrastructure
- HTTPS with valid SSL certificate
- Firewall configured and active
- Regular backups (daily, stored offsite)
- Server software updated to latest versions
- SSH keys instead of passwords for server access
Application Security
- Input validation on all user inputs
- SQL injection prevention (parameterized queries)
- XSS protection (output encoding)
- CSRF tokens on all forms
- Rate limiting on login and API endpoints
- Secure headers (CSP, X-Frame-Options, HSTS)
Authentication
- Strong password requirements enforced
- Password hashing (bcrypt, not MD5/SHA)
- Account lockout after failed attempts
- Two-factor authentication for admin accounts
- Session management with secure cookies
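The rate-limiting item above (login and API endpoints) and the account-lockout item are two separate controls that a login handler should combine. The following is an added example in Node.js (not part of this checklist): a sliding-window limiter keyed by client IP plus a per-account lockout counter, wired into one login gate. Class names, the thresholds, and the `passwordOk` flag standing in for the bcrypt comparison are assumptions.

```javascript
// Sliding-window rate limiter: at most `limit` requests per `windowMs` for each key
// (client IP, API token, ...). `now` is injectable so the logic can be tested offline.
class SlidingWindowLimiter {
  // hits: key -> request timestamps (ms) still inside the window
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.hits = new Map(); }
  check(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter((t) => t > now - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // the oldest hit still in the window decides when the next request may pass
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Account lockout: `maxFailures` consecutive failed logins lock the account for `lockMs`.
class LockoutTracker {
  // state: username -> { failures, lockedUntil }
  constructor(maxFailures, lockMs) { this.maxFailures = maxFailures; this.lockMs = lockMs; this.state = new Map(); }
  isLocked(user, now = Date.now()) {
    const s = this.state.get(user);
    return s !== undefined && s.lockedUntil > now;
  }
  recordFailure(user, now = Date.now()) {
    const s = this.state.get(user) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.lockedUntil = now + this.lockMs;
      s.failures = 0; // the counter restarts once the lock expires
    }
    this.state.set(user, s);
  }
  recordSuccess(user) { this.state.delete(user); }
}

// Login gate: throttle by client IP first, then refuse locked accounts before the
// password is checked. `passwordOk` stands in for the real bcrypt comparison (assumption).
function loginAttempt({ ip, user, passwordOk }, limiter, lockout, now = Date.now()) {
  const rl = limiter.check(ip, now);
  if (!rl.allowed) return { status: 429, retryAfterMs: rl.retryAfterMs };
  if (lockout.isLocked(user, now)) return { status: 423 };
  if (!passwordOk) { lockout.recordFailure(user, now); return { status: 401 }; }
  lockout.recordSuccess(user);
  return { status: 200 };
}
```

In a real deployment the maps would live in a shared store (e.g. Redis) so the limits hold across application instances, and the 429 response should carry a `Retry-After` header derived from `retryAfterMs`.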
Data Protection
- Encrypt sensitive data at rest
- Minimal data collection (only what you need)
- Regular data cleanup of old records
- Access controls - least privilege principle
- GDPR/privacy compliance if applicable
Monitoring
- Error logging and alerting
- Uptime monitoring (UptimeRobot, Pingdom)
- Security scanning (monthly)
- Dependency auditing (npm audit)
Build a secure website with security best practices built in.