Website Security Audit Checklist: SSL, DNS, Headers, and Secrets

Published December 8, 2025 · 7 min read

Website Security Audit Checklist

Use this short checklist to cover the core surfaces before incidents reach users.

SSL and HTTPS

Check expiry and issuer with at least 30 days of buffer
Confirm SAN coverage for apex and www
Enforce HTTPS redirects for root and deep links

DNS Health

SPF lists only trusted senders and stays under 10 lookups
DKIM selectors are present and aligned
DMARC policy is at least quarantine in production
DNSSEC and CAA are enabled
MX records point to live hosts with TLS

Security Headers

HSTS with includeSubDomains when ready
CSP restricts scripts to trusted origins
X-Frame-Options or frame-ancestors to block clickjacking
X-Content-Type-Options, Referrer-Policy, and Permissions-Policy set

Reputation and Blacklists

Check Spamhaus, SURBL, URIBL, SpamCop, and URLhaus
Resolve and scan IPs tied to your domain

Exposed Secrets and API Docs Risks

Scan public JS for keys and tokens
Review docs and debug paths on your own systems, like /swagger and /graphql

Run it all at once: The DomainOptic audit bundles SSL, DNS, headers, blacklist, and secret checks in a single scan. Ghost API Hunter is disabled until domain ownership verification and paid access are available. Run full security audit → Run a security audit