The Website Security Checklist Every Business Needs in 2026

Most websites are insecure not because security is hard, but because nobody made a checklist. These twenty-three items prevent 95% of real-world attacks. None of them require a security specialist — your developer should be doing all of them already.

Authentication and sessions

1. Passwords hashed with bcrypt or argon2 (never MD5/SHA1).
2. Rate limiting on login endpoint (5 attempts per minute).
3. 2FA available, mandatory for admin accounts.
4. Session cookies HttpOnly, Secure, SameSite=Lax.
5. Sessions invalidated on password change and logout.
6. Password reset tokens expire in 30 minutes.

Input validation

7. All user input validated server-side (client validation is UX, not security).
8. SQL injection prevented via parameterized queries / Eloquent / Prisma.
9. XSS prevented via proper output encoding.
10. CSRF tokens on all state-changing requests.
11. File uploads scanned, type-checked, size-limited, stored outside web root.

Transport and storage

12. HTTPS everywhere with HSTS preload.
13. TLS 1.2 minimum (1.3 preferred).
14. Sensitive data encrypted at rest.
15. Secrets in environment variables, never in code.
16. Database backups encrypted and tested quarterly.

Headers and policies

17. Content-Security-Policy header configured.
18. X-Content-Type-Options: nosniff.
19. X-Frame-Options: SAMEORIGIN.
20. Referrer-Policy: strict-origin-when-cross-origin.

Operational

21. Dependencies updated monthly. Use Dependabot or Renovate.
22. Logs structured and shipped to a separate system (logs are evidence in a breach).
23. Incident response plan written before you need it.

If your site fails any of these, book a security review. I deliver a written report with prioritized fixes within 1 week.