Most businesses treat security audits like oil changes — something you do once a year because someone said you should. The result is a PDF full of scanner output that nobody reads and nothing changes.
A real audit is adversarial. You're asking: "If I wanted to break this, how would I do it?" Here's the checklist we use internally.
Authentication & Session Management
Start here because it's where most breaches begin.
- Password policies: Are you enforcing complexity, or just minimum length? Length matters more than complexity — a 16-character passphrase beats an 8-character symbol soup every time.
- Session tokens: Are they rotated after login? Do they expire? Can they be reused after logout? Test by capturing a token, logging out, and replaying it.
- MFA implementation: If you have it, test bypass scenarios. SMS-based MFA is better than nothing but vulnerable to SIM swapping. TOTP or WebAuthn is stronger.
- Rate limiting on login: Can an attacker spray credentials at your login endpoint without getting blocked? If there's no lockout or exponential backoff, you have a problem.
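As an added example (not code from the original post), a minimal per-key login throttle that implements the exponential backoff and lockout the item above calls for, together with a constructed spray scenario showing how few guesses actually reach the password check. The delay values, thresholds and the account name are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class LoginThrottle:
    """Exponential backoff per key (account or source address) with a hard lockout.

    Assumed policy: the first failure costs `base_delay` seconds, each further
    failure doubles it up to `max_delay`; at `lockout_after` failures the key is
    locked for `lockout_seconds`. `clock` is injectable so tests run offline.
    """
    base_delay: float = 1.0
    max_delay: float = 300.0
    lockout_after: int = 10
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.monotonic
    _state: dict[str, tuple[int, float]] = field(default_factory=dict, init=False, repr=False)

    def allowed(self, key: str) -> tuple[bool, float]:
        """Return (allowed, seconds the caller must still wait) for an attempt now."""
        _, not_before = self._state.get(key, (0, 0.0))
        wait = not_before - self.clock()
        return (wait <= 0, max(wait, 0.0))

    def record_failure(self, key: str) -> float:
        """Count a failed attempt and return the delay now imposed on the key."""
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= self.lockout_after:
            delay = self.lockout_seconds
        else:
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[key] = (failures, self.clock() + delay)
        return delay

    def record_success(self, key: str) -> None:
        """A correct password clears the backoff state for that key."""
        self._state.pop(key, None)


def simulate_spray(attempts: int, interval: float, throttle: LoginThrottle) -> int:
    """Constructed scenario: wrong passwords against one account every `interval`
    seconds. Returns how many attempts reached the password check at all."""
    fake_now = [0.0]
    throttle.clock = lambda: fake_now[0]  # drive time by hand, no sleeping
    reached = 0
    for _ in range(attempts):
        ok, _ = throttle.allowed("alice@example.test")  # constructed account
        if ok:
            reached += 1
            throttle.record_failure("alice@example.test")
        fake_now[0] += interval
    return reached
```

Key the throttle on both the account and the source address: per-account backoff alone does not slow one password being tried across many accounts, which is what a spray usually looks like.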
Input Validation & Injection
Automated scanners catch the obvious stuff. Manual testing catches what matters.
- SQL injection: Test every form field, URL parameter, and API endpoint. Use single quotes, UNION SELECT statements, and time-based blind injection payloads. If your ORM handles parameterization, verify it actually does — don't assume.
- XSS (Cross-Site Scripting): Reflected, stored, and DOM-based. Test user-controlled output everywhere: profile fields, comments, search results, error messages. CSP headers reduce impact but don't eliminate the vulnerability.
- Command injection: If your application calls system commands, test for shell metacharacters in every input that touches those paths.
- Path traversal: Can you access files outside the intended directory? Test with ../ sequences in file upload and download endpoints.
API Security
Your API is your attack surface. Treat it accordingly.
- Authentication on every endpoint: Don't assume the frontend will only call authorized endpoints. Test each API route directly with cURL or Burp Suite.
- Broken Object Level Authorization (BOLA): Can user A access user B's data by changing an ID in the request? This is the #1 API vulnerability and scanners rarely catch it.
- Rate limiting: Can someone enumerate your entire user base through your API? If there's no rate limit on search or listing endpoints, the answer is yes.
- Error messages: Do your API errors leak implementation details? Stack traces, database names, or internal IPs in error responses are free reconnaissance for an attacker.
Infrastructure
The application might be solid, but the infrastructure underneath it can undermine everything.
- TLS configuration: Check for outdated protocols (TLS 1.0/1.1), weak cipher suites, and certificate chain issues. Use testssl.sh for a thorough check.
- HTTP security headers: X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, Strict-Transport-Security. Missing headers are low-hanging fruit.
- DNS configuration: SPF, DKIM, and DMARC for email security. DNSSEC if your registrar supports it. CAA records to restrict certificate issuance.
- Exposed services: Run a port scan against your production infrastructure. Every open port is an attack surface. If you're running Redis, Elasticsearch, or a database on a public interface, fix that immediately.
What Scanners Miss
Automated tools are useful for coverage but they fundamentally can't test business logic. They won't find:
- Authorization bypasses that require understanding your role model
- Race conditions in payment or inventory systems
- Logic flaws in multi-step workflows
- Chained vulnerabilities where each individual finding is low severity but together they're critical
When to Run This
Quarterly is ideal. After every major release is minimum. If you're deploying continuously and not testing continuously, you're accumulating risk faster than you realize.
The checklist above isn't exhaustive, but it covers what we see missed most often. If you want a professional assessment, get in touch.