Web Security Checklist for Developers
Why Web Security Cannot Be an Afterthought
Every web application is a target. Automated bots scan the internet 24/7 looking for vulnerabilities to exploit. SQL injection, cross-site scripting (XSS), broken authentication, and data exposure are not theoretical risks; they are daily occurrences that affect applications of all sizes. This checklist covers the most important security measures every web developer should implement.
HTTPS and Transport Security
- Use HTTPS everywhere: Every page, every API endpoint, every resource. There is no valid reason to serve anything over plain HTTP in 2025. Free certificates from Let's Encrypt make cost a non-issue.
- Redirect HTTP to HTTPS: Configure your server to 301-redirect all HTTP requests to HTTPS.
- Enable HSTS: The `Strict-Transport-Security` header tells browsers to always use HTTPS, preventing downgrade attacks.
- Check your SSL configuration: Use the SSL Checker to verify your certificate is valid, not expired, and properly configured.
- Use strong TLS versions: Disable TLS 1.0 and 1.1. Only allow TLS 1.2 and 1.3.
Security Headers
HTTP security headers are your first line of defense against many attacks. Add these to every response:
- Content-Security-Policy (CSP): Controls which resources the browser is allowed to load. Prevents XSS by restricting inline scripts and specifying allowed script sources
- X-Content-Type-Options: Set to `nosniff` to prevent MIME type sniffing.
- X-Frame-Options: Set to `DENY` or `SAMEORIGIN` to prevent clickjacking.
- Referrer-Policy: Set to `strict-origin-when-cross-origin` to control what information is sent in the Referer header.
- Permissions-Policy: Restrict access to browser features like camera, microphone, and geolocation.
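The two sections above (transport security and security headers) in working code, as an added example that is not part of the original checklist: one function decides the HTTP-to-HTTPS redirect, one merges the recommended headers into a response (sending HSTS only over HTTPS, since browsers ignore it otherwise), and one audits an existing response for missing or weak values. The CSP sources, the six-month HSTS threshold and the hostnames are assumed values.

```python
# Added example (not from the original checklist): build the transport and
# security headers the list describes, and audit a response for weak or
# missing ones. Hostnames and the CSP sources are assumed values.
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 60 * 60

# The headers every response should carry, with reasonably strict defaults.
SECURITY_HEADERS = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    # Scripts only from our own origin, no inline scripts, no plugins, no framing.
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

WEAK_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin"}
MIN_HSTS_SECONDS = 180 * 24 * 60 * 60  # six months; treat anything shorter as weak (assumed threshold)


def redirect_to_https(scheme, url):
    """Return (status, headers) for a 301 to the HTTPS URL, or None if already HTTPS."""
    if scheme == "https":
        return None
    parts = urlsplit(url)
    target = urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
    return 301, {"Location": target}


def secure_headers(scheme, extra=None):
    """Merge the security headers into a response; HSTS is only sent over HTTPS."""
    headers = dict(extra or {})
    for name, value in SECURITY_HEADERS.items():
        if name == "Strict-Transport-Security" and scheme != "https":
            continue  # browsers ignore HSTS received over plain HTTP
        headers.setdefault(name, value)
    return headers


def _hsts_max_age(value):
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None


def audit_security_headers(headers):
    """Return human-readable findings for a response header mapping (case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in SECURITY_HEADERS:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    if "strict-transport-security" in h:
        max_age = _hsts_max_age(h["strict-transport-security"])
        if max_age is None or max_age < MIN_HSTS_SECONDS:
            findings.append("HSTS max-age below six months")
    if "unsafe-inline" in h.get("content-security-policy", ""):
        findings.append("CSP allows 'unsafe-inline'")
    if h.get("x-frame-options", "DENY").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if h.get("referrer-policy", "").lower() in WEAK_REFERRER_POLICIES:
        findings.append("Referrer-Policy leaks full URLs cross-origin")
    return findings


if __name__ == "__main__":
    print(redirect_to_https("http", "http://example.com/login?x=1"))
    print(audit_security_headers({"Strict-Transport-Security": "max-age=3600"}))
```

`audit_security_headers` is the check to run against a real response (for example the header dict from an HTTP client) before and after deploying the headers; an empty list means nothing on this checklist is missing or weakened.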
Authentication and Session Management
- Hash passwords properly: Use bcrypt, scrypt, or Argon2id. Never use MD5 or SHA-256 alone for password storage. Use the Hash Generator to understand the difference between hashing algorithms.
- Enforce strong passwords: Require minimum 12 characters. Use the Password Strength Checker logic as a reference for password policies.
- Implement rate limiting: Limit login attempts to prevent brute-force attacks (e.g., 5 attempts per minute per IP).
- Use secure session cookies: Set `HttpOnly`, `Secure`, `SameSite=Strict`, and an appropriate expiration.
- Implement CSRF protection: Use anti-CSRF tokens for all state-changing requests.
- Support 2FA: Offer TOTP-based two-factor authentication for sensitive accounts.
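The password, rate-limiting, session-cookie and CSRF items above in working code, as an added example that is not part of the original checklist. It uses only the Python standard library, so scrypt stands in for the three recommended KDFs (bcrypt and Argon2id need third-party packages). The scrypt cost parameters, the 5-per-minute limit, the cookie name and the one-hour lifetime are assumed values to tune for the deployment.

```python
# Added example (not from the original checklist): password storage, login
# rate limiting, session cookie attributes and CSRF tokens using only the
# Python standard library. Cost parameters and limits are assumed values.
import hashlib
import hmac
import os
import secrets
import time
from collections import deque

# scrypt is the one of the checklist's three recommended KDFs that ships in
# hashlib; 2**14/8/1 uses 16 MiB per hash (assumed starting point).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LENGTH = 12


def password_meets_policy(password):
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password):
    """Return a self-describing string: algorithm, parameters, salt and digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not in our format (e.g. a legacy MD5 entry)
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginRateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per key (e.g. client IP)."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._attempts = {}  # key -> deque of attempt timestamps

    def allow(self, key):
        now = self.clock()
        q = self._attempts.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def new_session_id():
    return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG


def session_cookie(session_id, max_age=3600):
    """Set-Cookie value with the attributes from the checklist."""
    return f"session={session_id}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict"


def new_csrf_token():
    return secrets.token_urlsafe(32)


def csrf_token_valid(submitted, stored):
    """Constant-time comparison; non-ASCII input would make compare_digest raise, so reject it first."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    return hmac.compare_digest(submitted, stored)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    print(session_cookie(new_session_id()))
```

The stored format carries its own parameters, so the cost can be raised later and old records re-hashed on next login; the limiter keys on whatever identifier the login handler passes in (the checklist's example is the client IP).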
Input Validation and Output Encoding
- Validate all input server-side: Client-side validation is for UX only. All input must be validated again on the server.
- Use parameterized queries: Never concatenate user input into SQL queries. Use prepared statements or an ORM to prevent SQL injection.
- Encode output: HTML-encode all user-generated content before rendering it in the browser. The HTML Entity Encoder demonstrates how special characters are encoded to prevent XSS.
- Validate file uploads: Check file types server-side (not just the extension), limit file sizes, and never serve uploaded files from the same domain.
- Sanitize Markdown and rich text: If you accept formatted content, use a whitelist-based sanitizer to remove dangerous HTML tags and attributes.
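Three of the checks above side by side, as an added example that is not part of the original checklist: a concatenated SQL query next to its parameterized form (run against an in-memory SQLite table so the difference is observable), HTML encoding of user content, and an upload validator that checks the file's leading bytes rather than trusting the extension. The sample users, the accepted image types and the size limit are constructed values.

```python
# Added example (not from the original checklist): the server-side checks
# from this section side by side. The database rows, the accepted image
# types and the upload size limit are constructed sample values.
import html
import sqlite3

MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Leading bytes that identify the file types we accept, checked regardless of extension.
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXTENSIONS = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}


def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, username):
    """VULNERABLE: the input is spliced into the SQL text and can change the query's logic."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Parameterized: the value travels separately from the SQL, so it can only ever be data."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def render_comment(text):
    """HTML-encode user content (including quotes) before placing it in the page body."""
    return f"<p>{html.escape(text, quote=True)}</p>"


def sniff_content_type(data):
    for magic, content_type in MAGIC_BYTES.items():
        if data.startswith(magic):
            return content_type
    return None


def validate_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (accepted, reason). The extension must be allowed AND match the actual content."""
    if len(data) > max_bytes:
        return False, "file too large"
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(extension)
    if expected is None:
        return False, "extension not allowed"
    actual = sniff_content_type(data)
    if actual != expected:
        return False, f"content is {actual or 'unknown'}, not {expected}"
    return True, "ok"


if __name__ == "__main__":
    db = make_sample_db()
    print("unsafe:", find_user_unsafe(db, "x' OR '1'='1"))  # returns every user
    print("safe:  ", find_user_safe(db, "x' OR '1'='1"))    # returns nothing
    print(render_comment('<script>alert("x")</script>'))
```

The same tautology string returns every row through the concatenated query and no rows through the parameterized one; that contrast is the whole reason for the "never concatenate" rule. For uploads, a real deployment would also store the file under a generated name and serve it from a separate origin, as the checklist says.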
API Security
- Authenticate every request: Use JWT tokens or API keys for all API endpoints. Validate tokens properly, including expiration and signature. Test your JWT handling with the JWT Decoder.
- Implement rate limiting: Protect APIs from abuse with request throttling per API key or IP.
- Use CORS correctly: Only allow specific origins, not `*`, in production. Configure allowed methods and headers explicitly.
- Validate request bodies: Use schema validation (JSON Schema, Zod, Joi) to reject malformed requests early.
- Version your API: Versioning lets you deprecate insecure endpoints without breaking existing clients.
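The token-validation and CORS items above in working code, as an added example that is not part of the original checklist: an HS256 JWT verifier that pins the algorithm (so a token claiming `none` or another algorithm is rejected), compares the signature in constant time and requires an unexpired `exp`, plus a CORS helper that only echoes origins from an explicit allow-list. The signing key, the allowed origin and the claims are constructed sample values; the `make_jwt_hs256` issuer exists only so the example is self-contained.

```python
# Added example (not from the original checklist): HS256 JWT verification
# that pins the algorithm, checks the signature in constant time and
# enforces expiry, plus an explicit CORS origin allow-list. The key and
# the allowed origin are constructed sample values.
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed: exact origins, never "*"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt_hs256(claims, key):
    """Issue a token (included so the example can verify something it made itself)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt_hs256(token, key, now=None):
    """Return the claims if the token is valid; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    # The server decides the algorithm; a token saying "none" or anything else is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def jwt_error(token, key, now=None):
    """Convenience wrapper: the rejection reason as a string, or None when the token is valid."""
    try:
        verify_jwt_hs256(token, key, now=now)
    except ValueError as exc:
        return str(exc)
    return None


def cors_headers(origin):
    """Echo the origin only if it is on the allow-list; otherwise send no CORS headers at all."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # caches must not reuse this response for another origin
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
    }


if __name__ == "__main__":
    key = b"constructed-sample-key-do-not-use"
    token = make_jwt_hs256({"sub": "user-42", "exp": int(time.time()) + 60}, key)
    print(verify_jwt_hs256(token, key))
    print(cors_headers("https://app.example.com"), cors_headers("https://other.example"))
```

The order of checks matters: the algorithm and signature are verified before any claim is trusted, and a missing `exp` is treated as invalid rather than as "never expires".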
Data Protection
- Encrypt sensitive data at rest: Database fields containing personal information, API keys, or tokens should be encrypted.
- Minimize data collection: Only collect and store data you actually need. The less data you have, the less damage a breach can cause.
- Implement proper logging: Log security-relevant events (failed logins, permission changes) but never log passwords, tokens, or personal data.
- Plan for breach response: Have a documented plan for what to do when (not if) a security incident occurs.
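The logging item above in working code, as an added example that is not part of the original checklist: a small structured security-event logger that records the events the list names (failed logins, permission changes) while redacting secrets both by field name and by shape, so a password or bearer token that lands in a free-text message is scrubbed too. The list of secret field names and the "32 or more token characters" pattern are assumed choices; the sample events are constructed.

```python
# Added example (not from the original checklist): a structured security-event
# logger that redacts secrets by field name and by shape. The field names and
# the token pattern are assumed choices; the events are constructed samples.
import json
import re
import time

# Field names whose values are never written, whatever they contain.
SECRET_FIELDS = {"password", "passwd", "new_password", "token", "access_token",
                 "refresh_token", "secret", "api_key", "authorization", "cookie", "set-cookie"}
# Long opaque strings inside free text (session ids, API keys, bearer tokens).
TOKEN_SHAPE = re.compile(r"[A-Za-z0-9_\-]{32,}")
REDACTED = "[REDACTED]"


def redact(value):
    """Recursively scrub dicts, lists and strings; other scalars pass through unchanged."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SECRET_FIELDS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return TOKEN_SHAPE.sub(REDACTED, value)
    return value


def security_event(event, ts=None, **fields):
    """Build one log record as a dict; everything in `fields` passes through redact()."""
    record = {"ts": time.time() if ts is None else ts, "event": event}
    record.update(redact(fields))
    return record


def security_event_line(event, **fields):
    """One JSON object per line, ready for a log shipper."""
    return json.dumps(security_event(event, **fields), sort_keys=True)


if __name__ == "__main__":
    print(security_event_line("login_failed", ip="203.0.113.5", username="alice", password="hunter2"))
    print(security_event_line("permission_change", actor="alice", target="bob", role="admin"))
```

Redacting at the point where the record is built, rather than in a downstream filter, means a new call site cannot accidentally bypass it; the field-name list should be extended with whatever the application calls its own secrets.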
Dependency Security
- Audit dependencies regularly: Run `npm audit` or `pip-audit` and fix vulnerabilities promptly.
- Pin dependency versions: Use lockfiles to ensure reproducible builds and prevent supply chain attacks.
- Monitor for CVEs: Use automated tools like Dependabot or Snyk to get alerts for known vulnerabilities in your dependencies.
- Minimize dependencies: Every dependency is a potential attack vector. Only use packages you truly need.
DNS and Domain Security
Verify your domain's DNS configuration regularly using the DNS Lookup tool. Check that MX records, SPF, and DKIM are properly configured to prevent email spoofing. Monitor your domain's SSL certificate expiration with the SSL Checker.
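A checker for the SPF part of the paragraph above, as an added example that is not part of the original article: once the domain's TXT record has been fetched (with the DNS Lookup tool, or `dig TXT example.com`), this parser flags the misconfigurations that leave spoofing unblocked, a permissive or missing `all` term, the deprecated `ptr` mechanism, and more DNS-lookup terms than the ten RFC 7208 permits. The sample records are constructed.

```python
# Added example (not from the original article): parse one SPF TXT record
# and report common misconfigurations. Sample records are constructed.
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query


def check_spf(txt_record):
    """Return a list of findings for one SPF TXT record; an empty list means no issues found."""
    terms = txt_record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        # Optional qualifier prefix: + pass (default), - fail, ~ softfail, ? neutral
        qualifier, body = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        if body == "all":
            all_qualifier = qualifier
            continue
        name = body.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS or body.startswith("redirect="):
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow; replace with ip4/ip6 or include")
    if all_qualifier is None:
        findings.append("no 'all' term: senders not listed are treated as neutral, so spoofing is not blocked")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain; use -all or ~all")
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS}; receivers return permerror")
    return findings


if __name__ == "__main__":
    for record in ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all", "v=spf1 +all", "v=spf1 mx"):
        print(record, "->", check_spf(record) or "ok")
```

DKIM and MX records need their own checks (a DKIM selector record is a different TXT record under `selector._domainkey`); this example covers only the SPF record the paragraph mentions.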
Conclusion
Web security is a continuous process, not a one-time task. Use this checklist as a starting point, and revisit it regularly as your application evolves. Automate as much of your security testing as possible, keep dependencies updated, and always assume user input is malicious. The tools on UtiliTools can help you test and validate many of these security measures in your development workflow.