The Essential Website Hardening Checklist
A practical, actionable checklist for securing your web infrastructure, focusing on low-effort, high-impact configuration changes.
Securing the Perimeter
Website hardening isn't always about zero-days or complex exploits. Most breaches occur because of simple misconfigurations, exposed services, or missing security headers.
Use this checklist to lock down your web infrastructure.
1. HTTP Security Headers
Headers instruct the browser on how to behave securely when interacting with your site.
- Strict-Transport-Security (HSTS): Enforces HTTPS connections, preventing downgrade attacks.
- Content-Security-Policy (CSP): Mitigates XSS attacks by restricting where scripts and assets can be loaded from.
- X-Frame-Options: Prevents clickjacking by controlling whether your site can be embedded in an iframe.
- X-Content-Type-Options: Prevents MIME-sniffing vulnerabilities (
nosniff).
2. TLS/SSL Configuration
Simply having a certificate is not enough.
- Disable old protocols (SSLv3, TLS 1.0, TLS 1.1). Require TLS 1.2 or TLS 1.3.
- Disable weak cipher suites.
- Ensure the certificate chain is complete and valid.
3. Email Authentication (DMARC, SPF, DKIM)
Protect your brand reputation and prevent attackers from spoofing your domain.
- SPF (Sender Policy Framework): Lists the IP addresses authorized to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to emails.
- DMARC: Instructs receiving servers what to do if SPF or DKIM fail (e.g., reject or quarantine).
4. Attack Surface Reduction
- Close unnecessary ports. Only HTTP (80) and HTTPS (443) should be exposed to the public internet for a standard web server.
- Hide admin panels (e.g., move
/wp-adminor place it behind a VPN). - Remove default files, test scripts, and installation directories.
5. Automated Auditing
You can't fix what you don't know is broken. Regularly audit your public-facing infrastructure. Exarlo automates this entire checklist — the scan runs in minutes and your report is emailed to you, guaranteed within 48 hours.
Find your vulnerabilities before attackers do.
Our automated $149 security audit maps your public attack surface and checks for misconfigurations, outdated components, and missing security headers.
Get Your Security Audit