Security Audit Checklist

A practical self-assessment covering 43 security controls across OWASP Top 10, authentication, encryption, API security, infrastructure, and compliance. Check off what you have covered — anything you cannot tick is a gap worth fixing.
OWASP Top 10

[ ] Access control is enforced server-side — no reliance on client-side checks
[ ] Sensitive data (passwords, tokens, PII) is never stored or transmitted in plaintext
[ ] All user inputs are validated and sanitized — no SQL/NoSQL/command injection possible
[ ] Security requirements were considered during design — not bolted on after
[ ] Default credentials changed, debug mode off, error messages don't leak internals
[ ] All dependencies are tracked and free of known critical CVEs
[ ] Login brute-force protection is in place — lockout or rate limiting
[ ] Software integrity verified — no unsigned or tampered packages in the supply chain
[ ] Security events (auth failures, access violations) are logged and monitored
[ ] Server-side HTTP requests cannot be redirected to internal infrastructure (SSRF protected)

Authentication

[ ] Multi-factor authentication (MFA) enforced for all admin and privileged accounts
[ ] Password hashing uses bcrypt, Argon2, or scrypt — not MD5 or SHA-1
[ ] Session tokens are cryptographically random with sufficient entropy (≥128 bits)
[ ] Session cookies have HttpOnly, Secure, and SameSite=Strict/Lax flags set
[ ] Sessions expire after inactivity and are invalidated on logout server-side
[ ] No credentials, API keys, or secrets committed to source code or config files
[ ] Password reset flows use time-limited, single-use tokens sent to verified email

Encryption

[ ] TLS 1.2 minimum enforced on all endpoints — TLS 1.0/1.1 and SSLv3 disabled
[ ] TLS certificate is valid, not expired, and from a trusted CA
[ ] HSTS header is set with a long max-age (≥1 year) and includes subdomains
[ ] Sensitive data (PII, financial, health) is encrypted at rest in the database
[ ] Secrets and API keys are stored in a vault or secrets manager — not plaintext env files
[ ] No sensitive data (tokens, PII, passwords) appears in application logs
[ ] Encryption keys are rotated and access to them is strictly limited

API security

[ ] Every API endpoint requires authentication — no unauthenticated data endpoints
[ ] Authorization is enforced per-request — users cannot access other users' data
[ ] Rate limiting is applied to all public-facing endpoints
[ ] Input validation runs server-side for all API parameters and body fields
[ ] CORS policy is restrictive — not wildcard (*) on credentialed requests
[ ] API responses never include sensitive fields not needed by the client
[ ] API versioning and deprecation policy is in place

Infrastructure

[ ] Firewall or WAF is configured and active on all production systems
[ ] All unnecessary ports and services are closed or disabled
[ ] Operating system and software patches are applied within 30 days of release
[ ] Access logs are enabled and retained for at least 90 days
[ ] Principle of least privilege applied — no accounts with more rights than needed
[ ] SSH access uses key-based auth only — password SSH disabled
[ ] Backups are encrypted, tested, and stored separately from production

Compliance

[ ] Privacy policy is current, accurate, and accessible to users
[ ] Cookie consent is implemented — non-essential cookies require opt-in
[ ] Data retention periods are defined and automatically enforced
[ ] Data Processing Agreements (DPAs) signed with all sub-processors
[ ] Users can request data export and deletion (GDPR Art. 15/17 rights)
[ ] An incident response plan exists and has been tested
[ ] Vendor risk assessments conducted for critical third-party services
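Two of the items above (HSTS max-age of at least a year with subdomains included, and session cookies carrying HttpOnly, Secure and SameSite=Strict/Lax) can be verified mechanically from a single HTTP response. The following Python check is an added example, not part of the checklist or its publisher's tooling; the response headers and cookies it inspects are constructed for a hypothetical application, and the threshold values are taken from the checklist items.

```python
ONE_YEAR = 365 * 24 * 3600  # checklist threshold: HSTS max-age of at least one year


def check_hsts(headers: dict) -> list[str]:
    """Findings for the Strict-Transport-Security header (header names lower-cased)."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if not hsts:
        return ["HSTS header missing"]
    directives = {}
    for part in hsts.split(";"):  # e.g. "max-age=31536000; includeSubDomains"
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip()
    max_age = directives.get("max-age")
    if not max_age or not max_age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not include subdomains")
    return findings


def check_cookies(set_cookie_values: list[str]) -> list[str]:
    """Findings per Set-Cookie value: HttpOnly, Secure and SameSite=Strict/Lax required."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]  # cookie name precedes the first "="
        attrs = {}
        for p in parts[1:]:  # attributes are case-insensitive per RFC 6265
            key, _, value = p.partition("=")
            attrs[key.lower()] = value.strip().lower()
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if attrs.get("samesite") not in ("strict", "lax"):
            findings.append(f"cookie {name}: SameSite not Strict/Lax")
    return findings


def audit(headers: dict, set_cookie_values: list[str]) -> list[str]:
    return check_hsts(headers) + check_cookies(set_cookie_values)


# Constructed sample response for a hypothetical app (not a real host).
SAMPLE_HEADERS = {"strict-transport-security": "max-age=3600"}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
]
```

Calling audit(SAMPLE_HEADERS, SAMPLE_COOKIES) reports the short HSTS max-age, the missing includeSubDomains directive, and the three missing flags on the prefs cookie; a response that passes returns an empty list.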
Each gap is a real risk. Our security engineers will find the root cause and give you a prioritized remediation plan.
This checklist is based on OWASP Top 10, GDPR requirements, and SOC 2 Trust Service Criteria. It is a self-assessment tool, not a substitute for a professional security audit.