Website Security Best Practices 2026: The Technical Checklist
CV Infotech audits web application security as part of every development project.
We do not add features to an insecure codebase. That position is stated on every service page. This guide is the reasoning behind it.
Most website security guides tell you to "use strong passwords." This one covers the technical controls that prevent SQL injection, XSS, CSRF, and the 10 most critical web application vulnerabilities the OWASP project tracks. Some sections are for developers. Some are for site owners. Both groups need to understand what the other is responsible for.
TL;DR — Quick Checklist:
- HTTPS: TLS 1.3 + HSTS. Every page.
- Authentication: MFA on all admin accounts. No default credentials. Session timeouts.
- SQL injection: Parameterised queries only. Never concatenate user input into SQL.
- XSS: Output encode all user data. Content Security Policy header.
- CSRF: Tokens on all state-changing requests. SameSite cookie attribute.
- Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
- Dependencies: Automated vulnerability scanning. Patch security issues within 48hrs.
- Backups: 3-2-1 rule. Test restores monthly. Offsite storage.
1. HTTPS and TLS — Encrypt Everything
What HTTPS does
HTTPS encrypts the connection between your server and the visitor's browser. Without it: passwords, session tokens, form submissions, and personal data are transmitted in plaintext and can be intercepted on shared networks. With it: the connection is encrypted and the server identity is verified.
TLS version matters
TLS 1.0 and 1.1 are deprecated and should be disabled. TLS 1.2 is acceptable. TLS 1.3 is the current standard — faster handshake, stronger cipher suites, and better forward secrecy. Check your TLS configuration with SSL Labs (ssllabs.com/ssltest) — target an A+ rating.
HTTP Strict Transport Security (HSTS)
HSTS tells browsers to only connect to your domain over HTTPS, even if a user types http://.
The preload directive submits your domain to browser preload lists — browsers refuse unencrypted connections before the first visit.
Mixed content
A page served over HTTPS that loads resources (images, scripts, fonts) over HTTP is "mixed content" — browsers block or warn on this. Audit with Chrome DevTools Console. Fix by updating all resource URLs to HTTPS.
2. Authentication — Who Gets In and What They Can Do
Multi-factor authentication
MFA should be mandatory for every admin, editor, and privileged account. A compromised password alone is not sufficient for access with MFA enabled. Use TOTP apps (Google Authenticator, Authy) over SMS — SIM swapping attacks can bypass SMS-based 2FA. Hardware keys (YubiKey) for highest-value accounts.
Password policy
Minimum 12 characters. Require a mix of character types. Check passwords against known breach databases (HaveIBeenPwned API). Never store passwords in plaintext. Use bcrypt, Argon2, or scrypt with an appropriate cost factor. Never email passwords. Send password reset links with short expiry (15-30 minutes).
Session management
Session tokens must be cryptographically random (128+ bits of entropy). Set appropriate expiry: shorter for admin sessions (1-4 hours), longer for public users. Invalidate sessions on logout — a "logout" that only clears a client-side cookie does not invalidate the server-side session and is vulnerable to token theft. Set cookies with Secure (HTTPS only), HttpOnly (no JavaScript access), and SameSite=Lax attributes.
Role-based access control
Users should have the minimum permissions required for their function. An editor should not have database deletion permissions. Verify access control on every server-side route — do not rely on hiding UI elements. Broken access control is the OWASP Top 10's #1 risk in 2021.
3. SQL Injection — Parameterise Everything
What SQL injection is
SQL injection happens when user-supplied input is concatenated into a database query. A malicious user can input SQL syntax that changes the query's meaning — reading data they should not access, modifying records, or deleting tables.
The wrong way (vulnerable)
The right way (parameterised)
Framework equivalents
- Laravel Eloquent:
User::where('email', $input)->first();— parameterised by default - Node.js/Sequelize:
User.findOne({ where: { email: input } });— safe by default - Python/SQLAlchemy:
session.query(User).filter_by(email=input).first();— safe - Raw SQL in any framework: use prepared statements, never string concatenation
What to audit
Any raw SQL query in your codebase. Search for string concatenation with user variables. Test with automated tools: OWASP ZAP, sqlmap (on your own applications only).
4. XSS and CSRF — Client-Side Attack Vectors
Cross-Site Scripting (XSS)
XSS injects malicious scripts into pages viewed by other users. A stored XSS attack: a comment form that accepts <script>alert(document.cookie)</script> and renders it without encoding — every user who views that page executes the attacker's code.
Prevention:
- Output encode: before rendering user-supplied data in HTML, encode special characters. React JSX does this automatically for {variable} expressions — but dangerouslySetInnerHTML bypasses it.
- Django templates auto-escape by default. Laravel Blade {{ $var }} is escaped; {!! $var !!} is not.
- Content Security Policy: restrict which scripts can execute on your pages.
Cross-Site Request Forgery (CSRF)
CSRF tricks an authenticated user into submitting a request to your application. Example: a malicious page contains <img src="https://yourbank.com/transfer?amount=1000&to=attacker">. If the user is logged into yourbank.com, the browser sends their cookies with this request.
Prevention:
- CSRF tokens: include a unique, unpredictable token in every state-changing form. The server validates the token before processing. Laravel, Django, Rails do this by default.
- SameSite cookie attribute: SameSite=Lax prevents cookies from being sent on cross-origin navigations.
- Double Submit Cookie pattern: for APIs without server-side session, compare the token in the cookie and the request body.
5. HTTP Security Headers — Browser-Enforced Protection
Security headers are HTTP response headers that tell the browser how to behave. They add a browser-enforced protection layer at zero performance cost. Add them at the web server level (nginx, Apache) or CDN (Cloudflare).
| Header | Value | Purpose |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Force HTTPS for 1 year |
| X-Frame-Options | DENY | Prevent clickjacking via iframe embedding |
| X-Content-Type-Options | nosniff | Prevent MIME type sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Limit referrer information sent |
| Content-Security-Policy | default-src 'self' | Restrict resource loading to own origin |
| Permissions-Policy | camera=(), microphone=() | Disable unused browser features |
Check your headers
Use securityheaders.com to scan your site and see which headers are missing. Target an A rating. An A+ requires HSTS with preload and a restrictive CSP.
6. Keep Dependencies Updated — Outdated Libraries Are Attack Surfaces
Why dependencies are a risk
The average web application depends on hundreds of third-party packages. Each package is a potential vulnerability. Log4Shell (CVE-2021-44228) and the Heartbleed OpenSSL vulnerability are examples of critical vulnerabilities in widely used libraries that exposed millions of applications. The time from vulnerability disclosure to active exploitation has shortened. Patch promptly — not on a quarterly schedule.
Automated scanning
- GitHub Dependabot: automatically opens PRs when dependencies have known vulnerabilities.
- npm audit: run on every npm install in your CI/CD pipeline.
- Snyk: comprehensive vulnerability scanning for npm, Composer, PyPI, and more.
- OWASP Dependency-Check: open-source tool for Java and .NET projects.
WordPress plugin management
WordPress plugin vulnerabilities are the most common attack vector for WordPress sites. Update plugins within 48 hours of a security release. Remove unused plugins — inactive plugins are still attack surfaces. Use the WPScan vulnerability database to check plugin security status.
7. WordPress-Specific Security
WordPress powers 43.5% of all websites — and attracts proportionally more attacks. WordPress core is secure when updated. The vulnerabilities are almost always in outdated plugins and themes, default configurations, and weak credentials.
Essential WordPress security checklist
- Update: WordPress core, all plugins, and all themes. Automate where possible.
- Remove the default "admin" username — create a new admin user with a unique name.
- Enable MFA on all admin accounts.
- Limit login attempts to prevent brute force attacks (Limit Login Attempts Reloaded).
- Change the default WordPress login URL from /wp-admin/ (reduces automated attacks).
- Set correct file permissions: 644 for files, 755 for directories, 600 for wp-config.php.
- Disable XML-RPC if not needed — it is a common brute force target.
- Install a security plugin (Wordfence, Sucuri) for malware scanning and firewall.
- Disable directory listing — ensure Options -Indexes is in your .htaccess.
See our WordPress security service for professionally managed WordPress security.
8. Backups and What to Do When Something Goes Wrong
The 3-2-1 backup rule
- 3 copies of your data.
- 2 different storage media or services.
- 1 copy offsite — in a different geographic location and a different account.
Ransomware attacks encrypt all drives accessible from the infected system. An offsite backup in a separate cloud account is not accessible to ransomware running on your web server.
Backup schedule
Database: daily minimum. Hourly for high-transaction sites. File system: weekly. After significant deployments. Test restores monthly — a backup you have not tested is not a backup. A backup that cannot be restored in under 4 hours is not adequate for a business.
Incident response — if your site is compromised
Step 1: Take the site offline. Put it in maintenance mode.
Step 2: Preserve logs. Do not delete anything before forensic review.
Step 3: Identify the attack vector. How did they get in?
Step 4: Remove malicious code. Scan all files and database content.
Step 5: Restore from a clean backup predating the compromise.
Step 6: Patch the vulnerability used for entry.
Step 7: Change all passwords — database, admin accounts, hosting, email.
Step 8: Report to affected users if personal data was exposed (GDPR, CCPA obligations).
Website Security — Frequently Asked Questions
Akash Singh
Co-Founder and CTO, Cyber Vision Infotech Pvt. Ltd.
Security is built into every CV Infotech project. We do not add features to an insecure codebase — this position is in the brief for every service page we have. Clutch 5.0 across 35 reviews. Freelancer 5.0 across 512 reviews.
Security Built In. Not Bolted On.
CV Infotech audits and fixes web application security issues. If you have a codebase with security debt, the audit starts with a discovery call. $30/hour. Written report before any remediation.