Web App Security Audit Checklist (2026)
The complete pre-launch security checklist. Run through this before you share your app publicly — it covers the vulnerabilities that actually get exploited.
Authentication & Session Management
- ☐ Passwords are hashed with bcrypt, Argon2, or scrypt (never MD5 or SHA1)
- ☐ Session tokens are cryptographically random (not sequential IDs)
- ☐ Sessions expire after inactivity (30–60 minutes for sensitive apps)
- ☐ Logout invalidates the session server-side, not just client-side
- ☐ Password reset tokens are single-use and expire within 1 hour
- ☐ Rate limiting on login endpoints (prevents brute force)
- ☐ Account lockout after N failed attempts
- ☐ MFA available for sensitive accounts
Authorization & Access Control
- ☐ Every API endpoint checks authentication before returning data
- ☐ User A cannot access User B's resources by changing an ID (IDOR)
- ☐ Admin routes are protected by role checks, not just auth checks
- ☐ File uploads are validated for type and size
- ☐ Uploaded files are not served from the same domain as the app
- ☐ Database queries use parameterized statements (no string concatenation)
Secrets & Configuration
- ☐ No API keys, passwords, or secrets in source code
- ☐ .env file is in .gitignore and not committed to git
- ☐ NEXT_PUBLIC_ prefix only used for truly public values
- ☐ Production uses different credentials than development
- ☐ Secrets are rotated if they've ever been exposed
- ☐ Environment variables are set in the deployment platform, not hardcoded
HTTP Security Headers
- ☐ Content-Security-Policy header present
- ☐ Strict-Transport-Security (HSTS) enabled
- ☐ X-Frame-Options: SAMEORIGIN or DENY
- ☐ X-Content-Type-Options: nosniff
- ☐ Referrer-Policy configured
- ☐ Permissions-Policy restricts unused browser features
Input Validation & Output Encoding
- ☐ All user input is validated server-side (not just client-side)
- ☐ HTML output is escaped to prevent XSS
- ☐ dangerouslySetInnerHTML is not used with user-controlled content
- ☐ File paths constructed from user input are sanitized
- ☐ Redirect URLs are validated against an allowlist
- ☐ JSON responses set Content-Type: application/json
API Security
- ☐ Rate limiting on all public API endpoints
- ☐ API keys are validated server-side before processing requests
- ☐ CORS is configured to allow only trusted origins
- ☐ Webhook signatures are verified (Razorpay, GitHub, etc.)
- ☐ API responses don't leak internal error messages in production
- ☐ Pagination limits prevent bulk data extraction
Infrastructure & Deployment
- ☐ Debug mode is disabled in production
- ☐ console.log statements don't output sensitive data
- ☐ Error pages don't reveal stack traces or internal paths
- ☐ Dependencies are up to date with no critical CVEs
- ☐ HTTPS is enforced (no HTTP fallback)
- ☐ Source maps are not publicly accessible in production
Run this audit automatically
This checklist covers 50+ items. Vezraa runs all of them automatically against your deployed app URL in 30 seconds — no code access required. The scan gives you your score and critical findings. The full report gives you evidence for every finding and paste-ready fix prompts.
Run the full security audit automatically in 30 seconds.