
Web App Security Audit Checklist (2026)

The complete pre-launch security checklist. Run through this before you share your app publicly — it covers the vulnerabilities that actually get exploited.

Authentication & Session Management

  • Passwords are hashed with bcrypt, Argon2, or scrypt (never MD5 or SHA1)
  • Session tokens are cryptographically random (not sequential IDs)
  • Sessions expire after inactivity (30–60 minutes for sensitive apps)
  • Logout invalidates the session server-side, not just client-side
  • Password reset tokens are single-use and expire within 1 hour
  • Rate limiting on login endpoints (to slow down brute-force and credential-stuffing attempts)
  • Account lockout after N failed attempts
  • MFA available for sensitive accounts

Authorization & Access Control

  • Every API endpoint checks authentication before returning data
  • User A cannot access User B's resources by changing an ID (IDOR)
  • Admin routes are protected by role checks, not just auth checks
  • File uploads are validated for type and size
  • Uploaded files are not served from the same domain as the app
  • Database queries use parameterized statements (no string concatenation)
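The IDOR, role-check and parameterized-query items are easiest to get right when authorization is a small set of explicit policy functions rather than something each handler improvises. The block below is an added example (not from the checklist or Vezraa) with a constructed in-memory document store: it shows the vulnerable "trust the id in the URL" pattern next to a lookup scoped to the caller, a separate role check for an admin route, and the `{ text, values }` query shape that node-postgres accepts so the SQL never sees user input as text. The store, users and roles are assumptions.

```javascript
// Constructed sample data standing in for a database table and a users table
const documents = new Map([
  ['doc-1', { id: 'doc-1', ownerId: 'alice', body: 'alice private' }],
  ['doc-2', { id: 'doc-2', ownerId: 'bob', body: 'bob private' }],
]);
const users = {
  alice: { id: 'alice', roles: ['user'] },
  bob: { id: 'bob', roles: ['user'] },
  carol: { id: 'carol', roles: ['user', 'admin'] },
};

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Authentication: is there a valid session at all?
function requireAuth(session) {
  if (!session || !session.userId || !users[session.userId]) throw new HttpError(401, 'unauthenticated');
  return users[session.userId];
}

// Authorization by role: being logged in is not enough for admin routes
function requireRole(user, role) {
  if (!user.roles.includes(role)) throw new HttpError(403, 'forbidden');
}

// Vulnerable pattern (kept for contrast): authenticated, but any id returns any user's document.
function getDocumentVulnerable(session, docId) {
  requireAuth(session);
  const doc = documents.get(docId);
  if (!doc) throw new HttpError(404, 'not found');
  return doc;
}

// Fixed: the lookup is scoped to the caller. A foreign id and a missing id both yield 404,
// so the endpoint is not an oracle for which ids exist.
function getDocument(session, docId) {
  const user = requireAuth(session);
  const doc = documents.get(docId);
  const isOwner = doc && doc.ownerId === user.id;
  const isAdmin = user.roles.includes('admin');
  if (!doc || (!isOwner && !isAdmin)) throw new HttpError(404, 'not found');
  return doc;
}

// Admin route: auth check plus role check
function deleteAnyDocument(session, docId) {
  const user = requireAuth(session);
  requireRole(user, 'admin');
  return documents.delete(docId);
}

// Parameterized query: fixed SQL text, values passed separately (the shape pg's client.query accepts).
// Scoping by owner_id in the query itself is the database-side version of getDocument's check.
function documentQuery(userId, docId) {
  return {
    text: 'SELECT id, owner_id, body FROM documents WHERE id = $1 AND owner_id = $2',
    values: [docId, userId],
  };
}

module.exports = { getDocument, getDocumentVulnerable, deleteAnyDocument, documentQuery, HttpError };
```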

Secrets & Configuration

  • No API keys, passwords, or secrets in source code
  • .env file is in .gitignore and not committed to git
  • NEXT_PUBLIC_ prefix only used for truly public values
  • Production uses different credentials than development
  • Secrets are rotated if they've ever been exposed
  • Environment variables are set in deployment platform, not hardcoded
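Most of this section is enforceable at boot: refuse to start when a required secret is missing or still a placeholder, when a `NEXT_PUBLIC_` variable carries a secret-looking name (everything with that prefix is inlined into the browser bundle), or when a production build points at a local database. The block below is an added example, not from the checklist or Vezraa; the variable names, the minimum secret length and the placeholder list are assumptions you would adapt to your app.

```javascript
// Variables this app requires at boot (assumption for the example)
const REQUIRED_SECRETS = ['DATABASE_URL', 'SESSION_SECRET', 'RAZORPAY_WEBHOOK_SECRET'];
// Name fragments that must never follow the NEXT_PUBLIC_ prefix
const SECRET_NAME = /(SECRET|PRIVATE|PASSWORD|TOKEN|API[-_]?KEY)/i;
// Values that mean "someone forgot to set this" (constructed list)
const PLACEHOLDERS = new Set(['', 'changeme', 'password', 'secret', 'todo', 'xxx', 'replace-me']);
const MIN_SECRET_LENGTH = 32; // assumption: random secrets shorter than this are suspicious

// Returns a list of { name, problem } findings for an environment object such as process.env
function auditEnv(env) {
  const findings = [];

  for (const name of REQUIRED_SECRETS) {
    const value = env[name];
    if (value === undefined) {
      findings.push({ name, problem: 'missing' });
      continue;
    }
    if (PLACEHOLDERS.has(value.trim().toLowerCase())) {
      findings.push({ name, problem: 'placeholder value' });
      continue;
    }
    // URLs are not random material, so the length rule only applies to real secrets
    if (!name.endsWith('_URL') && value.length < MIN_SECRET_LENGTH) {
      findings.push({ name, problem: `shorter than ${MIN_SECRET_LENGTH} characters` });
    }
  }

  for (const name of Object.keys(env)) {
    if (name.startsWith('NEXT_PUBLIC_') && SECRET_NAME.test(name.slice('NEXT_PUBLIC_'.length))) {
      findings.push({ name, problem: 'secret-looking name is exposed to the browser bundle' });
    }
  }

  if (env.NODE_ENV === 'production' && /localhost|127\.0\.0\.1/.test(env.DATABASE_URL || '')) {
    findings.push({ name: 'DATABASE_URL', problem: 'production config points at a local database' });
  }

  return findings;
}

// Call once at startup; a misconfigured app should fail loudly rather than run with defaults
function loadConfig(env) {
  const findings = auditEnv(env);
  if (findings.length > 0) {
    throw new Error('refusing to start: ' + findings.map(f => `${f.name} (${f.problem})`).join(', '));
  }
  return {
    databaseUrl: env.DATABASE_URL,
    sessionSecret: env.SESSION_SECRET,
    razorpayWebhookSecret: env.RAZORPAY_WEBHOOK_SECRET,
  };
}

// Checks that a .gitignore file's text contains a pattern covering the .env file
function gitignoreCoversEnv(gitignoreText) {
  const patterns = String(gitignoreText)
    .split(/\r?\n/)
    .map(line => line.trim())
    .filter(line => line && !line.startsWith('#'));
  return patterns.some(p => ['.env', '/.env', '.env*', '*.env'].includes(p));
}

module.exports = { auditEnv, loadConfig, gitignoreCoversEnv };
```

`loadConfig(process.env)` at the top of your server entry point turns a forgotten secret into a crash at deploy time instead of a silent fallback; `gitignoreCoversEnv` is the kind of check that belongs in a pre-commit hook or CI step.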

HTTP Security Headers

  • Content-Security-Policy header present
  • Strict-Transport-Security (HSTS) enabled
  • X-Frame-Options: SAMEORIGIN or DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy configured
  • Permissions-Policy restricts unused browser features
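A header scan of the kind described on this page is a few dozen lines once you lowercase the header names and parse the two headers with structure (CSP directives and the HSTS `max-age`). The block below is an added example, not Vezraa's scanner or any code from the checklist: `auditHeaders` takes a response's header object and returns findings for each of the six items, and `nextConfigHeaders` emits the same recommended set in the shape a Next.js `next.config.js` `headers()` function returns. The recommended values and the 180-day HSTS floor are assumptions.

```javascript
// A baseline header set (assumption; tighten the CSP to your app's actual script and style sources)
const RECOMMENDED_HEADERS = {
  'content-security-policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};
const MIN_HSTS_MAX_AGE = 15552000; // 180 days (assumption; a full year is the common recommendation)

// Header names are case-insensitive, so normalise before looking anything up
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// "directive source source; directive ..." -> { directive: [sources] }
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources.map(s => s.toLowerCase());
  }
  return directives;
}

// Returns a list of human-readable findings; an empty list means every item passed
function auditHeaders(rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const findings = [];

  if (!h['content-security-policy']) {
    findings.push('Content-Security-Policy missing');
  } else {
    const d = parseCsp(h['content-security-policy']);
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    // Note: a nonce/hash policy with 'strict-dynamic' makes 'unsafe-inline' inert; this check does not model that
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
      findings.push('CSP allows inline or wildcard scripts');
    }
  }

  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('Strict-Transport-Security missing');
  else if (!maxAge || Number(maxAge[1]) < MIN_HSTS_MAX_AGE) findings.push(`HSTS max-age below ${MIN_HSTS_MAX_AGE}`);

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff missing');
  }

  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (!rp) findings.push('Referrer-Policy missing');
  else if (rp === 'unsafe-url' || rp === 'no-referrer-when-downgrade') {
    findings.push(`Referrer-Policy "${rp}" sends full URLs to other origins`);
  }

  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');

  return findings;
}

// The same set in the shape next.config.js's async headers() returns (assumption: Next.js deployment)
function nextConfigHeaders() {
  const headers = Object.entries(RECOMMENDED_HEADERS).map(([key, value]) => ({ key, value }));
  return [{ source: '/(.*)', headers }];
}

module.exports = { auditHeaders, nextConfigHeaders, RECOMMENDED_HEADERS };
```

To run it against a live deployment, pass `Object.fromEntries(response.headers)` from a `fetch` of your home page; the audit is intentionally pure so it is just as easy to run in CI against a fixture of expected headers.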

Input Validation & Output Encoding

  • All user input is validated server-side (not just client-side)
  • HTML output is escaped to prevent XSS
  • dangerouslySetInnerHTML is not used with user-controlled content
  • File paths constructed from user input are sanitized
  • Redirect URLs are validated against an allowlist
  • JSON responses set Content-Type: application/json

API Security

  • Rate limiting on all public API endpoints
  • API keys are validated server-side before processing requests
  • CORS is configured to allow only trusted origins
  • Webhook signatures are verified (Razorpay, GitHub, etc.)
  • API responses don't leak internal error messages in production
  • Pagination limits prevent bulk data extraction

Infrastructure & Deployment

  • Debug mode is disabled in production
  • console.log statements don't output sensitive data
  • Error pages don't reveal stack traces or internal paths
  • Dependencies are up to date with no critical CVEs
  • HTTPS is enforced (no HTTP fallback)
  • Source maps are not publicly accessible in production
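Of these items, the one that needs code rather than a build flag is keeping sensitive data out of logs. The block below is an added example, not from the checklist or Vezraa: a recursive redactor that masks values under secret-looking keys, blanks bearer tokens inside free-text strings, reduces `Error` objects to name and message (no stack), and caps recursion depth so circular structures cannot hang the logger. The key pattern and the depth cap are assumptions.

```javascript
// Keys whose values must never appear in a log line (assumption; extend for your domain)
const SENSITIVE_KEY = /(password|passwd|secret|token|authorization|cookie|session|api[-_]?key|card|cvv)/i;
const MAX_DEPTH = 8; // assumption: deep enough for request objects, shallow enough to stop cycles
const MASK = '[REDACTED]';

// Returns a copy of `value` safe to serialise into logs
function redact(value, depth = 0) {
  if (depth > MAX_DEPTH) return '[truncated]';
  if (value instanceof Error) {
    // Stack traces reveal internal paths; name and message are enough for a log line
    return { name: value.name, message: redact(value.message, depth + 1) };
  }
  if (Array.isArray(value)) return value.map(v => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) ? MASK : redact(v, depth + 1);
    }
    return out;
  }
  if (typeof value === 'string') {
    // Authorization-style credentials embedded in free text (e.g. a logged header dump)
    return value.replace(/Bearer\s+\S+/gi, `Bearer ${MASK}`);
  }
  return value;
}

// Drop-in for console.log calls that currently take request or user objects
function safeLog(label, payload) {
  const safe = redact(payload);
  console.log(label, JSON.stringify(safe));
  return safe;
}

module.exports = { redact, safeLog };
```

Wiring `safeLog` in place of `console.log` does not remove the need to grep for the remaining raw `console.log` calls before launch, but it means a future `console.log(req.headers)` by a teammate no longer lands credentials in the log pipeline.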

Run this audit automatically

This checklist covers 50+ items. Vezraa runs all of them automatically against your deployed app URL in 30 seconds — no code access required. The scan gives you your score and critical findings. The full report gives you evidence for every finding and paste-ready fix prompts.

