28 February 2026·5 min read

Website Security Audit in 60 Seconds: What to Check and Why

You don't need a penetration test to find the most common security issues. Here are the 8 things to check right now.

Tags: web security, security audit, how-to

Most websites have security issues that take minutes to find and minutes to fix. You don't need a full penetration test or an expensive consultant to catch the low-hanging fruit. Here are the eight areas that cover the vast majority of common web security misconfigurations.

1. TLS/SSL configuration

Check that your site uses TLS 1.2 or 1.3, that TLS 1.0 and 1.1 are disabled, and that your certificate chain is valid and not expiring soon. A surprising number of sites still accept connections from deprecated protocols that have known vulnerabilities.

2. Security headers

The six headers that matter most: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options or frame-ancestors in CSP, Referrer-Policy, and Permissions-Policy. Each one closes a specific class of attack. Missing them doesn't mean you'll be hacked today, but it means you're relying entirely on your application code having zero vulnerabilities.

3. JavaScript libraries

Every JavaScript library on your page is an attack surface. Check whether any are outdated versions with known CVEs. jQuery below 3.5.0, Angular.js in any version, and outdated lodash builds are the most common offenders. The fix is usually a version bump.

4. DNS security

SPF, DKIM, and DMARC protect your domain from being used to send phishing emails. Without all three, anyone can send emails that appear to come from your domain. This isn't hypothetical — domain spoofing is a standard technique in targeted phishing campaigns.

5. Cookie security

Every cookie your site sets should have Secure (HTTPS only), HttpOnly (no JavaScript access), and an appropriate SameSite attribute. Session cookies especially — a missing Secure flag means the session token can be intercepted on any unencrypted connection.

6. CORS policy

If your site returns Access-Control-Allow-Origin headers, check that they're not reflecting arbitrary origins or allowing null. A misconfigured CORS policy can let any website make authenticated requests to your API on behalf of your users.
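The header, cookie and CORS checks from sections 2, 5 and 6 above, as an added example that is not the post's or KrakenProbe's own code: it parses a captured HTTP/1.x response and reports every gap it finds. `probe_origin` is assumed to be the Origin value the audit request was sent with (so an identical Access-Control-Allow-Origin means the server reflects origins), and `SAMPLE` is a constructed response, not from any real site.

```python
# Headers the post lists; clickjacking is checked separately (XFO or CSP frame-ancestors).
REQUIRED_HEADERS = {
    "strict-transport-security": "browsers may still connect over plain HTTP",
    "content-security-policy": "no browser-side limit on injected scripts",
    "x-content-type-options": "browser may MIME-sniff served files",
    "referrer-policy": "full URLs may leak in the Referer header",
    "permissions-policy": "browser features such as camera are unrestricted",
}

def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    head = raw_response.split("\r\n\r\n", 1)[0]  # headers only, body discarded
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw_response: str, probe_origin: str) -> list[str]:
    """probe_origin is the Origin header the audit request carried (assumed); an
    identical Access-Control-Allow-Origin value means the server reflects origins."""
    pairs = parse_headers(raw_response)
    present = dict(pairs)  # last value wins, fine for single-valued headers
    findings = [f"missing {n}: {risk}" for n, risk in REQUIRED_HEADERS.items()
                if n not in present]
    csp = present.get("content-security-policy", "").lower()
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options/frame-ancestors)")
    for name, value in pairs:  # every Set-Cookie is checked, not only the last
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    acao = present.get("access-control-allow-origin", "")
    if acao.lower() == "null":
        findings.append("CORS allows the null origin")
    elif acao == probe_origin:
        findings.append(f"CORS reflects the request origin {probe_origin}")
    return findings

# Constructed sample response (not from any real site) with several gaps.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Access-Control-Allow-Origin: https://audit-origin.example\r\n"
    "\r\n<html></html>"
)
```

`audit_response(SAMPLE, "https://audit-origin.example")` returns eight findings for the sample: four missing headers, no clickjacking protection, the session cookie lacking Secure and SameSite, and the reflected CORS origin.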

7. Mixed content

Even if your site is HTTPS, loading any sub-resource over HTTP undermines the entire chain. Scripts loaded over HTTP can be tampered with in transit. Images loaded over HTTP leak information about what the user is viewing. Check for any http:// URLs in your page source.

8. Subresource integrity

If you load scripts or styles from a CDN, subresource integrity (SRI) hashes ensure the file hasn't been tampered with. Without SRI, a compromised CDN can serve malicious code to all your users. Add integrity attributes to any external script or stylesheet.

Run all 8 checks now

KrakenProbe runs all eight of these checks in a single scan and gives you a security grade with specific remediation steps for every issue found. It takes less than 60 seconds. Scan your site for free and see where you stand.
