
Roy Morken

Posted on • Originally published at ismycodesafe.com

Pre-Launch Security Checklist for Web Apps: 20 Must-Check Items (2026)

## Must-Have (Ship Blockers)

Don't launch without these. Each one represents a real, exploitable vulnerability if missing.

- **HTTPS with a valid TLS certificate.** Use [Let's Encrypt](https://letsencrypt.org/) — it's free and auto-renews.
- **HTTP redirects to HTTPS.** 301 redirect, not 302. Every page, not just the homepage.
- **HSTS header is set.** Prevents SSL stripping attacks after the first visit (submit the domain to the HSTS preload list to cover the first visit as well).
- **Content-Security-Policy header.** Limits what an XSS payload can load or run. Start with `default-src 'self'`.
- **No exposed secrets in code.** Grep for API keys, passwords, tokens. Use environment variables.
- **Debug mode is off.** No stack traces, no verbose errors, no `/debug/` endpoints.
- **Database queries are parameterized.** Zero string concatenation in SQL.
- **CSRF protection on all forms.** Login, registration, payment, settings — every state-changing form.
- **Passwords hashed with bcrypt/Argon2.** Never plaintext, MD5, or unsalted SHA.
- **Sensitive files return 404.** `.env`, `.git/config`, `docker-compose.yml` — not accessible via URL.


## Should-Have (First Week)

Handle these within the first week. They reduce your attack surface and improve trust.

- **Rate limiting on login and API endpoints.** Prevents brute force and abuse.
- **Cookie flags: Secure, HttpOnly, SameSite.** Prevents session theft via XSS and CSRF.
- **X-Frame-Options and X-Content-Type-Options headers.** Two-line config, significant protection.
- **CORS configured with specific origins.** No `Access-Control-Allow-Origin: *`.
- **Privacy policy published.** Required by GDPR if you have EU visitors. Link from footer.
- **Error pages don't leak information.** Custom 404 and 500 pages with no technical details.
- **Admin panel is not publicly accessible.** IP restriction, VPN, or separate domain.


## Nice-to-Have (First Month)

These improve your security posture further and prepare you for scale.

- **Security event logging.** Log login attempts, access denials, and errors. Store logs separately from the application.
- **Dependency audit in CI.** Run `npm audit` or `pip-audit` on every build. Block deploys with critical vulnerabilities.
- **Automated security scanning after deployments.** Run [ismycodesafe.com](/) after each release to catch regressions.




For the full 50-item version with detailed explanations, see [The Developer Security Checklist](/learn/checklists).

This article was originally published on ismycodesafe.com.
