Website Security Audit Checklist for Technical SEO Audits

In this website security audit checklist, we will focus on identifying potential vulnerabilities that can impact a website’s security, user experience, and search engine rankings. Our aim here is to make absolutely sure your website is secure from malicious attacks, data breaches, and other security threats that could harm SEO performance.

What's Inside This Checklist?

HTTP URLs – Ensure Encrypted Communication and User Trust

  • Are there any pages still using HTTP instead of HTTPS?
  • Are HTTP pages being properly redirected to HTTPS (301 redirects)?
  • Are there any internal links pointing to HTTP versions of pages instead of HTTPS?
  • Are canonical tags referencing HTTP URLs instead of HTTPS?
  • Are sitemaps containing HTTP URLs instead of HTTPS?
  • Are there any backlinks pointing to HTTP versions that could be updated to HTTPS?
  • Are there any mixed content warnings caused by HTTP resources on HTTPS pages?
  • Has HTTP Strict Transport Security (HSTS) been implemented to enforce HTTPS?

Mixed Content – Prevent Data Leaks and Browser Warnings

  • Are there any insecure (HTTP) resources (e.g., images, scripts, CSS files) being loaded on HTTPS pages?
  • Are there any third-party resources being loaded over HTTP?
  • Are all images, stylesheets, scripts, and other assets properly served over HTTPS?
  • Are any mixed content issues causing security warnings in browsers?
  • Are there hardcoded HTTP links in the site’s code that need updating?

Form URL Insecure – Protect User Data During Submission

  • Are any forms submitting data to an HTTP URL instead of HTTPS?
  • Are login forms, checkout forms, or any forms handling sensitive data using HTTPS?
  • Are there any third-party form action URLs that are insecure?
  • Are form submissions triggering security warnings in browsers?

Form on HTTP URL – Maintain User Trust and Data Security

  • Are there any forms present on HTTP pages?
  • If forms exist on HTTP pages, are they being properly redirected to HTTPS versions?
  • Are login, checkout, or sensitive data forms properly secured with HTTPS?
  • Are users being warned about submitting data over an insecure connection?

Missing HSTS Header – Enforce HTTPS and Block Man-in-the-Middle Attacks

  • Has HTTP Strict Transport Security (HSTS) been implemented on the website?
  • Does the server response include the Strict-Transport-Security header?
  • Is the HSTS max-age value set appropriately?
  • Is the includeSubDomains directive present to cover all subdomains?
  • Has the site been preloaded into the HSTS preload list (if applicable)?
  • Are there any HTTP pages accessible that should be redirected?

Unsafe Cross-Origin Links – Prevent Data Exposure and Phishing

  • Are there links that open in a new tab (target="_blank") missing rel="noopener noreferrer"?
  • Are any external links potentially exposing security risks by allowing access to the window.opener object?
  • Are there third-party scripts or links that could pose security vulnerabilities?

Protocol-Relative Resource Links – Reduce Security Risks and Content Loading Issues

  • Are there any resource URLs using protocol-relative links (e.g., //example.com/script.js instead of https://example.com/script.js)?
  • Are protocol-relative URLs causing mixed content issues?
  • Have all protocol-relative links been converted to absolute HTTPS URLs?
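As an added example (not part of the original checklist), a small Python auditor that runs the HTTP URL, mixed content, insecure form action, unsafe cross-origin link and protocol-relative resource checks from the sections above over a page's HTML; the sample page and the host name example.test are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from any real site): one issue of each kind plus two clean elements.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://example.test/page">
<link rel="stylesheet" href="//cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<a href="http://example.test/about">About</a>
<a href="https://partner.test/" target="_blank">Partner</a>
<a href="https://other.test/" target="_blank" rel="noopener noreferrer">Safe</a>
<form action="http://example.test/login" method="post"></form>
<img src="https://example.test/logo.png">
</body></html>"""

class SecurityLinkAuditor(HTMLParser):
    """Collects (finding, url) pairs for the link-level checks in the checklist."""
    RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host  # host of the audited page, used for the internal-link check
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases names; valueless attributes map to None
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            if urlparse(a.get("href") or "").scheme == "http":
                self.findings.append(("canonical http URL", a["href"]))
        elif tag in self.RESOURCE_ATTRS:
            url = a.get(self.RESOURCE_ATTRS[tag]) or ""
            if url.startswith("//"):
                # Protocol-relative: inherits the page scheme, so it is plain http on any http page.
                self.findings.append(("protocol-relative resource", url))
            elif urlparse(url).scheme == "http":
                self.findings.append(("mixed content", url))
        elif tag == "a":
            href = a.get("href") or ""
            parsed = urlparse(href)
            if parsed.scheme == "http" and parsed.hostname == self.page_host:
                self.findings.append(("internal http link", href))
            # Without rel=noopener the opened page may reach window.opener in older browsers.
            if a.get("target") == "_blank" and "noopener" not in rel:
                self.findings.append(("target=_blank without noopener", href))
        elif tag == "form" and urlparse(a.get("action") or "").scheme == "http":
            self.findings.append(("insecure form action", a["action"]))

def audit_html(html, page_host="example.test"):
    parser = SecurityLinkAuditor(page_host)  # page_host: host the page was served from
    parser.feed(html)
    return parser.findings
```

Feeding each crawled page's HTML to audit_html produces one line per checklist hit; external HTTP links are reported only when they are resources, forms or new-tab links, so backlink checks still need the crawler's link graph.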

Missing Content-Security-Policy Header – Block Code Injection and Cross-Site Scripting

  • Has a Content Security Policy (CSP) been implemented?
  • Is the CSP header properly configured to prevent XSS attacks?
  • Are all necessary domains whitelisted for scripts, styles, and media?
  • Is inline JavaScript and CSS properly controlled with CSP rules?
  • Are unsafe directives (e.g., unsafe-inline, unsafe-eval) being used unnecessarily?
  • Are external resources from third-party domains properly managed in the CSP?

Missing X-Content-Type-Options Header – Protect Against MIME Type Confusion Attacks

  • Is the X-Content-Type-Options: nosniff header implemented?
  • Are browsers allowed to infer MIME types instead of enforcing declared types?
  • Are there any resources (e.g., JavaScript or CSS files) being improperly loaded due to missing MIME type protection?

Missing X-Frame-Options Header – Prevent Clickjacking and UI Redress Attacks

  • Is the X-Frame-Options header implemented to prevent clickjacking?
  • Is the value set to DENY, SAMEORIGIN, or ALLOW-FROM appropriately?
  • Are there any pages that allow embedding via iframes that should be restricted?
  • Are there business cases where embedding is required, and if so, are they properly managed?

Missing Secure Referrer-Policy Header – Prevent Unintended Data Leaks

  • Has a Referrer-Policy header been set?
  • Is the policy set to a secure value (e.g., strict-origin-when-cross-origin or no-referrer)?
  • Are any sensitive pages unintentionally leaking referrer data?
  • Are there any unnecessary unsafe-url policies exposing full URLs to third parties?
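As an added example (not the page's own code), a Python check for the HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and Referrer-Policy items in the five sections above, run over two constructed header sets; the one-year max-age threshold and the set of referrer policies treated as secure are this example's assumptions.

```python
ONE_YEAR = 31536000  # assumed audit threshold: the max-age the HSTS preload list asks for
SECURE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
# Constructed sample header sets (not captured from any real site), header names lowercased.
WEAK_HEADERS = {
    "strict-transport-security": "max-age=3600",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "x-frame-options": "ALLOW-FROM https://partner.test",
    "referrer-policy": "unsafe-url",
}
HARDENED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.test; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def hsts_directives(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a {name: value} dict, names lowercased."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out

def audit_headers(headers):
    """Return checklist findings for one response's headers; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS header missing")
    else:
        d = hsts_directives(h["strict-transport-security"])
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < ONE_YEAR:
            findings.append("HSTS max-age missing or below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    if "content-security-policy" not in h:
        findings.append("CSP header missing")
    else:
        for unsafe in ("'unsafe-inline'", "'unsafe-eval'"):
            if unsafe in h["content-security-policy"].lower():
                findings.append(f"CSP allows {unsafe}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    # ALLOW-FROM is no longer honoured by current browsers; CSP frame-ancestors is the allow-list mechanism.
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("referrer-policy", "").strip().lower() not in SECURE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")
    return findings
```

In a real audit the headers dict comes from the HTTPS response of each crawled page; note that a CSP with frame-ancestors makes X-Frame-Options redundant, so sites using that directive can be whitelisted from the X-Frame-Options finding.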

Bad Content Type – Reduce Browser Security Risks and Prevent Exploits

  • Are all resources (HTML, CSS, JavaScript, images, etc.) served with correct MIME types?
  • Are any scripts or stylesheets being served with incorrect Content-Type headers?
  • Are any security risks present due to missing or incorrect MIME types?
  • Are text-based files being served with appropriate text/plain or text/html headers?
