The Developer Security Checklist: 50 Things to Verify

SSL/TLS (1-6)

1. TLS certificate is valid and not expired. Check expiration date. Set up automated renewal with Let's Encrypt or your CA.
2. TLS 1.2 or higher. TLS 1.0 and 1.1 are deprecated. Disable them in your server config. Use the Mozilla SSL Configuration Generator.
3. HSTS header is set. Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
4. HTTP redirects to HTTPS. All HTTP requests should 301 redirect to HTTPS. Not 302.
5. No mixed content. Every resource (scripts, stylesheets, images, fonts) loaded over HTTPS.
6. Certificate chain is complete. Intermediate certificates are included. Test with openssl s_client -connect yoursite.com:443.

Security Headers (7-14)

7. Content-Security-Policy is set. At minimum: default-src 'self'. Add exceptions as needed. See MDN CSP guide.
8. X-Frame-Options is DENY or SAMEORIGIN. Prevents clickjacking.
9. X-Content-Type-Options is nosniff. Prevents MIME sniffing attacks.
10. Referrer-Policy is set. strict-origin-when-cross-origin is a good default.
11. Permissions-Policy disables unused features. camera=(), microphone=(), geolocation=()
12. Server header doesn't leak version info. Remove or obscure the Server and X-Powered-By headers.
13. Cross-Origin-Opener-Policy is same-origin. Isolates browsing context.
14. Cache-Control is set for sensitive pages. no-store for authenticated pages to prevent browser caching of sensitive data.

Authentication (15-22)

15. Passwords are hashed with bcrypt, scrypt, or Argon2. Never MD5, SHA-1, or SHA-256 without salt.
16. Password minimum length is 8+ characters. Check against the HaveIBeenPwned breached password list.
17. Login endpoint is rate-limited. Maximum 10 attempts per IP per minute. Return 429 after limit.
18. CSRF tokens on all state-changing forms. Login, registration, password change, account settings.
19. Session tokens are regenerated after login. Prevents session fixation attacks.
20. Cookies have Secure, HttpOnly, and SameSite flags. Set-Cookie: session=...; Secure; HttpOnly; SameSite=Lax
21. MFA is available for admin accounts. TOTP (authenticator app) at minimum.
22. Password reset tokens expire. 1 hour maximum. Single-use. Invalidated after password change.

Input Validation (23-28)

23. All user input is validated server-side. Client-side validation is for UX only. An attacker bypasses JavaScript in seconds.
24. Input length limits are enforced. Names: 100 chars. Emails: 254 chars. URLs: 2048 chars. Prevent memory and storage abuse.
25. File uploads are validated. Check MIME type, file extension, and file size. Store outside the webroot. Generate random filenames.
26. HTML output is encoded. Use your framework's built-in escaping (React JSX, Django templates, Jinja2 autoescaping). Never use innerHTML with user data.
27. URLs in redirects are validated. Open redirect vulnerabilities let attackers redirect users to phishing sites using your domain.
28. JSON and XML parsers reject external entities. Disable XXE processing. Most modern parsers do this by default.

Database (29-34)

29. All queries use parameterized statements. No string concatenation in SQL. Ever. Use your ORM or prepared statements. See bobby-tables.com.
30. Database user has minimum privileges. The application's database account should not have DROP, CREATE, or GRANT permissions.
31. Database is not exposed to the internet. Bind to localhost or a private network. No public port 3306/5432/27017.
32. Default database credentials are changed. No root with no password. No postgres/postgres.
33. Sensitive data is encrypted at rest. Use database-level encryption (TDE) or application-level encryption for PII fields.
34. Database backups are encrypted and tested. An unencrypted backup is a data breach waiting to happen. Test restore procedures monthly.

API Security (35-40)

35. CORS is configured with specific origins. Never Access-Control-Allow-Origin: * with credentials. Specify allowed domains.
36. API authentication on every endpoint. No endpoints that assume "nobody will find this URL."
37. Rate limiting on all public endpoints. Prevent abuse, scraping, and brute force attacks.
38. Response bodies don't leak internal data. No stack traces, database column names, or file paths in error responses.
39. API versioning is in place. Breaking changes don't affect existing clients without notice.
40. Request size limits are enforced. Prevent request body abuse. Typically 1-10 MB depending on use case.

Deployment (41-46)

41. Debug mode is off in production. No DEBUG=True (Django), no app.debug = True (Flask), no verbose error pages.
42. Sensitive files are not accessible. .env, .git/, docker-compose.yml, package.json should return 404.
43. Admin panels are protected. Not accessible on the public URL. Use IP allowlisting, VPN, or a separate domain.
44. Dependencies are updated and audited. Run npm audit, pip audit, or your package manager's security check.
45. Secrets are in environment variables. Not in source code, not in config files committed to git. Use a secret manager.
46. Docker images use non-root users. USER node or USER appuser in your Dockerfile. Never run as root.

Monitoring (47-50)

47. Security events are logged. Login attempts, access denied, input validation failures, errors. Include timestamp, user, IP, action.
48. Logs are stored securely. Centralized logging (ELK, CloudWatch, Datadog). An attacker who compromises the app should not be able to delete logs.
49. Alerts are configured for anomalies. Spike in 403/401 errors, login failures from single IP, unusual data export patterns.
50. Regular security scans. Automated vulnerability scanning after every deployment. ismycodesafe.com covers 110 checks across SSL, headers, ports, OWASP paths, CVEs, SEO, and AI content detection. Free.