
Security Audit Checklist for Web Applications

A comprehensive security review checklist covering authentication, data protection, infrastructure, and compliance requirements.

Lisa Patel Aug 1, 2025 10 min read
Security Audit Checklist Web Security Compliance

A security audit is a systematic review of your application's security posture. At Vaarak, we conduct security audits for every client project before production launch and quarterly thereafter. The checklist below covers the core items from the 50+ we review across seven categories. Use it as a starting point for your own security program.

A security audit is not a one-time event — it's a regular practice that evolves with your application

Authentication and Session Management

  • Passwords hashed with a salted, deliberately slow algorithm: bcrypt, scrypt or Argon2id (never plain MD5/SHA-1, and never unsalted)
  • Multi-factor authentication available to all users and enforced for admin accounts
  • Session tokens generated from a CSPRNG, sufficiently long (128+ bits), and stored in HttpOnly, Secure, SameSite cookies
  • Session timeout after inactivity (15-30 min for sensitive apps) and an absolute lifetime after which re-authentication is required
  • Rate limiting per IP and per account, with temporary lockout or progressive delays after N failed attempts (permanent lockout lets an attacker lock legitimate users out by design)
  • Password reset tokens are single-use, time-limited (1 hour), stored only as a hash, and invalidated once used or superseded by a newer reset request
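The hashing and reset-token items above are the two places where audits most often find secrets stored in a replayable form. The following TypeScript is an added example, not code from the original post or from Vaarak: it uses only Node's built-in crypto module, with scrypt (one of the three listed algorithms) for passwords and a reset-token store that keeps only a SHA-256 digest of each token. The scrypt cost parameters, the one-hour TTL and the in-memory Map standing in for a database are assumptions chosen for illustration.

```typescript
// Added example (not from the original post): scrypt password hashing and
// single-use, time-limited password-reset tokens, Node built-in crypto only.
import { randomBytes, scryptSync, timingSafeEqual, createHash } from 'crypto';

// Assumed scrypt cost: N=2^15, r=8, p=1 needs 128*N*r = 32 MiB per hash.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const KEY_LEN = 32;

// Stored form is self-describing (scrypt$N$r$p$salt$hash, base64url), so the
// cost can be raised later without invalidating hashes already in the DB.
export function hashPassword(password: string): string {
  const salt = randomBytes(16); // fresh random salt per password
  const key = scryptSync(password, salt, KEY_LEN, SCRYPT);
  return ['scrypt', SCRYPT.N, SCRYPT.r, SCRYPT.p,
    salt.toString('base64url'), key.toString('base64url')].join('$');
}

export function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [, n, r, p, saltB64, hashB64] = parts;
  if (![n, r, p].every((x) => /^\d+$/.test(x))) return false;
  const expected = Buffer.from(hashB64, 'base64url');
  if (expected.length !== KEY_LEN) return false;
  try {
    const actual = scryptSync(password, Buffer.from(saltB64, 'base64url'), KEY_LEN,
      { N: Number(n), r: Number(r), p: Number(p), maxmem: SCRYPT.maxmem });
    // Constant-time comparison so a mismatch does not leak where it occurred.
    return timingSafeEqual(actual, expected);
  } catch {
    return false; // malformed parameters (e.g. N not a power of two)
  }
}

const RESET_TOKEN_TTL_MS = 60 * 60 * 1000; // 1 hour, as in the checklist

interface ResetRecord { userId: string; expiresAt: number }

// Only the SHA-256 of each token is persisted: a leaked table of reset
// records cannot be turned into working reset links. The Map is an assumed
// stand-in for the real database table; `now` is injectable for testing.
export class PasswordResetTokens {
  private readonly records = new Map<string, ResetRecord>();
  private readonly now: () => number;

  constructor(now: () => number = Date.now) {
    this.now = now;
  }

  private static digest(token: string): string {
    return createHash('sha256').update(token).digest('hex');
  }

  // Issues a fresh 256-bit token. Any earlier outstanding token for the same
  // user is revoked, so only the most recent reset link works.
  issue(userId: string): string {
    for (const [key, rec] of this.records) {
      if (rec.userId === userId) this.records.delete(key);
    }
    const token = randomBytes(32).toString('base64url');
    this.records.set(PasswordResetTokens.digest(token),
      { userId, expiresAt: this.now() + RESET_TOKEN_TTL_MS });
    return token;
  }

  // Returns the userId on success and burns the token. Unknown, expired or
  // already-used tokens all yield null; the record is deleted on first
  // presentation whether or not it was still valid.
  consume(token: string): string | null {
    const key = PasswordResetTokens.digest(token);
    const rec = this.records.get(key);
    if (!rec) return null;
    this.records.delete(key);
    return rec.expiresAt > this.now() ? rec.userId : null;
  }
}
```

The reset flow that uses this store should respond identically whether or not the e-mail address exists, and should rotate the user's session on a successful password change; both are outside this snippet.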

Authorization and Access Control

  • Every API endpoint has explicit authorization checks (not just authentication)
  • RBAC or ABAC implemented server-side — never trust client-side role checks
  • Direct object references are validated: look the object up first, then check that the caller owns it or was explicitly granted access, rather than trusting an ID from the request
  • Admin endpoints are on a separate path/domain with additional authentication
  • API keys have scoped permissions (read-only, write, admin) and expiration dates
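The pattern behind the five items above is a single server-side decision that combines the caller's role, the credential's scope and ownership of the specific object. The TypeScript below is an added example, not code from the original post or Vaarak's own framework: the roles, scopes, the invoice resource and the in-memory maps are assumptions for illustration.

```typescript
// Added example (not from the original post): server-side authorization that
// checks role, credential scope AND per-object ownership, plus scoped,
// expiring API keys. Roles, scopes and the resource model are assumed.
export type Role = 'user' | 'support' | 'admin';
export type Scope = 'read' | 'write' | 'admin';
export type Action = 'read' | 'update' | 'delete';

export interface Principal { id: string; role: Role; scopes: Scope[] }
export interface Invoice { id: string; ownerId: string }
export interface ApiKey {
  id: string; userId: string; scopes: Scope[]; expiresAt: number; revoked: boolean;
}

// Which credential scope each action requires.
const ACTION_SCOPE: Record<Action, Scope> = { read: 'read', update: 'write', delete: 'write' };

// Deny unless both hold: the credential is scoped for the action, and this
// caller may touch this particular object. Never derived from client input.
export function authorize(p: Principal, action: Action, invoice: Invoice): boolean {
  const needed = ACTION_SCOPE[action];
  if (!p.scopes.includes(needed) && !p.scopes.includes('admin')) return false;
  if (p.role === 'admin') return true;
  if (p.role === 'support') return action === 'read'; // may read any invoice, change none
  return invoice.ownerId === p.id; // plain users: own resources only (IDOR guard)
}

// Resolve an API key into a Principal. Expired or revoked keys never
// authenticate, and the key's scopes cap what the principal can do.
export function principalFromApiKey(
  key: ApiKey | undefined, users: Map<string, Role>, now = Date.now(),
): Principal | null {
  if (!key || key.revoked || key.expiresAt <= now) return null;
  const role = users.get(key.userId);
  if (!role) return null;
  return { id: key.userId, role, scopes: key.scopes };
}

// Handler shape: authenticate, fetch the object, then authorize against it.
// Returns an HTTP status; 404 is used for both "missing" and "forbidden" so
// the endpoint cannot be used to enumerate which invoice IDs exist.
export function handleInvoiceRequest(
  p: Principal | null, action: Action, invoiceId: string, db: Map<string, Invoice>,
): number {
  if (!p) return 401;
  const inv = db.get(invoiceId);
  if (!inv || !authorize(p, action, inv)) return 404;
  return 200; // perform the action here
}
```

The important property is that `authorize` receives the object fetched from the database, not the ID from the URL, so the ownership check cannot be bypassed by guessing identifiers.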

Data Protection

  • All data encrypted in transit (TLS 1.2+ mandatory, TLS 1.3 preferred)
  • Sensitive data encrypted at rest (database, file storage, backups)
  • PII (personally identifiable information) identified and classified
  • Data retention policies defined and enforced (auto-delete after retention period)
  • Database backups encrypted and stored in a separate region
  • No secrets in source code, logs, or error messages
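Two of the items above (encryption at rest, no secrets in logs) are mechanical enough to show in code. The TypeScript below is an added example, not code from the original post or from Vaarak: it encrypts individual sensitive fields with AES-256-GCM from Node's built-in crypto, binds each ciphertext to its row and column through the authenticated additional data, and redacts secret fields before a record is logged. The key identifier, the in-memory key map standing in for a KMS, the field names and the sample record are all assumptions.

```typescript
// Added example (not from the original post): field-level encryption at rest
// with AES-256-GCM, key-id tagging for rotation, and log redaction. The KEYS
// map is an assumed stand-in for a KMS/HSM; never keep real keys in source.
import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';

const KEY_ID = 'k-2025-08'; // assumed key identifier used for rotation
const KEYS = new Map<string, Buffer>([[KEY_ID, randomBytes(32)]]);

// Ciphertext format: keyId.iv.tag.ciphertext (all base64url). Tagging the key
// id lets old rows decrypt after rotation. `aad` (e.g. "table.column:rowId")
// is authenticated but not encrypted, so a value copied into another record
// fails to decrypt there.
export function encryptField(plaintext: string, aad: string, keyId = KEY_ID): string {
  const key = KEYS.get(keyId);
  if (!key) throw new Error(`unknown key ${keyId}`);
  const iv = randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [keyId, iv.toString('base64url'), cipher.getAuthTag().toString('base64url'),
    ct.toString('base64url')].join('.');
}

// Returns null for any failure: unknown key, wrong AAD, or modified bytes,
// all of which surface as a GCM authentication-tag mismatch.
export function decryptField(blob: string, aad: string): string | null {
  const parts = blob.split('.');
  if (parts.length !== 4) return null;
  const [keyId, ivB64, tagB64, ctB64] = parts;
  const key = KEYS.get(keyId);
  if (!key) return null;
  try {
    const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(ivB64, 'base64url'));
    decipher.setAAD(Buffer.from(aad));
    decipher.setAuthTag(Buffer.from(tagB64, 'base64url'));
    return Buffer.concat([
      decipher.update(Buffer.from(ctB64, 'base64url')), decipher.final(),
    ]).toString('utf8');
  } catch {
    return null;
  }
}

// Fields that must never reach logs or error messages (assumed list).
const SECRET_KEYS = new Set(['password', 'token', 'ssn', 'cardNumber', 'authorization']);

// Shallow copy of a record with secret fields replaced; log this, not the original.
export function redact(obj: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(obj)) {
    out[k] = SECRET_KEYS.has(k) ? '[REDACTED]' : v;
  }
  return out;
}
```

Backups of the table contain the same ciphertext, so the "backups encrypted" item is satisfied for these columns as long as the backup never includes the key material itself.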

HTTP Security Headers

middleware/security-headers.ts
// Essential security headers for every response
export const securityHeaders: Record<string, string> = {
  // Two years. Only add `preload` once every subdomain serves HTTPS:
  // removal from the browser preload lists takes months.
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',  // Legacy clients; frame-ancestors below covers CSP-aware browsers
  'X-XSS-Protection': '0',  // Disabled: the legacy filter caused its own leaks, CSP replaces it
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy': [
    "default-src 'self'",
    "script-src 'self'",
    "style-src 'self' 'unsafe-inline'",  // Tighten to nonces/hashes once inline styles are gone
    "img-src 'self' data: https:",       // https: allows any origin; narrow to your CDN if you can
    "font-src 'self'",
    "connect-src 'self' https://api.example.com",
    "frame-ancestors 'none'",
    "object-src 'none'",  // No Flash/plugin embeds
    "base-uri 'self'",    // Blocks <base> injection that would redirect relative script URLs
  ].join('; '),
};

// Framework-agnostic: works with anything that exposes setHeader (Express, Node http)
export function applySecurityHeaders(res: { setHeader(name: string, value: string): void }): void {
  for (const [name, value] of Object.entries(securityHeaders)) {
    res.setHeader(name, value);
  }
}

Infrastructure Security

  • Network segmentation: database and internal services not accessible from the internet
  • WAF (Web Application Firewall) deployed in front of public endpoints
  • Container images scanned for vulnerabilities in CI/CD pipeline
  • Dependency vulnerabilities monitored and patched within SLA (critical: 24h, high: 7 days)
  • Access to production systems requires VPN + MFA with audit logging

This checklist is a starting point, not a comprehensive security program. Supplement it with regular penetration testing (annually at minimum), automated security scanning in CI/CD, and threat modeling for new features. Security is a continuous practice, not a one-time audit.

Security is not just a technical concern; it is a business requirement. A data breach costs an average of $4.45M (IBM Cost of a Data Breach Report 2023), not counting reputational damage. A thorough security program costs a fraction of that and pays for itself by preventing the first incident.


Lisa Patel

Security Engineering Lead