A website security audit does not require expensive tools, weeks of engagement, or a CISSP certification. The most impactful security issues -- missing headers, expired certificates, exposed admin panels, outdated software -- are detectable in 30 minutes using free tools and standard HTTP requests. This guide provides a structured checklist that covers the external attack surface of any website, organized into six phases that move from quick wins to deeper analysis.
This is not a penetration test. Every technique here uses passive observation or standard web requests. No vulnerability exploitation, no authenticated testing, no code review. Think of it as a health check from the outside -- the same view an attacker gets when they first encounter your site.
Phase 1: TLS Certificate Inspection (3 minutes)
TLS configuration is the foundation. A misconfigured certificate does not just create browser warnings -- it signals to attackers that the site's security posture is weak across the board.
```bash
# Inspect TLS certificate details
curl -vI https://example.com 2>&1 | grep -E "subject:|issuer:|expire|SSL"

# Decode the server (leaf) certificate from a live handshake
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
```

Check for: certificate expiration date (within 30 days is urgent), issuer (Let's Encrypt vs commercial CA -- not a security issue, but tells you about the organization), Subject Alternative Names (reveals other domains on the same cert), and protocol versions supported (TLS 1.0/1.1 should be disabled per NIST SP 800-52 Rev 2).
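As an added example (not part of the original guide), this Python function applies the 30-day rule to the text that the `openssl x509 -dates -ext subjectAltName` command above prints and pulls out the SAN list. The certificate text is constructed, and `now` can be passed in explicitly so the result is reproducible.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what `openssl x509 -noout -dates -ext subjectAltName` prints; not a real cert
SAMPLE_X509 = """notBefore=Jan 10 00:00:00 2025 GMT
notAfter=Apr  9 23:59:59 2025 GMT
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com, DNS:staging.example.com
"""

def parse_openssl_date(value):
    # openssl prints e.g. "Apr  9 23:59:59 2025 GMT" with a space-padded day; collapse the spaces
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def audit_certificate(text, now=None):
    """Apply the 30-day expiry rule and collect the SAN list from openssl's text output."""
    now = now or datetime.now(timezone.utc)
    dates = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", text, re.M))
    not_before = parse_openssl_date(dates["notBefore"])
    not_after = parse_openssl_date(dates["notAfter"])
    days_left = (not_after - now).days
    if now < not_before or now > not_after:
        status = "invalid"   # expired or not yet valid: browsers will warn
    elif days_left <= 30:
        status = "urgent"    # renew now; 30 days is the page's threshold
    else:
        status = "ok"
    sans = re.findall(r"DNS:([^,\s]+)", text)  # other hostnames sharing this certificate
    return {"status": status, "days_left": days_left, "sans": sans}

if __name__ == "__main__":
    print(audit_certificate(SAMPLE_X509, datetime(2025, 3, 20, tzinfo=timezone.utc)))
```

The `-dates` output says nothing about protocol versions; the check for the NIST rule is that `openssl s_client -tls1_1 -connect example.com:443` fails to negotiate.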
Phase 2: HTTP Security Headers (5 minutes)
Security headers are the single most impactful quick fix for web security. Most sites score an F. Each missing header represents a specific class of attack that is trivially preventable.
```bash
# Fetch all response headers
curl -sI https://example.com
```

| Header | Protects Against | Expected Value |
|---|---|---|
| Strict-Transport-Security | SSL stripping, downgrade attacks | max-age=31536000; includeSubDomains |
| Content-Security-Policy | XSS, code injection | Specific per application |
| X-Content-Type-Options | MIME sniffing | nosniff |
| X-Frame-Options | Clickjacking | DENY or SAMEORIGIN |
| Referrer-Policy | Information leakage | strict-origin-when-cross-origin |
| Permissions-Policy | Feature abuse (camera, mic, geo) | Restrict unused features |
Also check for headers that should NOT be present: Server (reveals web server software and version), X-Powered-By (reveals application framework), and X-AspNet-Version (reveals .NET version). These headers aid attackers without providing any user benefit.
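An added example, not from the original guide: this Python code parses raw `curl -sI` output and grades it against the table above, including the disclosure headers that should be absent. The response text is constructed, not captured from a real site, and the severities follow the scoring table later in the guide.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age threshold from the table above (seconds in a year)

# Constructed sample in the shape `curl -sI` prints; not captured from a real site
SAMPLE_RESPONSE = """HTTP/2 200
server: Apache/2.4.41 (Ubuntu)
x-powered-by: PHP/7.4.3
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-type-options: nosniff
"""

def parse_headers(raw):
    # Raw `curl -sI` output -> dict keyed by lower-cased name (header names are case-insensitive)
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(headers):
    # Returns (severity, finding) tuples for the checks in the table above; keys must be lower-cased
    findings = []
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append(("High", "HSTS missing or max-age shorter than one year"))
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("High", "Content-Security-Policy missing"))
    elif "'unsafe-inline'" in csp:
        findings.append(("High", "CSP allows 'unsafe-inline'"))
    expected = {  # header -> (severity, acceptable lower-cased values; stricter Referrer-Policy values also pass)
        "x-content-type-options": ("Medium", {"nosniff"}),
        "x-frame-options": ("Medium", {"deny", "sameorigin"}),
        "referrer-policy": ("Medium", {"strict-origin-when-cross-origin", "no-referrer", "same-origin"}),
    }
    for name, (sev, ok) in expected.items():
        value = headers.get(name, "").lower()
        if value not in ok:
            findings.append((sev, f"{name} missing or unexpected: {value or '<absent>'}"))
    if "permissions-policy" not in headers:
        findings.append(("Medium", "Permissions-Policy missing"))
    for leak in ("server", "x-powered-by", "x-aspnet-version"):  # should NOT be present
        if leak in headers:
            findings.append(("Medium", f"{leak} discloses software: {headers[leak]}"))
    return findings
```

To grade a live site, pipe the `curl -sI` output into `audit_headers(parse_headers(sys.stdin.read()))`.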
Phase 3: DNS and Email Security (5 minutes)
DNS records reveal infrastructure decisions. Email authentication records (SPF, DKIM, DMARC) protect against domain spoofing -- a primary phishing vector.
```bash
# Check SPF record
dig TXT example.com +short | grep "v=spf1"

# Check DMARC policy
dig TXT _dmarc.example.com +short

# Check DKIM (common selectors)
dig TXT google._domainkey.example.com +short
dig TXT selector1._domainkey.example.com +short
```

A domain with no SPF record, no DMARC record, or a DMARC policy set to p=none is vulnerable to email spoofing: anyone can send emails appearing to come from that domain. The Verizon 2025 DBIR reports the human element, of which phishing is a major component, as a factor in 60% of breaches -- proper email authentication is a critical defense.
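Added example, not the guide's own code: this evaluates SPF and DMARC records as `dig +short` prints them, classifying the qualifier on the SPF `all` mechanism and the DMARC `p=` tag the paragraph above describes. The TXT records are constructed, and the parser joins the multiple quoted chunks dig prints for long records.

```python
import re

# Constructed TXT records in the shape `dig TXT <name> +short` prints; not real lookups
SAMPLE_TXT = {
    "example.com": ['"v=spf1 include:_spf.google.com ~all"', '"google-site-verification=abc123"'],
    "_dmarc.example.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
}

def find_record(txts, prefix):
    # dig prints long TXT records as several quoted chunks on one line; join them before matching
    for txt in txts:
        value = "".join(re.findall(r'"([^"]*)"', txt)) or txt.strip()
        if value.lower().startswith(prefix):
            return value
    return None

def audit_spf(txts):
    spf = find_record(txts, "v=spf1")
    if spf is None:
        return ("High", "No SPF record: any host can send mail as this domain")
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", spf)  # qualifier on the final 'all' mechanism
    if m is None:
        return ("High", "SPF has no 'all' mechanism, so unlisted senders are not rejected")
    qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
    if qualifier == "-":
        return ("Pass", "SPF hard fail (-all)")
    if qualifier == "~":
        return ("Medium", "SPF soft fail (~all): receivers may tag but rarely reject")
    return ("High", f"SPF '{qualifier}all' permits any sender")

def audit_dmarc(txts):
    dmarc = find_record(txts, "v=dmarc1")
    if dmarc is None:
        return ("High", "No DMARC record: SPF/DKIM failures carry no enforced policy")
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc))
    policy = tags.get("p", "").strip().lower()
    if policy in ("quarantine", "reject"):
        return ("Pass", f"DMARC p={policy}")
    return ("High", f"DMARC p={policy or 'missing'}: spoofed mail is still delivered")

def audit_email_auth(records, domain):
    # Combines both checks for one domain; records maps DNS name -> list of TXT strings
    return {
        "spf": audit_spf(records.get(domain, [])),
        "dmarc": audit_dmarc(records.get(f"_dmarc.{domain}", [])),
    }
```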
Phase 4: Subdomain and Attack Surface Discovery (7 minutes)
The main website is rarely the most vulnerable asset. Forgotten staging servers, exposed admin panels, and legacy applications on subdomains are where breaches happen.
```bash
# Quick subdomain enumeration via Certificate Transparency
curl -s "https://crt.sh/?q=%.example.com&output=json" \
  | jq -r '.[].name_value' | sort -u | head -30
```

For each discovered subdomain, check: Does it resolve? Does it return an HTTP response? What is running on it? Is it a login page? Does it have the same security headers as the main site? Subdomains on shared hosting or cloud instances that are no longer in use create subdomain takeover risk.
Phase 5: Technology Fingerprinting (5 minutes)
Identifying the technology stack maps directly to known vulnerabilities. An outdated WordPress version, an unpatched Apache server, or an exposed phpMyAdmin instance are all discoverable without active scanning.
```bash
# Check server software and framework
curl -sI https://example.com | grep -iE "^(server|x-powered|x-generator|x-drupal)"

# Check for common exposed paths
curl -sI https://example.com/wp-login.php | head -1
curl -sI https://example.com/robots.txt | head -1
curl -sI https://example.com/.env | head -1
```

The robots.txt file frequently reveals directory structures that the site operator wanted to hide from search engines (but not from attackers). The .env check is critical -- exposed environment files containing API keys and database credentials remain one of the most common misconfigurations, per OWASP Top 10 2021 (A05: Security Misconfiguration).
Phase 6: Threat Intelligence Check (5 minutes)
Verify whether the site's IP address or domain appears in any threat intelligence feeds. A site hosting malware, participating in phishing campaigns, or running a compromised server will often appear in public blacklists before the operator discovers the compromise.
```bash
# Check IP reputation via Shodan InternetDB
curl -s "https://internetdb.shodan.io/$(dig +short example.com | head -1)"

# Check domain reputation via AlienVault OTX
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/example.com/general" \
  | jq '{pulses: .pulse_info.count, reputation: .reputation}'
```

Scoring Your Audit
| Check | Pass | Fail | Weight |
|---|---|---|---|
| Valid TLS, TLS 1.2+ only | Current cert, no legacy protocols | Expired, TLS 1.0/1.1 enabled | Critical |
| HSTS enabled | max-age >= 1 year | Missing or short max-age | High |
| CSP configured | Specific policy, no unsafe-inline | Missing or overly permissive | High |
| X-Content-Type-Options | nosniff | Missing | Medium |
| SPF + DMARC configured | SPF restrictive, DMARC p=quarantine/reject | Missing or p=none | High |
| No version disclosure | Server/X-Powered-By stripped | Software versions visible | Medium |
| No exposed admin panels | Admin behind VPN/IP whitelist | Public /admin, /wp-admin, etc. | Critical |
| No exposed .env or config files | 404 on sensitive paths | 200 on .env, .git, etc. | Critical |
| Clean threat intel reputation | No appearances in threat feeds | Flagged in multiple feeds | High |
MAGO runs all six phases of this audit automatically. Enter a domain and receive a structured security assessment covering TLS, headers, DNS, subdomains, technology stack, and threat intelligence -- graded and prioritized. What takes 30 minutes manually takes seconds with automation. Run a free security audit.
What to Do with Your Findings
Prioritize by exploitability and impact:
- Immediate (fix today): Exposed .env files, expired certificates, publicly accessible admin panels, exposed databases
- Urgent (fix this week): Missing HSTS, no CSP, DMARC set to none, outdated software with known critical CVEs
- Important (fix this month): Version disclosure headers, missing minor security headers, SPF without hard fail
- Maintenance (ongoing): Regular subdomain audits, continuous certificate monitoring, threat feed checking
For organizations that need to audit multiple websites or maintain continuous visibility, an attack surface management program automates this checklist across the entire domain portfolio. The IBM Cost of a Data Breach 2025 report found that organizations with mature security posture management reduced breach costs by $1.9M on average.
Sources:
- OWASP Top 10 2021: A05 Security Misconfiguration, A02 Cryptographic Failures.
- NIST SP 800-52 Rev 2: Guidelines for TLS Implementations.
- Verizon 2025 DBIR: phishing in 60% of human-element breaches.
- IBM Cost of a Data Breach 2025: $4.44M average, security AI saves $1.9M.
- Mozilla Observatory: HTTP header grading methodology.