Does this replace a professional penetration test?

No. It is a structured self-review checklist that helps you catch common, high-impact issues before a formal test. A pentest by a qualified third party still adds adversarial depth, especially for high-risk systems handling money or health data.

What is the OWASP Top 10?

The OWASP Top 10 is a regularly updated list of the most critical web application security risks — including broken access control, injection, cryptographic failures, and vulnerable components. The checklist maps its categories to concrete things to verify in your app.

How do I check for SQL injection?

Confirm every database query uses parameterized statements or an ORM rather than string concatenation, then test inputs with characters like a single quote to ensure they are treated as data, not code. Any query built by concatenating user input is a finding.

What is the difference between XSS and CSRF?

XSS injects malicious script into pages other users view, usually from unescaped input. CSRF tricks an authenticated user's browser into making an unwanted request. The fixes differ: output encoding and a content security policy for XSS, anti-CSRF tokens and SameSite cookies for CSRF.

How often should I run this audit?

Run it before any major release and at least quarterly, plus whenever you add authentication, payment, or data-export features. Also re-check dependencies continuously, since new CVEs in libraries appear constantly.

Security Audit Checklist Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

A security checklist mapped to the risks that actually get exploited

Most breaches trace back to a short list of recurring mistakes: broken access control, injection, weak transport, leaked secrets, and outdated dependencies. This builder turns the OWASP Top 10 and adjacent best practice into a concrete, checkable list tailored to whether you are auditing a web app, an API, or both.

How it works

You choose the application type and toggle the focus areas relevant to your system. The tool assembles a Markdown checklist of verifiable items grouped by category — authentication and session management, access control, input validation and injection, XSS and output encoding, CSRF, transport security and TLS, secrets management, security headers, logging, and dependency/CVE hygiene. Each item is phrased as something you can confirm or mark as a finding, so the output doubles as your audit worksheet.

Tips and example

Treat every database query as a potential injection point: confirm it is parameterized, e.g. WHERE id = $1, never built with string concatenation.
Verify access control on the server for every endpoint — never rely on the UI hiding a button to enforce authorization.
Run a dependency scanner (e.g. npm audit, Snyk) in CI and fail the build on critical CVEs.
Confirm secrets live in environment variables or a vault, never in source control or client-side bundles.