The Complete Website Security Checklist for UK SMEs (2026)
A practical, step-by-step website security checklist covering headers, TLS, DMARC, cookies, and exposed paths. Built for UK small businesses.
Cybercrime costs UK businesses over £27 billion each year, and small and medium-sized enterprises bear a disproportionate share. Yet most SMEs assume they are too small to be targeted. The reality is that automated bots scan millions of websites daily, looking for low-hanging fruit: missing headers, outdated TLS, exposed admin paths, and insecure cookies.
This checklist gives you a concrete, non-technical starting point. Work through each section, tick off what you have, and fix what you do not. Or run a free NullShield scan and let our AI audit everything in under two minutes.
1. HTTP Security Headers
Security headers are instructions your server sends to every browser that visits your site. They control what the browser is allowed to do, and missing headers are one of the most common vulnerabilities we find in NullShield scans.
- Content-Security-Policy (CSP) — Limits which scripts, styles, and resources can load on your page. Without it, attackers can inject malicious scripts (cross-site scripting, or XSS).
- Strict-Transport-Security (HSTS) — Forces browsers to only connect over HTTPS. Set `max-age=31536000; includeSubDomains` at minimum.
- X-Content-Type-Options — Set to `nosniff` to prevent MIME-type confusion attacks.
- X-Frame-Options — Set to `DENY` or `SAMEORIGIN` to prevent your site being embedded in malicious iframes (clickjacking).
- Referrer-Policy — Controls how much URL information is shared when users navigate away. Use `strict-origin-when-cross-origin`.
- Permissions-Policy — Restricts access to browser features like camera, microphone, and geolocation.
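A small checker for the six headers above, written as an added example (it is not NullShield's scanner): it takes the response headers as a dict and returns one finding per missing or weak header, using the minimum values given in the list. The sample header sets are constructed.

```python
# Added example (not NullShield's code): audit a dict of HTTP response headers
# against the checklist above. Sample headers below are constructed.
from typing import Dict, List

MIN_HSTS_AGE = 31536000  # the minimum max-age recommended above (one year)

def hsts_directives(value: str) -> Dict[str, str]:
    # 'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}
    out = {}
    for d in value.split(";"):
        k, _, v = d.strip().partition("=")
        out[k.lower()] = v.strip()
    return out

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing: injected scripts (XSS) are not limited")
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing: plain HTTP connections still allowed")
    else:
        d = hsts_directives(h["strict-transport-security"])
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age is {max_age}; set at least {MIN_HSTS_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains can still be downgraded")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff to stop MIME sniffing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN to prevent clickjacking")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy should be strict-origin-when-cross-origin")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing: camera, microphone, geolocation unrestricted")
    return findings

# Constructed samples: a weak default response and one that passes every check.
SAMPLE_WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300",
               "X-Frame-Options": "ALLOWALL"}
SAMPLE_GOOD = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

Feed it the headers from any HTTP client's response object (for example `dict(resp.headers)`) to re-check a site after each deployment.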
2. TLS / SSL Configuration
HTTPS is no longer optional. Google penalises non-HTTPS sites in search rankings, and browsers show "Not Secure" warnings. But simply having a certificate is not enough.
- TLS 1.2 or 1.3 only — Disable TLS 1.0 and 1.1 (deprecated since 2020). TLS 1.3 is faster and more secure.
- Strong cipher suites — Avoid RC4, 3DES, and export-grade ciphers. Prefer AES-GCM and ChaCha20.
- Certificate validity — Ensure your certificate is not expired and covers all subdomains you use.
- OCSP stapling — Improves connection speed and privacy by including certificate status in the TLS handshake.
- HSTS preloading — Submit your domain to the HSTS preload list so browsers enforce HTTPS before the first visit.
3. Email Authentication (DMARC, SPF, DKIM)
Your domain can be spoofed to send phishing emails that look like they come from your business. This is not just a reputational risk — it is a compliance issue under GDPR and Cyber Essentials.
- SPF record — Lists which mail servers are authorised to send email for your domain.
- DKIM — Adds a cryptographic signature to outgoing emails to prove they have not been tampered with.
- DMARC — Ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication. Start with `p=none` (monitor), then move to `p=quarantine` or `p=reject`.
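To see what the `p=` progression means in practice, here is an added example (not NullShield's code) that parses a DMARC TXT record and an SPF record and reports whether either actually enforces anything. The `example.com` records are constructed.

```python
# Added example (not NullShield's code): parse DMARC and SPF TXT records and
# report whether they enforce anything. The records below are constructed.
from typing import Dict, List

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_dmarc(record: str) -> List[str]:
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["No valid DMARC record (missing v=DMARC1): spoofed mail is not checked"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered. Move to p=quarantine, then p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"Unknown or missing policy tag p={policy!r}")
    if "rua" not in tags:
        findings.append("No rua= address: you get no aggregate reports showing who sends as your domain")
    pct = tags.get("pct", "100")  # DMARC default is 100
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    return findings

def audit_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["No SPF record: any server can claim to send for this domain"]
    last = terms[-1].lower()  # the final 'all' mechanism decides unknown senders
    if last in ("+all", "all"):
        return ["SPF ends in +all: every sender passes SPF, so spoofed mail is authorised"]
    if last == "?all":
        return ["SPF ends in ?all (neutral): no sender is ever rejected"]
    if last not in ("-all", "~all"):
        return ["SPF has no terminating all mechanism; unknown senders are treated as neutral"]
    return []

# Constructed records: a domain that has just started monitoring, and one that enforces.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
SPF_GOOD = "v=spf1 include:_spf.example.com -all"
SPF_OPEN = "v=spf1 include:_spf.example.com +all"
```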
4. Cookie Security
Cookies store session tokens, user preferences, and tracking data. Misconfigured cookies are a direct route to session hijacking.
- Secure flag — Ensures cookies are only sent over HTTPS connections.
- HttpOnly flag — Prevents JavaScript from reading the cookie, blocking XSS-based session theft.
- SameSite attribute — Set to `Strict` or `Lax` to prevent cross-site request forgery (CSRF).
- Session expiry — Set reasonable expiration times. Avoid persistent sessions that never expire.
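The four cookie checks above, as an added example (not NullShield's code) that takes a raw `Set-Cookie` value and returns findings. The one-week `MAX_SESSION_SECONDS` ceiling is an assumption standing in for "reasonable expiration times", and the sample cookies are constructed.

```python
# Added example (not NullShield's code): parse one Set-Cookie header value and
# flag missing Secure/HttpOnly/SameSite attributes and over-long lifetimes.
from typing import List

MAX_SESSION_SECONDS = 7 * 24 * 3600  # assumed ceiling for a session cookie: one week

def audit_set_cookie(header_value: str) -> List[str]:
    """Return findings for e.g. 'sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0] if parts and parts[0] else "<unnamed>"
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")  # flags like Secure have no value
        attrs[k.strip().lower()] = v.strip()
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, readable by injected JavaScript")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        if samesite == "none":
            findings.append(f"{name}: SameSite=None allows cross-site sending; use Lax or Strict")
        else:
            findings.append(f"{name}: no SameSite attribute, may be sent on cross-site requests")
    # Only Max-Age is checked here; an Expires date would need a date parser as well.
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit() and int(max_age) > MAX_SESSION_SECONDS:
        findings.append(f"{name}: Max-Age of {max_age}s exceeds the {MAX_SESSION_SECONDS}s ceiling")
    return findings

# Constructed samples: one good session cookie, one bare default, one long-lived cross-site cookie.
SAMPLE_COOKIES = [
    "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "sid=3f9a1c; Path=/",
    "remember=1; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=31536000",
]
```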
5. Exposed Paths and Files
Automated scanners check for files and directories that should never be publicly accessible. These are among the easiest vulnerabilities to exploit — and the easiest to fix.
- .env files — Contain database passwords, API keys, and secrets. Never serve these publicly.
- .git directory — Exposes your entire source code history, including credentials committed by mistake.
- wp-admin, /admin, /dashboard — Admin panels should be IP-restricted or protected with multi-factor authentication.
- Backup files (.bak, .sql, .zip) — Old backups left on the server can contain complete database dumps.
- phpinfo.php, server-status — Debug and status pages reveal server configuration to attackers.
6. Content and Application Security
- Input validation — Validate and sanitise all user input on both client and server side. This prevents SQL injection and XSS.
- Rate limiting — Protect login forms and API endpoints from brute-force attacks.
- Error handling — Never expose stack traces or database errors to users. Use generic error pages in production.
- Software updates — Keep your CMS, plugins, frameworks, and server software up to date. Known vulnerabilities in outdated software are the most exploited attack vector.
7. Regular Scanning and Monitoring
Security is not a one-time task. New vulnerabilities emerge daily, and configuration changes can inadvertently expose your site.
- Run automated security scans at least monthly — weekly for business-critical sites.
- Monitor your security headers and TLS configuration for regressions after deployments.
- Set up alerts for certificate expiry, DNS changes, and new vulnerability disclosures affecting your tech stack.
Check your website against this entire list in 2 minutes
NullShield scans every item on this checklist automatically and gives you a plain-English report with fix instructions.