Most small businesses don’t get breached because of zero-day exploits. They get breached because of expired certificates, missing security headers, or DNS records that haven’t been reviewed in two years.
The good news: the 10 checks below take less than an hour to run manually — and under 60 seconds with an automated scanner. Each one maps to real-world attack vectors and regulatory requirements (NIS2, ISO 27001).
Here’s what to check, why it matters, and how to fix it.
1. HTTPS Everywhere — No Exceptions
What to check: Every page on your domain loads over HTTPS. HTTP requests redirect to HTTPS automatically (301 or 308).
Why it matters: Unencrypted HTTP exposes login credentials, customer data, and session tokens to anyone on the same network. Google also penalizes HTTP-only sites in search rankings.
How to fix it:
- Enable “Always Use HTTPS” in your CDN or hosting provider (Cloudflare, AWS CloudFront, Vercel)
- Verify with `curl -I http://yourdomain.com` — expect a 301/308 redirect to `https://`
Regulatory link: NIS2 Article 21.2h (cryptography and encryption), ISO 27001 Annex A.8.24
2. TLS Certificate Health
What to check: Your TLS certificate is valid, not expiring within 30 days, and uses TLS 1.2 or higher. TLS 1.0 and 1.1 should be disabled.
Why it matters: An expired certificate breaks your entire site for every visitor. TLS 1.0/1.1 have known vulnerabilities (BEAST, POODLE) that attackers actively exploit. Enterprise buyers will reject vendors running outdated TLS.
How to fix it:
- Set up certificate auto-renewal (Let’s Encrypt, Cloudflare)
- Disable TLS 1.0/1.1 in your server or CDN configuration
- Test at SSL Labs — aim for grade A or B
3. DNS Configuration
What to check: SPF, DKIM, and DMARC records are configured for your email domain. No duplicate or conflicting DNS records exist.
Why it matters: Without SPF/DKIM/DMARC, attackers can send emails that appear to come from your domain — targeting your customers, partners, or employees. This is the #1 vector for business email compromise (BEC), which cost companies $2.9 billion in 2023 (FBI IC3 report).
How to fix it:
- Add SPF: `v=spf1 include:_spf.google.com ~all` (adjust for your email provider)
- Configure DKIM through your email provider’s admin panel
- Add DMARC: `v=DMARC1; p=quarantine; rua=mailto:[email protected]`
| Record | Purpose | Without It |
|---|---|---|
| SPF | Declares which servers can send email for your domain | Spoofing is trivial |
| DKIM | Cryptographically signs outgoing emails | Recipients can’t verify authenticity |
| DMARC | Tells receiving servers what to do with failed SPF/DKIM | No enforcement, no reporting |
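The record assessment a scanner performs for this check, written as an added example for this article (not SaaSFort code or any email provider's); the SPF and DMARC strings and the `example.com` reporting address are constructed samples, so it runs offline without a DNS lookup.

```python
# Added example (not from the original article): grade SPF and DMARC TXT records
# the way a scanner would, using constructed sample records instead of live DNS.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"


def assess_spf(record):
    """Return a list of findings for an SPF record; an empty list means it passes."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any server can send mail as your domain"]
    mechanisms = record.split()[1:]
    # The terminating 'all' mechanism decides the fate of every unlisted sender.
    last = mechanisms[-1].lower() if mechanisms else ""
    if last in ("all", "+all"):
        return ["'+all' authorises every sender on the internet; use ~all or -all"]
    if last not in ("~all", "-all"):
        return ["no terminating ~all/-all: unlisted senders get a neutral result"]
    return []


def assess_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means it passes."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: failed SPF/DKIM is neither enforced nor reported"]
    tags = {}
    for part in record.split(";"):          # DMARC is a ';'-separated tag=value list
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; move to p=quarantine or p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers apply no policy")
    if not tags.get("rua"):
        findings.append("no rua= address: you will never see aggregate reports")
    return findings


if __name__ == "__main__":
    for label, rec, check in (("SPF", SAMPLE_SPF, assess_spf), ("DMARC", SAMPLE_DMARC, assess_dmarc)):
        issues = check(rec)
        print(f"{label}: {'PASS' if not issues else 'FAIL'} {issues}")
```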
4. HTTP Security Headers
What to check: Your web server returns these six headers on every response:
| Header | What It Prevents |
|---|---|
| Strict-Transport-Security (HSTS) | Downgrade attacks from HTTPS to HTTP |
| X-Content-Type-Options: nosniff | MIME-type sniffing attacks |
| X-Frame-Options: DENY | Clickjacking via iframe embedding |
| Content-Security-Policy | Cross-site scripting (XSS), data injection |
| Referrer-Policy | Leaking sensitive URLs to third parties |
| Permissions-Policy | Unauthorized access to camera, microphone, geolocation |
Why it matters: These headers are free to implement and block entire categories of attacks. BSI and NIS2 auditors specifically look for them. Missing headers signal a lack of security maturity to enterprise buyers.
How to fix it: Add headers in your web server config (nginx, Apache), CDN settings, or application middleware. Most can be added in under 10 minutes.
5. Open Ports and Attack Surface
What to check: Only ports 80 (HTTP) and 443 (HTTPS) are open to the internet. No database ports (3306, 5432, 27017), admin panels, or debug endpoints are exposed.
Why it matters: Every open port is an entry point. Exposed database ports are the most common cause of mass data breaches in SMBs. Shodan indexes these in real time — attackers don’t need to scan, they just search.
How to fix it:
- Run `nmap yourdomain.com` to see what’s exposed
- Close unnecessary ports in your firewall or security group
- Move admin interfaces behind VPN or IP allowlists
6. Cookie Security Flags
What to check: Session cookies use Secure, HttpOnly, and SameSite=Strict (or Lax) flags.
Why it matters: Without these flags, session cookies can be stolen via XSS attacks, sent over unencrypted connections, or exploited through cross-site request forgery (CSRF). A stolen session cookie gives an attacker full access to a user’s account.
How to fix it: Set cookie attributes in your application framework:
- `Secure` — cookie only sent over HTTPS
- `HttpOnly` — not accessible via JavaScript
- `SameSite=Strict` — not sent with cross-origin requests
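Checks 4 and 6 can be verified from a single response: the parser below, added here as an example and not part of the original article or any scanner product, reads a constructed `curl -I`-style response and reports which of the six security headers are absent and which cookies lack the three flags.

```python
# Added example (not from the original article): parse a raw HTTP response and report
# missing security headers (check 4) and weak session-cookie flags (check 6).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
    "referrer-policy",
    "permissions-policy",
)

# Constructed response shaped like `curl -I https://yourdomain.com` output; not from a real server.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw):
    """Return (lower-cased name, value) pairs; repeated names such as Set-Cookie are all kept."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def missing_security_headers(raw):
    """List the required headers the response does not set, in checklist order."""
    present = {name for name, _ in parse_headers(raw)}
    return [h for h in REQUIRED_HEADERS if h not in present]


def weak_cookies(raw):
    """Map each cookie name to the flags it lacks (Secure, HttpOnly, SameSite=Strict/Lax)."""
    weak = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): p for p in parts[1:]}  # attribute name -> raw text
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        samesite = attrs.get("samesite", "").split("=", 1)[-1].lower()
        if samesite not in ("strict", "lax"):
            missing.append("SameSite=Strict or Lax")
        if missing:
            weak[cookie_name] = missing
    return weak
```

Pipe the headers of your own site through the same functions to get the per-header and per-cookie gaps that the remediation steps above ask you to close.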
7. Dependency Vulnerabilities
What to check: Your application dependencies (npm, pip, Maven, Go modules) have no known critical or high-severity CVEs.
Why it matters: 84% of codebases contain at least one known vulnerability in their open-source dependencies (Synopsys 2024 OSSRA report). Supply chain attacks are now the fastest-growing attack vector — a single compromised package can expose every customer.
How to fix it:
- Run `npm audit`, `pip-audit`, or `trivy fs .` in your CI pipeline
- Enable Dependabot or Renovate for automatic dependency updates
- Block merges with critical CVEs in your CI/CD pipeline
Regulatory link: NIS2 Article 21.2d (supply chain security), ISO 27001 Annex A.8.28
8. Access Control and MFA
What to check: All admin accounts use multi-factor authentication (MFA). No shared credentials exist. Former employees have been deprovisioned.
Why it matters: Compromised credentials cause 61% of data breaches (Verizon DBIR 2024). MFA blocks 99.9% of automated credential-stuffing attacks. NIS2 Article 21 explicitly requires MFA implementation.
How to fix it:
- Enforce MFA on all admin and infrastructure accounts (AWS, GitHub, Google Workspace, Stripe)
- Audit user lists quarterly — remove access within 24 hours of offboarding
- Use SSO where possible to centralize access control
9. Backup and Recovery Verification
What to check: Automated backups run daily. You’ve tested a restore within the last 90 days. Backups are stored in a separate location from production.
Why it matters: Ransomware attacks against SMBs increased 150% in 2024 (Sophos). If your backups are on the same infrastructure as production, ransomware encrypts both. Untested backups fail 37% of the time when you need them most.
How to fix it:
- Automate daily backups with your cloud provider (RDS snapshots, Cloud SQL backups)
- Store backups in a different region or provider
- Schedule a quarterly restore test — document the result
Regulatory link: NIS2 Article 21.2c (business continuity and backup management)
10. Incident Response Plan
What to check: A written incident response plan exists. It names who to call, what to do in the first 60 minutes, and how to notify affected parties. At least one person has read it in the last 6 months.
Why it matters: NIS2 requires “significant incidents” to be reported to the national CSIRT within 24 hours (initial notification) and 72 hours (full report). Without a plan, your first incident response will be chaos — and the regulatory clock starts immediately.
How to fix it:
- Write a 1-2 page plan covering: detection → containment → eradication → recovery → notification
- Assign roles: incident lead, communications, legal
- Run a tabletop exercise once per year
Score Yourself
Count how many of the 10 checks your business passes today:
| Score | Assessment | Next Step |
|---|---|---|
| 9-10 | Strong security posture | Maintain with continuous monitoring |
| 6-8 | Functional but gaps exist | Fix critical items within 30 days |
| 3-5 | Significant exposure | Prioritize items 1-4 immediately |
| 0-2 | High risk | Get help — you’re likely non-compliant with NIS2 |
Automate the Entire Checklist
Running these checks manually works — once. But certificates expire, headers get removed during deploys, and new dependencies introduce vulnerabilities every week.
SaaSFort scans your domain against all 10 categories above in under 60 seconds. You get a scored report with specific remediation steps — mapped to NIS2 Article 21 and ISO 27001 Annex A controls.
No account required. Results in 60 seconds.
From reading to action
Scan your domain for free. First results in under 10 seconds — no registration required.