Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Shipping securely on a budget

The website launch security checklist nobody hands you

July 18, 2026·6 min read
A hand holding a clipboard and document in dim light — the pre-launch review nobody is handed.

Nobody hands you a security checklist when you launch. You get a deploy button. So most small sites go live with the certificate valid and absolutely nothing else checked — which is exactly the state attackers and bots count on.

You don't need an audit or a pentest to close the common gaps. Here's the list to run before you point real users at it — split into what you can test from outside in seconds, and what lives in the code.

The outside view: four checks, no code

Four things are visible from your public URL, and every one is a default a framework or app builder tends to leave unset. Test them on the live site before launch:

  1. SSL certificate — valid and not about to lapse. HTTPS working today isn't the whole story; a cert quietly expiring in three weeks takes the whole site down with a scary browser warning. Check the expiry with the SSL expiry check.
  2. Security headers — set, not missing. HSTS, clickjacking protection, MIME-sniffing protection, a referrer policy. Their absence is the single most common finding on a fresh site. Scan with the security headers check.
  3. No mixed content. One image or script loaded over http:// on an HTTPS page breaks the padlock and gives an attacker a way in. Find them with the mixed-content checker.
  4. Cookies flagged properly. Session cookies need Secure, HttpOnly, and a sane SameSite — otherwise they're readable by scripts or sent where they shouldn't be. Check them with the cookie security check.
free tool · no loginSecurity headers checkStart here — scan your live URL for the headers almost every new site is missing. Then run the SSL, mixed-content, and cookie checks alongside it. All free, no login.

The inside view: what a URL scan can't see

The rest lives in the code, and it's where the expensive mistakes hide:

  • Secrets out of the browser. No private keys committed to the repo or baked into the client bundle — server-side environment variables only.
  • Access control on the server. Every sensitive action re-checked server-side, not just hidden in the UI. On Supabase, that means RLS on every table.
  • Debug off in production. No verbose stack traces or debug endpoints leaking internals on an error page.
  • Validated input and updated dependencies. Parameterised queries, validated inputs, no known-vulnerable packages.
  • Rate limiting on login, signup, and anything expensive.

The quickest way to walk the code half is to make your AI tool review its own output against the list:

paste into Claude or ChatGPT
Do a pre-launch security review of my web app. Go through each item, tell me whether my project is affected, and give me the specific fix.

1. HTTPS: is HTTP redirected to HTTPS everywhere, and is HSTS set so browsers refuse to downgrade?
2. Secrets: are any API keys, tokens, or private keys committed to the repo or shipped in the client-side bundle? Which must move to server-side environment variables?
3. Access control: is every sensitive read and every mutation authorised on the server, not just hidden in the UI? If I use Supabase, is RLS enabled on every table with policies that restrict rows to the right user?
4. Input handling: are inputs validated and queries parameterised (no string-built SQL, no unescaped user input)?
5. Error handling: are debug mode and verbose stack traces off in production, so error pages don't leak internals?
6. Dependencies: any known-vulnerable packages I should update before launch?
7. Rate limiting: are login, signup, and expensive endpoints protected against abuse?

For each finding, give me the risk in one sentence and the exact change.
Built the site with an AI tool? The inside-view items are worth extra scrutiny — generators optimise for "works," not "locked down." We go deep on that in vibe coding security risks.

The item that isn't a launch task

Every check above is a snapshot — true the day you run it. But a valid certificate expires, a green site goes down, an endpoint starts erroring after a deploy. The last item on the list isn't something you tick once; it's ongoing.

Point a monitor at the site so the day something changes — the cert lapses, the URL stops answering — you hear about it before your users do. That's the difference between a checklist and staying secure after launch.

Launch checked — and keep it that way.

The tools above catch what's wrong today. Tell Me When Down watches the site after launch, free — SSL that lapses, a page that goes down, an endpoint that starts failing. You hear about it the moment it happens.

Watch my sitefree · no card required
more on shipping securely on a budget
Website down from an expired SSL certificateAn expired certificate is a full outage — every visitor hits a red warning, though the server's fine. Here's why auto-renewal still fails silently, why shrinking cert lifetimes make it likelier, and how to see it coming.My website says "Not Secure" — what it means and how to fix itThe "Not secure" label looks like a hack but usually isn't — it means your site isn't using HTTPS properly. Here's what the browser is really saying, and the common causes in plain language, fixed one by one.What are security headers? A plain-English guideSecurity headers tell the browser how to behave safely — refuse HTTP, block framing, don't guess file types. Here's what each of the ones that matter actually does, and why almost every new site ships without them.How to add security headers in Next.js (including CSP)Next.js sends no security headers by default. The static ones are a config block; the hard part is a CSP that helps without blocking your own scripts. Here's the nonce approach, the report-only trick, and the version caveat.SSL certificate expiry monitoring: why the calendar reminder failsA calendar reminder assumes your renewal works. But auto-renewal is a background job that fails silently, and cert lifetimes are dropping to 47 days by 2029. Here's why manual SSL tracking breaks, and what to monitor instead.Secure, HttpOnly, SameSite: the cookie flags that matterThree small flags — Secure, HttpOnly, SameSite — decide whether your session cookie is a locked token or the easiest thing to steal on your site. Here's what each closes, and how to check which your cookies set.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com