Website Security Audit: What to Expect and How to Prepare
Never had a security audit before? Learn what a website security audit involves, what to expect from the process, and how to prepare your business.
If you have never had a website security audit before, the process can seem intimidating. This guide explains what to expect from a professional passive website security assessment.
What a Passive Security Audit Covers
A passive security audit examines only publicly visible information—the same things an attacker would see when casing your website. It typically covers: HTTPS and TLS configuration, HTTP security headers (CSP, HSTS, etc.), DNS records including email authentication (SPF, DKIM, DMARC), publicly accessible files (robots.txt, security.txt, sitemaps), exposed configuration files and backup archives, server information leaked in headers, and third-party service integrations visible in page source.
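To make the header and email-authentication parts of such a review concrete, here is an added example (not SAB Security's tooling) that runs the checks over already-collected data, so it sends nothing to any server. The inputs are constructed samples: a header set for a hypothetical site and TXT records for example.com.

```python
import re
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def check_headers(headers):
    """Review HTTP response headers already received; no requests are made."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        out.append(("High", "HSTS missing: browsers are not told to stay on HTTPS"))
    elif int(m.group(1)) < 15552000:  # under 180 days
        out.append(("Medium", "HSTS max-age is shorter than 180 days"))
    if "content-security-policy" not in h:
        out.append(("Medium", "No Content-Security-Policy header"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("Low", "X-Content-Type-Options: nosniff not set"))
    if re.search(r"/\d", h.get("server", "")):  # e.g. Apache/2.4.41
        out.append(("Low", "Server header discloses a software version"))
    return out

def check_email_auth(domain, txt):
    """Review SPF/DMARC TXT records; txt maps record name -> list of strings."""
    out = []
    spf = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not spf:
        out.append(("High", "No SPF record: senders cannot be validated"))
    elif "+all" in spf[0]:
        out.append(("High", "SPF ends in +all, which authorises any sender"))
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        out.append(("High", "No DMARC record: receivers cannot act on failures"))
    else:
        pol = re.search(r"\bp=(\w+)", dmarc[0])
        if not pol or pol.group(1) == "none":
            out.append(("Medium", "DMARC policy is p=none (monitoring only)"))
    return out

def audit(domain, headers, txt):
    """Combine checks and order findings Critical to Low, as a report would."""
    findings = check_headers(headers) + check_email_auth(domain, txt)
    return sorted(findings, key=lambda f: RANK[f[0]])

# Constructed sample inputs (not taken from any real site).
SAMPLE_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)",
                  "Content-Security-Policy": "default-src 'self'",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_TXT = {"example.com": ["v=spf1 include:_spf.example.net ~all"]}

if __name__ == "__main__":
    for risk, text in audit("example.com", SAMPLE_HEADERS, SAMPLE_TXT):
        print(f"[{risk}] {text}")
```

In practice the header set comes from a single ordinary page fetch and the TXT records from a normal DNS lookup, both of which are public information.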
What It Does NOT Include
A legitimate passive audit does not: attempt to log into your systems, scan for vulnerabilities by sending payloads, test for SQL injection or XSS, perform denial of service testing, or access any private or protected areas. At SAB Security, we also require written authorization before beginning any assessment.
How to Prepare
1. Know your domain(s) and any subdomains you want assessed
2. Have access to your DNS management panel (to review and update records)
3. Inform your IT team or web developer that an assessment is happening
4. Review your privacy policy to ensure it accurately describes your data practices
5. Do not make changes during the assessment so we capture an accurate snapshot
What You Will Receive
A professional report including: an executive summary in business language, findings organized by risk level (Critical, High, Medium, Low), clear explanations of what each finding means for customer trust and business risk, practical remediation steps, a website trust score (0-100), and a comparison against industry best practices.
After the Audit
Most findings can be fixed within a few hours by your web developer or hosting provider. We recommend scheduling a follow-up check after fixes are applied to verify improvements.