1. No HTTPS everywhere
"My site doesn't have a form, I don't need HTTPS." Wrong. Without HTTPS, anyone on the network path between a visitor and your server can modify the content that visitor sees (ad injection, redirects to malicious sites). Google also penalises non-HTTPS sites in search results.
Fix: A Let's Encrypt certificate is free. There's no excuse left.
2. Missing security headers
Most sites send no security headers at all. No Content-Security-Policy, no X-Frame-Options, no Strict-Transport-Security.
These headers take 5 minutes to configure and block entire categories of attacks.
Fix: At minimum, add X-Content-Type-Options: nosniff, X-Frame-Options: DENY and Strict-Transport-Security.
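The following is an added example, not code from the original post or from WarDek. It covers mistakes 1 and 2 together for a Node.js server: a helper that redirects plain-HTTP requests to HTTPS and sets a baseline set of security headers on every response, and an audit function that lists which recommended headers a response is still missing. The header values are a reasonable starting point, not a universal recommendation; the Content-Security-Policy in particular is an assumption that will need loosening to match what your pages actually load. The FakeResponse class is a constructed stand-in for http.ServerResponse so the helpers can be exercised without opening a socket.

```javascript
// Baseline headers. Strict-Transport-Security only matters once the site is served over
// HTTPS (browsers ignore it on http://), and the CSP below is deliberately strict:
// same-origin resources only, no framing. Loosen it per source, on purpose.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',        // no MIME sniffing
  'X-Frame-Options': 'DENY',                  // legacy clickjacking defence
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Referrer-Policy': 'no-referrer',
};

function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  return res;
}

// Decide whether a request arrived over TLS. X-Forwarded-Proto is only trustworthy when a
// reverse proxy you control sets it, hence the explicit trustProxy flag (default: off).
function requestIsHttps(req, trustProxy = false) {
  if (req.socket && req.socket.encrypted) return true;
  if (trustProxy) {
    const forwarded = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
    return forwarded === 'https';
  }
  return false;
}

// Front-end for any handler: set the headers, and if the request is plain HTTP answer with
// a 301 to the https:// equivalent. Returns true when it issued the redirect so the caller
// can stop processing.
function secureRequest(req, res, { trustProxy = false } = {}) {
  applySecurityHeaders(res);
  if (!requestIsHttps(req, trustProxy)) {
    const host = req.headers.host || 'localhost';
    res.statusCode = 301;
    res.setHeader('Location', `https://${host}${req.url}`);
    res.end();
    return true;
  }
  return false;
}

// Audit: given a response's header object (lowercase keys, as res.getHeaders() returns),
// list the recommended headers that are absent.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(SECURITY_HEADERS).filter((h) => !present.has(h.toLowerCase()));
}

// Constructed stand-in for http.ServerResponse (example-only, not a real Node class).
class FakeResponse {
  constructor() { this.statusCode = 200; this.headers = {}; this.ended = false; }
  setHeader(name, value) { this.headers[name.toLowerCase()] = value; }
  getHeaders() { return { ...this.headers }; }
  end() { this.ended = true; }
}

// Wiring into a real server (not started here):
//   http.createServer((req, res) => {
//     if (secureRequest(req, res, { trustProxy: true })) return;  // behind a known proxy
//     res.end('hello');
//   });
// With Express: app.use((req, res, next) => { if (!secureRequest(req, res)) next(); });
```

Keep trustProxy off unless a proxy you control strips and re-sets X-Forwarded-Proto; otherwise a client can claim "https" on a plain-HTTP request and skip the redirect. Start HSTS with a short max-age while you confirm every subdomain really serves HTTPS, then raise it.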
3. Dependencies never updated
Is your site running a version of WordPress, React or Express from 2 years ago? Every day that passes, new vulnerabilities are discovered in outdated versions.
Fix: Set up a monthly update process. Tools like Dependabot or Renovate automate the process.
4. Forms without server-side validation
Client-side validation (JavaScript) is fine for UX, but it protects nothing: an attacker who sends requests straight to your server, skipping the browser entirely, bypasses it in seconds.
Fix: All incoming data must be validated server-side. Tools like Zod (TypeScript) make it simple and declarative.
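An added example of server-side validation for a signup form in plain Node.js (not code from the original post). The schema-style checks are hand-written so the snippet runs with no dependencies; with Zod the same rules would be expressed as a strict object schema. Field names, limits and the two constructed sample bodies are assumptions for the example, the second body standing in for a request sent directly to the server with the client-side checks skipped.

```javascript
const MAX_BODY_BYTES = 4096;                         // refuse oversized bodies before parsing
const ALLOWED_FIELDS = new Set(['email', 'username', 'age']);
// Deliberately simple address shape: one '@', no whitespace, a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;

// Step 1: the raw body. Reject oversized, non-JSON or non-object input before any field is read.
function parseJsonBody(raw) {
  if (typeof raw !== 'string' || Buffer.byteLength(raw, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, errors: ['body: missing or too large'] };
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { ok: false, errors: ['body: not valid JSON'] };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, errors: ['body: must be a JSON object'] };
  }
  return { ok: true, value: parsed };
}

// Step 2: the fields. Each is checked for type, shape and range regardless of what the browser
// already did, and unknown fields are rejected rather than silently ignored.
function validateSignup(body) {
  const errors = [];
  const value = {};

  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`${key}: unexpected field`);
  }

  if (typeof body.email === 'string' && body.email.length <= 254 && EMAIL_RE.test(body.email)) {
    value.email = body.email.toLowerCase();          // normalise once, server-side
  } else {
    errors.push('email: must be a valid address');
  }

  if (typeof body.username === 'string' && USERNAME_RE.test(body.username)) {
    value.username = body.username;
  } else {
    errors.push('username: 3-32 letters, digits or underscores');
  }

  // Number.isInteger rejects "30" (a string), 30.5, NaN and Infinity in one check.
  if (Number.isInteger(body.age) && body.age >= 13 && body.age <= 120) {
    value.age = body.age;
  } else {
    errors.push('age: integer between 13 and 120');
  }

  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Both steps combined, shaped like the body of an Express POST handler.
function handleSignup(rawBody) {
  const parsed = parseJsonBody(rawBody);
  if (!parsed.ok) return { status: 400, body: { errors: parsed.errors } };
  const result = validateSignup(parsed.value);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  // Only validated, normalised data reaches the database layer from here on.
  return { status: 201, body: { created: result.value } };
}

// Constructed samples: what the page's form submits, and what arrives when the form is skipped.
const SAMPLE_GOOD = JSON.stringify({ email: 'Ana@Example.com', username: 'ana_01', age: 30 });
const SAMPLE_FORGED = JSON.stringify({ email: 'not-an-email', username: '<script>', age: '30', role: 'admin' });
```

Note the extra field "role" in the forged body: rejecting unknown keys is what stops a request from quietly setting attributes the form never offered. Validation errors are the one class of error message that should be specific, since they describe the client's input rather than your internals.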
5. Overly detailed error messages
"SQL Error: table users, column password" — that error message is a gift for an attacker. It reveals your database structure.
Fix: In production, show generic messages ("An error occurred"). Log details server-side, not client-side.
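An added example of the fix, not code from the original post: an error handler that sends visitors a generic message while the full detail goes to a server-side log, with a request id on both sides so an operator can match a user's report to the logged stack trace. The in-memory log, the requestId argument (assumed to be generated by earlier middleware) and the "expose" flag for errors that are safe to show are assumptions made for the example; the Express wiring in the trailing comment is a sketch.

```javascript
// Build the HTTP status and body for a failed request without leaking internals.
//   production: true on live servers (e.g. process.env.NODE_ENV === 'production')
//   requestId:  correlation id attached to the request by earlier middleware (assumed)
//   log:        sink for the detailed record; console.error or a structured logger
function buildErrorResponse(err, { production, requestId, log }) {
  const e = err instanceof Error ? err : new Error(String(err));

  // Everything useful for debugging is recorded server-side, keyed by the request id.
  log({ level: 'error', requestId, name: e.name, message: e.message, stack: e.stack });

  // Honour a sane status set on the error (e.g. 404 from a not-found helper), else 500.
  const status = Number.isInteger(e.status) && e.status >= 400 && e.status < 600 ? e.status : 500;

  // Only errors explicitly marked safe to expose, and not server faults, reach the client
  // verbatim. A database error like "SQL Error: table users, column password" never does.
  const safeToShow = e.expose === true && status < 500;
  if (production && !safeToShow) {
    return { status, body: { error: 'An error occurred', requestId } };
  }

  // Outside production the detail is shown directly; in production only the safe message is.
  const body = { error: e.message, requestId };
  if (!production) body.stack = e.stack;
  return { status, body };
}

// Constructed in-memory log so the handler can be exercised without a logging library.
function createMemoryLog() {
  const entries = [];
  return { entries, log: (record) => entries.push(record) };
}

// Express sketch (assumed middleware has set req.id; not executed here):
//   app.use((err, req, res, next) => {
//     const { status, body } = buildErrorResponse(err, {
//       production: process.env.NODE_ENV === 'production',
//       requestId: req.id,
//       log: (record) => console.error(JSON.stringify(record)),
//     });
//     res.status(status).json(body);
//   });
```

The request id is what makes the generic message workable in practice: support asks the visitor for the id shown on the error page and finds the full record in the log, without the page itself revealing anything about the database.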
Check your site
A quick audit with WarDek automatically detects these 5 mistakes (and many more). The scan takes less than 5 minutes.