The AI and Web Design Security Checklist: 35 Critical Points (2026)

Every 2 seconds, a ransomware attack occurs somewhere in the world. In the Benelux region, the average cost of a single data breach is $6.24 million — and that's for companies that actually recovered. For a small or medium business, that figure often means bankruptcy.

At the same time, over 2,400 Belgian companies now fall under NIS2 and must demonstrate adequate security measures. GDPR enforcement has been in place for years, but scrutiny is intensifying: European regulators increasingly start with automated scans of your website before sending any emails.

If you run a website, integrate AI tools, or use API connections — and almost every professional website does today — your business is at risk if your security isn't in order. This checklist gives you 35 concrete points to audit your codebase, API access, and web platform. Including the commands and prompts you need to do it.

Why This Is More Urgent Than Ever for Belgian SMEs

The numbers speak for themselves:

NIS2 requires companies in 18 critical sectors to report incidents within 24 hours. Non-compliance: fines up to €10 million or 2% of global revenue. Board members can be held personally liable.

The barrier to action is low. Even half a day of work in the right places can make the difference.

Category 1: Security Headers — The First Line of Defence

More than 95% of websites fail a security header check. That's not an exaggeration: fewer than 10% have all four critical headers correctly configured. Yet implementing them takes less than an hour.

Check whether your website sends these headers:

How to check this quickly?

curl -I https://yourwebsite.com | grep -i "content-security|strict-transport|x-frame|permissions|referrer|x-content"

Or use the free tool securityheaders.com. An A grade or higher is the minimum to aim for.

In Next.js, configure these in next.config.ts via the headers() function. If you haven't set this up yet, this is your first priority.

Category 2: API Security and Access Control

APIs are the weakest link in most modern web applications. They're powerful, but every endpoint you expose is a potential entry point for attackers.

Check each of these points for all your API routes:

A quick audit of your environment variables:

# Search for hardcoded secrets in your codebase
grep -r "api_key|secret|password|token" --include="*.ts" --include="*.tsx" --include="*.js" src/ | grep -v ".env" | grep -v "node_modules"

# Check whether secrets were accidentally committed to git history
git log --all --full-history --oneline -- .env
git grep -i "secret|api_key|password" $(git rev-list --all)

If those last commands return anything, you have an immediate problem. Secrets that ever appeared in git must be rotated immediately — even if you've removed them from the current codebase.

Category 3: Codebase Audit — Finding Structural Vulnerabilities

This is where most teams go wrong: they ship features but leave structural security issues dormant. Use these prompts and commands to analyse your own codebase.

Dependency audit:

npm audit
npm audit --audit-level=high

# Outdated packages with known vulnerabilities
npx npm-check-updates --doctor

Hardcoded sensitive values:

# Find hardcoded API endpoints
grep -rn "fetch|axios|http" src/ --include="*.ts" --include="*.tsx" | grep "http://"

# Find console.log statements with potentially sensitive data
grep -rn "console.log|console.error" src/ --include="*.ts" --include="*.tsx" | grep -i "user|token|key|password|secret"

OWASP Top 10 checks for your codebase (2025 edition):

AI-assisted code audit prompt (to use in your AI tool of choice):

"Analyse the following API route for security issues: check for missing authentication checks, unsecured data return, missing input validation, and potential injection vulnerabilities. Provide specific suggestions for each issue found."

Paste in the code from your API routes afterwards. This gives you a first scan in minutes that would otherwise take hours of manual review.

Category 4: AI-Specific Security Risks

AI integrations introduce new attack vectors that most developers haven't encountered before.

More than 20% of files employees upload to AI tools contain sensitive company data. Establish a clear policy for what information staff may share with external AI services.

Category 5: NIS2 and GDPR Compliance

This isn't a legal checklist — it's a technical one. The legislation translates into concrete measures:

GDPR Article 32 requires you to implement appropriate technical measures. That's not a vague obligation: it means encryption, access control, and regular testing. "We've never done it that way" is not an excuse.

Scoring Overview: Where Do You Stand?

The Impact: What's Actually at Stake?

A data breach doesn't just affect you. It impacts your customers, your reputation and your legal liability.

For your business:

For your customers:

Under European regulations:

The irony? The technical foundation — security headers, API validation, npm audit — costs half a day of work. These aren't month-long projects. Most vulnerabilities that attackers exploit result from simple oversights that nobody ever checked.

Conclusion

Security is not a one-time project but an ongoing practice. Start today with the basics: run npm audit, check your security headers, and review your API routes. Those are three steps you can take this afternoon.

If you'd like someone to look at your website or web application's security — the technical setup, API access, GDPR compliance or NIS2 readiness — I'm happy to help. Get in touch for a no-obligation conversation.

FAQ

What is NIS2 and does it apply to my business?

NIS2 is a European directive that requires organisations in 18 critical sectors (energy, healthcare, transport, digital infrastructure, and so on) to implement robust security measures and report incidents within 24 hours. In Belgium, more than 2,400 entities fall under the law. The first step is checking whether your sector or company size is in scope — the Belgian supervisory authority CCN provides a self-assessment tool.

How do I check whether my API endpoints are secured?

Start with a manual review of each route: is authentication required? What does the route return if you send a request without a valid token? Then use tools like OWASP ZAP or Burp Suite Community Edition for a basic dynamic scan. Also check whether rate limiting is active on all endpoints, and whether CORS restrictions are correctly configured.

What is prompt injection and how do I protect against it?

Prompt injection is an attack where a user embeds malicious instructions in input sent to an AI model, causing the model to behave in unintended ways. Protection: always sanitise and constrain user input before forwarding it to an AI API, set clear system instructions, and never give the model access to sensitive system information you don't want exposed.

What are the fines for GDPR violations in 2026?

GDPR has two penalty tiers: up to €10 million or 2% of global annual revenue for technical violations, and up to €20 million or 4% for the most serious violations such as failing to respect user rights or processing data without a legal basis. European regulators are increasingly conducting proactive automated website audits in 2026.

Do I need a penetration test?

NIS2 requires in-scope organisations to regularly test their security. For SMEs outside NIS2 scope, it's not legally mandatory but strongly recommended. An annual pentest — even basic testing of the most critical systems — reveals real vulnerabilities that automated tools miss.

Which free tools can I use for a quick security scan?

Several free options are available: npm audit (dependencies), securityheaders.com (HTTP headers), Mozilla Observatory (combination of headers and configuration), OWASP ZAP Community Edition (dynamic API scan), and Semgrep CE (static code analysis). A combination of these four already gives you a solid baseline overview of your security posture.