Website protection
There are several factors that go into securing a web application. Most are second nature to seasoned system administrators, but it is still too common to meet someone who does not know how to properly secure a web application. Here is the checklist I go through when I am deciding whether a website is secured.
- Is it using a firewall?
- Am I using unique passwords that are over 20 characters?
- Are passwords required to alter data?
- Is my codebase up to date?
- Are the only public-facing ports HTTP and HTTPS?
- Do I protect data in transit from the user to my site by enforcing HTTPS?
- Do I protect data from my website to the database with SSL?
- Is my database only accessible to my application?
- Do I have my database and application on different servers?
- Can a malicious user drop/delete/alter data in my database from a form/switch/button that is publicly accessible on my website, or do they need to log in to perform that operation?
- Do I have separate connections and users to the database for writing and reading data?
- Do I rate limit connections via a web application firewall or a utility like fail2ban?
- Am I reading and blocking malicious inputs via a web application firewall or mod_security?
- Can anyone brute force a login, or am I blocking it after 5 tries?
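Two of the items above (passwords over 20 characters, and blocking a login after 5 failed tries) can be enforced inside the application itself rather than only at the firewall. The following is an added example, not code from the original post; the 15-minute lockout window, the `pbkdf2_hmac` password hashing and the injectable clock are my assumptions, since the checklist only states the 5-try limit.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_ATTEMPTS = 5          # checklist: block after 5 failed tries
LOCKOUT_SECONDS = 900     # assumed window; the checklist does not name one
MIN_PASSWORD_LENGTH = 21  # checklist: "over 20 characters"


def password_is_acceptable(password: str) -> bool:
    """Length-only check matching the checklist item; other policy is out of scope."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class LoginGuard:
    """Tracks failed logins per key (username or client IP) and refuses further
    attempts once MAX_ATTEMPTS failures fall inside the LOCKOUT_SECONDS window."""

    def __init__(self, clock):
        self._clock = clock                  # callable returning seconds; injectable for tests
        self._failures = defaultdict(list)   # key -> timestamps of recent failures

    def _recent_failures(self, key) -> list:
        cutoff = self._clock() - LOCKOUT_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_blocked(self, key) -> bool:
        return len(self._recent_failures(key)) >= MAX_ATTEMPTS

    def attempt(self, key, password: str, salt: bytes, stored_hash: bytes) -> str:
        """Returns 'blocked', 'ok' or 'failed'. The block check runs before the
        password check, so a locked-out caller learns nothing about the password."""
        if self.is_blocked(key):
            return "blocked"
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            self._failures.pop(key, None)    # success clears the failure history
            return "ok"
        self._failures[key].append(self._clock())
        return "failed"
```

Keying the guard on the username alone lets an attacker lock a victim out by failing on purpose, so in practice a deployment keys on client IP as well and pairs this with the fail2ban or WAF rate limiting from the checklist.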