Website protection
There are several factors that go into securing a web application. Most are second nature to seasoned system administrators, but it is still too common to meet someone who does not know how to properly secure one. Here is the checklist I go through when deciding whether a website is adequately secured.
- Is it using a firewall?
- Am I using unique passwords that are over 20 characters?
- Are passwords required to alter data?
- Is my codebase up to date?
- Are the only public facing ports HTTP and HTTPS?
- Do I protect data in transit from the user to my site by enforcing HTTPS?
- Do I protect data from my website to the database with SSL?
- Is my database only accessible to my application?
- Do I have my database and application on different servers?
- Can a malicious user drop, delete or alter data in my database through a form, switch or button that is publicly accessible on my website, or must they log in to perform that operation?
- Do I have separate connections and users to the database for writing and reading data?
- Do I rate limit connections via web application firewall or utility like fail2ban?
- Am I reading and blocking malicious inputs via web application firewall or mod_security?
- Can anyone brute-force a login, or am I blocking it after 5 tries?
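The last three items on the list (rate limiting, inspecting inputs, and blocking a login after 5 failed tries) are the ones most often left to a tool like fail2ban, but the logic is simple enough to carry inside the application as well. The following Python is an added example, not code from the original post: it keeps a per-client sliding window of failed logins, blocks the client once it reaches the 5-try limit, lets the block expire, and replays a few constructed authentication log lines through that guard to show which attempts would be refused before the password is even checked. The log format, the 10-minute counting window and the 15-minute lockout are assumptions chosen for the example.

```python
"""Per-client brute-force guard for a login form (added example, not the page's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # the checklist's "blocking it after 5 tries"
WINDOW = timedelta(minutes=10)   # assumed: failures are counted inside this sliding window
LOCKOUT = timedelta(minutes=15)  # assumed: how long a client stays blocked once it hits the limit


class LoginGuard:
    """Tracks failed logins per client IP and blocks after MAX_FAILURES inside WINDOW."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> datetime at which the block expires

    def _prune(self, ip, now):
        """Drop failures that fell out of the counting window."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        """True while a lockout is active; an expired lockout is cleared on first contact."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed attempt; returns True if the client is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure counter for that client."""
        self._failures[ip].clear()


# Constructed sample log in an assumed "<timestamp> <ip> login <ok|failed> ..." format.
SAMPLE_LOG = """\
2024-01-01 12:00:01 203.0.113.5 login failed user=admin
2024-01-01 12:00:03 203.0.113.5 login failed user=admin
2024-01-01 12:00:05 203.0.113.5 login failed user=admin
2024-01-01 12:00:07 203.0.113.5 login failed user=admin
2024-01-01 12:00:09 203.0.113.5 login failed user=admin
2024-01-01 12:00:11 203.0.113.5 login failed user=admin
2024-01-01 12:00:30 198.51.100.7 login failed user=alice
2024-01-01 12:00:35 198.51.100.7 login failed user=alice
2024-01-01 12:00:40 198.51.100.7 login ok user=alice
2024-01-01 12:20:00 203.0.113.5 login failed user=admin
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>[\d.]+) login (?P<result>ok|failed)"
)


def parse_ts(text):
    """Parse the sample log's timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def replay_log(lines):
    """Feed log lines through a fresh LoginGuard.

    Returns (guard, refused) where refused lists the (timestamp, ip) of attempts
    that arrived while the client was locked out and so would never reach the
    password check.
    """
    guard = LoginGuard()
    refused = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if guard.is_blocked(ip, ts):
            refused.append((m["ts"], ip))
            continue
        if m["result"] == "failed":
            guard.record_failure(ip, ts)
        else:
            guard.record_success(ip)
    return guard, refused


if __name__ == "__main__":
    _, refused = replay_log(SAMPLE_LOG.splitlines())
    for ts, ip in refused:
        print(f"{ts} {ip}: refused, client is locked out")
```

In the sample, 203.0.113.5 is locked out on its fifth failure at 12:00:09, so the attempt at 12:00:11 is refused outright, while the attempt at 12:20:00 is processed again because the 15-minute lockout has expired. 198.51.100.7 never reaches the limit and its counter is reset by the successful login. Keying the window on the client address alone is a deliberate simplification: a defender would normally also count failures per target account, since a distributed attacker can spread attempts across many addresses.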