If you’re taking your website or web app security seriously, having strong and reliable processes and workflows is essential. Here’s an extensive yet concise website security checklist that covers the most critical aspects, from identity and access management to CDNs and firewalls. I hope you find it helpful and that it helps you create effective and well-structured security processes and procedures.
Software and dependencies:
- Keep all your IT systems patched and up to date (servers, CMS, frameworks, libraries, modules/plugins, 3rd party tools, services, etc.).
- If you have any extensions, modules and/or plugins, make sure that:
  - all updates and patches are installed;
  - the extensions/modules/plugins are actively used by the community;
  - they’re coming from a trusted source;
  - they’re actively maintained by their creators/maintainers.
Connections and authentication:
- Use encrypted connections for everything:
  - Install an SSL certificate;
  - Switch the website to HTTPS;
  - Use encrypted connections for file transport and for server/database access;
  - Do not forget to automatically redirect all HTTP traffic to HTTPS.
- Make sure all the passwords (file transfer, CMS, database, etc.) are unique and strong.
- Update passwords regularly (consider using a password manager and a strong password generator).
- Enable MFA or key-based authentication where possible.
Access management and permissions:
- Introduce strong IAM procedures.
- Audit your settings and permissions:
  - User settings/permissions;
  - Comment settings/permissions;
  - General visibility of information (e.g. PHP or CMS error reporting that can reveal configuration details).
- Follow the least privilege rule and be careful about your permissions.
- Audit file and directory permissions (read, write, execute for owner, group, or public).
- Prevent directory browsing.
- Protect sensitive files.
User data and web interfaces:
- Ensure secure online checkouts. Use AVS and CVV and follow standards such as PCI DSS.
- Validate and sanitize user-entered data (this reduces XSS and SQL injection vulnerabilities).
- Make sure you perform validation not only on the client side but on the server side too.
- Enable HTTP Strict Transport Security (HSTS) to disallow unencrypted traffic.
- Enable Content Security Policy (CSP) to protect against XSS.
- Prevent image hotlinking.
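As an added example (not part of the original checklist), the following Python function checks one HTTP response against the HTTPS-redirect, HSTS and CSP items above. The one-year HSTS minimum is an assumed threshold, the header dicts at the bottom are constructed samples, and the CSP parser only handles the simple directive/source layout needed for the check.

```python
import re

HSTS_MIN_MAX_AGE = 31536000  # one year; an assumed threshold, adjust to your policy

def parse_csp(value):
    """Split a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return policy

def audit_headers(headers, status=200, requested_over_http=False):
    """Return a list of findings for one response; an empty list means it passed."""
    h = {k.lower(): v for k, v in headers.items()}
    if requested_over_http:
        # A plain-HTTP request must be permanently redirected to an https:// URL.
        # Browsers ignore HSTS sent over HTTP, so the other checks apply to HTTPS only.
        loc = h.get("location", "")
        if status not in (301, 308) or not loc.lower().startswith("https://"):
            return ["HTTP request not permanently redirected to HTTPS"]
        return []
    findings = []
    # HSTS must be present with a max-age long enough to matter
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    elif not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age below %d seconds" % HSTS_MIN_MAX_AGE)
    # CSP must be present, and the effective script-src must not allow inline
    # scripts or any origin, which would defeat its purpose against XSS
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        policy = parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        elif "unsafe-inline" in script_src or "*" in script_src:
            findings.append("CSP script sources allow 'unsafe-inline' or a wildcard")
    return findings

# Constructed sample responses, not captured from any real site
WEAK = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"}
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```

Run `audit_headers(STRONG)` to get an empty list and `audit_headers(WEAK)` to get two findings; pass `requested_over_http=True` with the response to a plain-HTTP request to check the redirect item.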
Backend/servers/database:
- Set up extended logging and store the logs in a secure place separate from the main application.
- Set up automatic regular backups. Make sure you have:
  - offsite backup storage;
  - another copy of the backup in a separate location (you’re going to need this copy in case your main backup becomes corrupted or unavailable).
- Test restoring the website/database from the backup to make sure the backups are usable and make sure you can do it with minimal downtime.
- Audit for misconfigurations in your applications, review web server configuration files.
- Move sensitive configuration files (and other files containing passwords) to a secure directory outside of the public web folder so they are inaccessible to general web access, and add them to .gitignore.
- For PHP based applications: edit your php.ini file to use more secure settings (e.g. set ‘display_errors’ to Off; ‘register_globals’ should also be Off on the legacy PHP versions that still have it, as it was removed in PHP 5.4).
Intrusion detection and intrusion prevention:
- Use a Web Application Firewall (WAF).
- Monitor traffic surges and set up an alerting system.
- Use a DDoS mitigation service.
- Use a CDN + load balancing for additional high traffic resilience and DDoS protection.
- Invest in a malware detector/scanner + security extensions for your CMS.
Processes and workflows:
- Have as many automated processes as possible: updates, logging, firewalls, monitors, scanners, etc.
- Every few months:
  - Perform a manual audit and clean up (install missing updates, remove unused plugins/modules/extensions, remove/block unused user accounts, update permissions and settings, change passwords, etc.).
  - Review and test all automated systems that are in place (review configurations, make sure backups and logs are being created, etc.).
- Check known vulnerability reports and stay up to date with standards and documentation. A good place to start would be keeping an eye on OWASP checklists, testing guides and the OWASP Top 10 security risks listed here: https://owasp.org/www-project-top-ten/
I hope you find this website security checklist helpful. Feel free to reach out if there are any questions, comments or great resources you’d like to share!
Useful links:
Other articles about cybersecurity
OWASP testing guide