Building a new website? A short security check-list for you

Just to remind ourselves of basic and common security recommendations for most of the cases.

1. Use HTTPS (and HTTP/2) whenever possible.

2. Disable obsolete TLS v1.0/1.1 and insecure algorithms.

This is one of my configs for JDK for example:

jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, DES, DESede, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40, \
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, \
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, \
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, \
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
LS_DHE_RSA_WITH_AES_256_CBC_SHA, \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA

You should be careful with this if you are still working with old/legacy clients that don’t support new TLS protocols.

3. Enable Strict-Transport-Security everywhere.

4. Remove everything that identifies your software, environment and their versions.

  • Check HTTP responses when errors happen (404, 403, 500 pages, REST API responses, etc). Disable all visible for end-users call stacks and error details about your software. Introduce custom HTTP pages.
  • Using console tools like cURL, netcat, etc, try to send malformed URLs and check all responses that don’t have hints of what software are you using.

5. Prevent loading your websites in frames/iframes.

Content-Security-Policy: frame-src 'none'

There are also other useful policies in CSP as well, yet this is something more common to disable so was worth to mention separately.

6. Don’t trust any user input.

So, escape all of the user inputs by default (or better use web-frameworks and the majority of them mostly do that by default). Use appropriate data types checks, lengths/size limitations.

This is a good start link for details.

7. Secure your cookies.

  • HttpOnly
  • Secure
  • SameSite=Strict (or at least Lax, this is default now in modern browsers, but it is better to be strict about it for all users).
  • Max-Age=<appropriate-duration-in-days-not-years>

8. Use CORS in a secure way.

9. Don’t use sensitive or personal information as URL parameter values.

So, avoid this if possible:
https://example.net?my-access-code=<access-code>
(sometimes it isn’t possible, for example for sharing links in emails without identification — in those cases, I recommend to use time-limited tokens, etc)

10. Don’t forget to protect WebSockets, SSE/EventSource endpoints.

11. Don’t rely on robots.txt.

— —

Surely if you deal with important data (like PCI DSS, or working on something in Healthcare, etc), this is not good enough indeed, just a good start.

Software Developer & Architect