Building a new website? A short security check-list for you

1. Use HTTPS (and HTTP/2) whenever possible.

2. Disable obsolete TLS v1.0/1.1 and insecure algorithms.

jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, DES, DESede, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

3. Enable Strict-Transport-Security everywhere.

4. Remove everything that identifies your software, environment and their versions.

  • Check the HTTP response headers from your website. Remove or replace X-Powered-By and any other header that hints at your software and its versions.
  • Check the HTTP responses when errors happen (404, 403, 500 pages, REST API responses, etc). Disable all call stacks and error details about your software that are visible to end users. Introduce custom HTTP error pages.
  • Using console tools like cURL, netcat, etc, send malformed URLs and check that none of the responses hint at what software you are using.

5. Prevent loading your websites in frames/iframes.

Content-Security-Policy: frame-ancestors 'none'

6. Don’t trust any user input.

7. Secure your cookies.

  • HttpOnly
  • Secure
  • SameSite=Strict (or at least Lax; this is now the default in modern browsers, but it is better to be strict about it for all users).
  • Max-Age=<appropriate-duration-in-days-not-years>
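
An added example (not part of the original post) that audits one response's headers against items 3, 4, 5 and 7. The function name, the set of fingerprinting header names and the sample response are assumptions made for illustration.

```python
# Added example; SAMPLE below is a constructed response, not real traffic.
import re

# Assumed list of headers that commonly disclose software and versions (item 4).
FINGERPRINT = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    names = {}
    for name, value in headers:
        names.setdefault(name.lower(), []).append(value)

    # Item 3: Strict-Transport-Security must be present with a non-zero max-age.
    hsts = " ".join(names.get("strict-transport-security", []))
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("hsts: missing or max-age=0")

    # Item 4: software-identifying headers.
    for name in sorted(FINGERPRINT & set(names)):
        findings.append(f"fingerprint: {name}: {names[name][0]}")

    # Item 5: who may frame the page is set by frame-ancestors (or the legacy
    # X-Frame-Options header); frame-src only limits frames the page itself loads.
    csp = ";".join(names.get("content-security-policy", [])).lower()
    xfo = " ".join(names.get("x-frame-options", [])).strip()
    if "frame-ancestors" not in csp and not xfo:
        findings.append("framing: no frame-ancestors or X-Frame-Options")

    # Item 7: every Set-Cookie needs HttpOnly, Secure and SameSite=Strict|Lax.
    for cookie in names.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cname = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): p.partition("=")[2].lower() for p in parts[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cname}: missing {flag}")
        if attrs.get("samesite") not in ("strict", "lax"):
            findings.append(f"cookie {cname}: SameSite not Strict/Lax")
    return findings

SAMPLE = [  # constructed response headers
    ("Server", "ExampleHTTPd/1.2.3"),
    ("X-Powered-By", "ExampleFramework 4.5"),
    ("Content-Security-Policy", "default-src 'self'; frame-src 'none'"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Secure; HttpOnly; SameSite=Strict; Max-Age=86400"),
]
```

Calling `audit_headers(SAMPLE)` returns six findings; the second cookie passes every check.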

8. Use CORS in a secure way.

9. Don’t use sensitive or personal information as URL parameter values.

10. Don’t forget to protect WebSockets, SSE/EventSource endpoints.

11. Don’t rely on robots.txt.


