Web security best practices

A short overview of web security best practices for public web applications.

Web security check list

The following checklist can be used as a baseline for web security.

  • Use a Content-Security-Policy with a report-uri
  • Use Subresource Integrity for external resources
  • All ports except 80 and 443 must be closed to the internet
  • All requests to port 80 must redirect to port 443
  • Use HTTPS only for all web traffic
  • Send security-related HTTPS response headers; verify with securityheaders.com
  • Use a whitelist of headers; permit only headers defined on the whitelist.
  • Use Google Search Console to receive security-related alerts from Google once they detect them.
  • SSL Labs should rate the domain with score 'A'
  • Verify against the OWASP Top Ten regularly.
  • Check regularly, in an automated way, for vulnerabilities in third-party libraries, using ossindex.sonatype.org integrations.
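As an added example (not code from the original page), the following Python audits one HTTP response against the checklist items above: the port 80 redirect, a CSP with a report-uri, HSTS, and the other headers securityheaders.com reports on. The one-year HSTS threshold and the sample headers are assumptions made for this example.

```python
# Added example: audit one HTTP response against the checklist (constructed sample data).
from typing import Dict, List

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value (0 if absent)."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0

def audit_response(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return the checklist findings for one response; [] means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if scheme == "http":
        # Checklist: every request on port 80 must redirect to port 443.
        if status not in (301, 308) or not h.get("location", "").startswith("https://"):
            findings.append("plain-HTTP request is not redirected to HTTPS")
        return findings
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # Checklist: CSP must carry a report-uri (report-to is the newer equivalent).
        if "report-uri" not in policy and "report-to" not in policy:
            findings.append("CSP has no report-uri")
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script sources allow 'unsafe-inline' or *")
    # Checklist: HTTPS only; a one-year HSTS max-age is assumed as the threshold here.
    if hsts_max_age(h.get("strict-transport-security", "")) < 31536000:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    # Headers securityheaders.com reports on besides CSP and HSTS.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in parse_csp(csp or ""):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    return findings
```

Run it against the headers a real deployment returns and fix every finding until the list is empty; securityheaders.com and SSL Labs then confirm the result from outside.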

Contact

Have some remarks, or need help implementing security? Get in touch by sending an email to info@squins.com