Web security best practices
A short overview of web security best practices for public web applications.
Web security checklist
The following checklist can be used as a baseline for web security.
- Use a Content-Security-Policy with report uri
- Use Subresource Integrity for external resources
- All ports must be closed to the internet except
- All requests to port 80 must redirect to port
- Use HTTPS only for all web traffic
- Send security-related HTTP response headers; verify them with securityheaders.com
- Use a whitelist of headers; permit only headers defined on the whitelist.
- Use Google Search Console to receive security-related alerts from Google once they detect them.
- SSL Labs should rate the domain with score ‘A’
- Verify against the OWASP Top Ten regularly.
- Check regularly, in an automated way, for vulnerabilities in third-party libraries, using ossindex.sonatype.org integrations.
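As an added example (not part of the original page), the script below checks a set of response headers against several checklist items above (security-related headers, a Content-Security-Policy with a report URI) and computes a Subresource Integrity value for a resource. The header names are real; the header values, the CSP and the resource bytes are constructed samples.

```python
"""Offline checks for checklist items: security response headers,
a CSP that reports violations, and an SRI hash for an external resource."""
import base64
import hashlib

# Headers a public web app should send; the substring (if any) must appear in the value.
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-frame-options": None,           # any value (DENY / SAMEORIGIN)
    "referrer-policy": None,
    "content-security-policy": None,   # inspected in more detail below
}


def check_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed.
    `headers` maps header names to values (names are matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, needle in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header: {name}")
        elif needle and needle not in h[name].lower():
            findings.append(f"{name} should contain '{needle}'")
    # Parse the CSP into {directive: [source tokens]}.
    csp = h.get("content-security-policy", "")
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if csp and "report-uri" not in directives and "report-to" not in directives:
        findings.append("content-security-policy has no report-uri/report-to")
    # script-src falls back to default-src when absent.
    if "'unsafe-inline'" in directives.get("script-src", directives.get("default-src", [])):
        findings.append("content-security-policy allows inline scripts")
    return findings


def sri_hash(resource: bytes, algorithm: str = "sha384") -> str:
    """Compute the value for an <script integrity="..."> attribute."""
    digest = hashlib.new(algorithm, resource).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


# Constructed sample headers: one well-configured server, one weak one.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; report-uri /csp-report",
}
WEAK_HEADERS = {"Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(hdrs) or "OK")
    print(sri_hash(b"console.log('hello');"))
```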
Web security links
- Web security fundamentals: Google's material to learn more about web security.
- Web security tools: useful tools to analyse the security of existing web applications.
Have some remarks, or need help implementing security? Get in touch by sending an email to firstname.lastname@example.org