Ask HN: How do you handle security for your website(s)?

pov of sysadmin:<p>- reverse proxy to backend webserver<p>- run checks on each request on the reverse proxy<p>- close all ports except what needs to be open<p>- only allow access to what needs to be seen<p>- perform frequent security updates (script it, automate it, run it hourly)<p>- never install more software then strictly required<p>- never allow SSH directly to your public address<p>- for ssh, use custom ports, cert (4096b) with passwords<p>- install logwatch or something else that will inform you about logs (elk stack)<p>- automate checks in logs for tell-tale signs of scriptkiddies (attempted access to &#x2F;wp-admin or phpmyadmin for example) =&gt; automate adding source IP&#x27;s to firewalls<p>- frequently check for malicious code (clamav, rkhunter, ...)<p>- only use stable and tested software<p>- only use stable and tested OS (Centos&#x2F;redhat. DO NOT run production on anything else, especially ubuntu.)<p>- do not use ubuntu for production. it is not suited.<p>- install failtoban<p>from dev pov:<p>- implement measures to prevent sql injection<p>- don&#x27;t require production to install dev libraries<p>- don&#x27;t require production to install packages only available on ubuntu<p>- log strange behaviour to a file, make sure actions can be automated (iptable drop)<p>I&#x27;m no dev, but those are things I&#x27;d like dev&#x27;s to do with their software.

Not all WWW sites are corporate, of course. My personal WWW site ...<p>... is not an API. There&#x27;s no authentication, cookies, transactions, client-side scripts, or PHP. No dynamic content is generated in response to HTTP requests. It is rather generated in response to back-end events, such as pushing a new version of a package into the package repository, which cause reconstruction of the content with redo, a simple rebuild tool. So the server software itself is a simple static HTTP server. It&#x27;s a slightly improved version of Daniel J. Bernstein&#x27;s publicfile, in fact.<p>... does not put server logs, server scripts, or anything else like those in the content tree. The only things in the content tree are content files and directories. Indeed, the content server daemon runs as one user and its logger daemon runs as another, which owns the log files with only access to their owner.<p>... has strictly size-capped, auto-rotated, logs with the log writer doing the rotation. There&#x27;s no logrotate window of opportunity for exceeding the log size. (<a href="http:&#x2F;&#x2F;jdebp.eu.&#x2F;FGA&#x2F;do-not-use-logrotate.html" rel="nofollow">http:&#x2F;&#x2F;jdebp.eu.&#x2F;FGA&#x2F;do-not-use-logrotate.html</a>) The logs are also completely independent from other non-server logs.<p>... runs on a dedicated machine that does not have other, non-public, services. There&#x27;s no unnecessary MySQL server running on it, for example. Nor a mail system.<p>... is also mirrored over FTP and GOPHER. The FTP server is again an improved version of Daniel J. Bernstein&#x27;s publicfile, and the GOPHER server is my addition to the same. They don&#x27;t implement non-anonymous FTP, FTP uploads or filesystem modifications of any sort, or GOPHER searches, and work from (solely) the same content tree as the HTTP server. The GOPHER menus are built by the content rebuild subsystem, not by the GOPHER server.

Simple. Static HTML.

This is not what you are looking for, but this is a great checklist to make sure your site is secured. <a href="https:&#x2F;&#x2F;github.com&#x2F;FallibleInc&#x2F;security-guide-for-developers&#x2F;blob&#x2F;master&#x2F;security-checklist.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;FallibleInc&#x2F;security-guide-for-developers...</a>

- Transparency is a dependency of trust; if it&#x27;s not transparent (e.g. open source), then it&#x27;s not trustworthy, full stop<p>- Read the latest NIST guidelines on software security; whether or not you trust the U.S. government (you shouldn&#x27;t), NIST still has very solid security advice, and a lot of the rest of the stuff in this list is derived from NIST guidelines<p>- Establish a mandatory security policy for your website&#x2F;organization<p>- Make regular backups, and store them on a separate server; test your backups regularly (e.g. by restoring them to a staging&#x2F;test server identical to production)<p>- Stream log entries (or routinely back up log files) to a separate server<p>- Don&#x27;t use Windows<p>- Don&#x27;t use (non-LTS) Ubuntu, Fedora, Arch, or any other Linux distro which prioritizes the &quot;latest-and-greatest&quot; features over stability; prefer more stable distros like (open)SUSE, RHEL&#x2F;CentOS, Debian, or an LTS release of Ubuntu (though I&#x27;d personally wait a year or so after an LTS Ubuntu release or an openSUSE release to give Canonical&#x2F;SUSE (respectively) time to shake out the inevitable bugs)<p>- Never install software unless it&#x27;s absolutely necessary<p>- Never install software from untrusted sources<p>- Never allow the use of passwords for SSH logins; <i>always</i> use key-based authentication (or disable SSH entirely)<p>- Never try to roll your own authentication unless you really know what you&#x27;re doing (or you <i>really</i> want to learn what it takes and have no interest in using it in production) and it&#x27;s absolutely necessary; 99 times out of 100, there&#x27;s a library for your language that already does it with a much more comprehensive threat model than the one you&#x27;re envisioning (and in the remaining 1 in 100 cases, there are at least plenty of smaller libraries that handle individual components of an authentication system)<p>- If you do roll your own authentication, at least try to use something like OAuth via an existing identity provider so that you don&#x27;t have to store credentials (and that so that you can lean on that provider&#x27;s expertise)<p>- If you do roll your own authentication <i>and</i> your own credential storage, make sure all passwords are hashed (SHA2 at minimum) with per-password-unique salts<p>- If you do roll your own authentication, play it safe and force the use of HTTPS site-wide<p>- If you do roll your own authentication <i>and</i> your own credential storage, try to provide some kind of multi-factor authentication, preferably one compatible with Google Authenticator; no, security questions don&#x27;t count<p>- If you do roll your own authentication <i>and</i> your own credential storage, allow and encourage users to use long passphrases<p>- If you do roll your own authentication <i>and</i> your own credential storage, don&#x27;t force users to reset their passwords every $NUM days; only force a reset if there&#x27;s reason to believe that the user&#x27;s account is compromised<p>- If you do roll your own authentication <i>and</i> your own credential storage, don&#x27;t require users to include certain character classes in their passwords<p>- Have it in writing that nobody working on behalf of your website will ever ask users for their passwords<p>- You can&#x27;t have a data breach if you don&#x27;t have any data; only store sensitive user data if you absolutely know for sure that you need it (hint: if it&#x27;s for &quot;analytics&quot; or ads, then you don&#x27;t need it)<p>- If you do need to store sensitive data, ensure that it is encrypted (most full-featured SQL databases support encryption at various levels of granularity; for NoSQL databases or non-full-featured SQL databases, you&#x27;ll want to make sure data is only sent to the database in an encrypted state)<p>- If you do need to store sensitive data, play it safe and force the use of HTTPS site-wide<p>- Hell, might as well just force HTTPS no matter what; it ain&#x27;t like TLS certs are expensive (thank you, Let&#x27;s Encrypt!)<p>- Routinely audit things like GitHub&#x2F;Bitbucket&#x2F;GitLab&#x2F;$SOURCE_CODE_HOSTING_SITE repositories, Slack channels, AWS&#x2F;Heroku&#x2F;$APPLICATION_HOSTING_PROVIDER accounts, etc. to ensure that only the people who should have access do have access<p>- Make sure all persons involved in developing and maintaining the site use long passphrases and multi-factor authentication wherever possible (most source code hosting sites and cloud providers offer 2FA, and quite a few - like AWS - can even enforce it on all your organization&#x27;s accounts)

These are great lists.<p>What about WAF (Web Application Firewalls)?