I'm not new to security, and that's why I ask. I have created a "payment portal" integrated with Stripe for my [few] customers. I have gone through various guides for securing Debian, Apache/Node, MySQL on a dedicated instance, etc., using HTTPS only, SSL certs, passed the Qualys HTTPS/SSL scan with a 90%/A rating, performed Qualys and other vulnerability scans... but have I done enough? I'm not storing credit card info, but am storing usernames, passwords, and basic stats. I also developed the portal with security in mind, taking CORS, SQL injection, and other tactics into account.

I know security is and should be considered at every layer, but when is there a reasonable amount of security when security is not my primary focus?
I don't know about 'best practices', but I know of a nice app that's less resource intensive than 'fail2ban':
<a href="https://github.com/sofar/tallow" rel="nofollow">https://github.com/sofar/tallow</a>
Since my main concern about security is cardholder data leaks I looked into what it takes to become PCI-compliant <a href="https://www.pcisecuritystandards.org/merchants/self_assessment_form.php" rel="nofollow">https://www.pcisecuritystandards.org/merchants/self_assessme...</a>, not that PCI-Compliance is the be-all end-all of web security.