Ask HN: How to secure a website?

[devcheese]

So I'm new to deploying apps to production, I'm curious of everything I need to do to make a website secure. As of now, I only know to setup SSL, I imagine there is more beyond that.

[rmdoss]

SSL doesn't have much to do with securing your website. If you are worrying about security, I would recommend to try to find solutions to solve the:

-integrity -availability and -confidentiality

Of your server and app. For integrity, look for file integrity monitors (OSSEC is a good open source project that does that).

For availability: load balancers, ddos protection, auto scaling are all things to look for. Products like CloudFlare and Sucuri can do it in the cloud for you automatically.

For confidentiality, try isolating your server, setting up firewalls to deny all by default, restricting access, keeping it updated, etc.

thanks,

[mtmail]

http://guides.rubyonrails.org/security.html is a good introduction for webapps written in Ruby/Rails and their countermeasures.

It's better to ask the same question on a <insert your programming language> forum or StackOverflow as most frameworks have countermeasures or configuration options included (salting password, inspecting HTTP headers, preventing SQL injection).

[sumodirjo]

Using Cloudflare / Sucuri in front of your website won't hurt

[tmaly]

lockdown all ports except 22, 80, and 443 with iptables.

setup a fail2ban to update iptable rules to detect repeated hack attempts and ban their ip address.