[mycentstoo]

A few infrastructure things:

- Serve traffic behind a load balancer that has a WAF

- Network segregation for database (separate subnets)

- Make sure you serve https and have a cert that’s valid. Redirect to https if http

- Restrict ports on LB

At some point later:

- Endpoint monitoring and threat detection

- VPC flow logging

- Execute backend as non root

- Dependency / artifact scanning

- Cloud SIEM to monitor common actions taken

- Make sure no hard coded creds. Ie, use role-base auth with cloud providers

- Reproducible infrastructure builds with infra as code

- Email domain protection

- Grab misspellings of domain names to prevent squatting

[swyx]

> Serve traffic behind a load balancer that has a WAF

whats the cheapest non aws way to do this? cloudflare on everything? is there another option? just trying to learn whats out there. WAF mainly protects against ddos right?

[KronisLV]

> is there another option? just trying to learn whats out there.

The cheapest option would be self-hosting something ModSecurity compatible: https://en.wikipedia.org/wiki/ModSecurity

You'd also need a ruleset, for which the OWASP one might be a starting point: https://owasp.org/www-project-modsecurity-core-rule-set/

There are also some projects like Coraza in the works: https://coraza.io/

Probably not what you're looking for if you want a cloud service to take care of everything for you, though, because of the question below (just thought that it might be useful to point out that anyone can run their own WAF if need be).

> WAF mainly protects against ddos right?

Typically WAF might be offered as a part of a larger cloud service that would include DDoS protection.

However, on its own, it is meant to filter traffic that might be harmful and attempt to exploit various vulnerabilities. A bit like an anti-virus in a sense, but for web requests. Some people argue that WAF solutions can be problematic because they encourage an attitude of "so what if there's a log4j vulnerability in the codebase, the WAF will take care of it" instead of making sure that the actual code is secure, but opinions are split there (defense in depth and the Swiss cheese model).

[swyx]

lovely answer, thanks so much! hope others learn too.

[fsloth]

Is there some plug’n’play vendor that would offer most of these out of the box (like Netlify etc)?

[starwatch]

GP has some good suggestions. For implementation of these, Cloudflare is a decent first stop - though they are a little hostile to non-vanilla internet users. Their free plan offers sensible security (SSL termination, WAF, DDOS protection) out of the box, with a straight forward UI.

Network segregation for database (separate subnets) would be a config option wherever you're hosting (AWS/Google Cloud/etc.) said database/application.

[g4zj]

> Serve traffic behind a load balancer that has a WAF

What is a WAF?

[samtho]

Web Application Firewall.

It’s a feature of an LB that consolidates the actions of blocking ports except for the ones you are using, fail-fast on paths that scrapers tend to check (e.g. /wp-admin, /phpMyAdmin) so it doesn’t end up in normal request logging, set rate limits, fail-to-ban conditions, etc.

[blipvert]

Has anyone had any luck with Coraza on HAProxy?

[NomDePlum]

Web application firewall: https://en.m.wikipedia.org/wiki/Web_application_firewall

[d3m0t3p]

Web application firewall