by wilburlo 4102 days ago
It's hard maintaining great security because security and speed are usually in direct opposition.

In terms of hardware/OS: Turn off everything incoming except for HTTPS, SSH, and ping (optional). Make sure everyone uses SSH keys (no passwords).

In terms of programming, focusing on security roles is tricky at first. So you want to be careful in describing how user roles or user permissions work in your site.

Create a staging server with test data that mimics your production site (nearly exactly). Any penetration company will ask you to sign a "This won't hurt anything" when smashing up your server.

Another place to focus is how backups are copied, who can access the data, etc.

This is a really big topic. Your insurance company, when you apply, will have an excellent checklist.

2 comments

> Turn off everything incoming except for HTTPS, SSH, and ping (optional).

OP mentioned using AWS, in which case Amazon's built-in "Security Groups" feature can be used for restricting access to the instance by port or possibly by protocol. Naturally, however, one would not want any dangerous outbound traffic, such as unencrypted/unauthenticated automatic updates, so there also is merit in controlling which services and programs are running.
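An added example, not part of the original thread and not any commenter's code: a Python check over the JSON that `aws ec2 describe-security-groups` returns, flagging every inbound rule outside the HTTPS, SSH and optional ping set quoted above. The group ID and rules in the sample are constructed, and treating port ranges as findings is an assumption of this sketch.

```python
import json

# Inbound allowed per the thread: HTTPS (tcp/443), SSH (tcp/22), optional ping.
ALLOWED_TCP_PORTS = {22, 443}
ICMP_ECHO_REQUEST = 8  # for icmp rules, FromPort holds the ICMP type

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
]}]}
""")

def rule_allowed(perm, allow_ping=True):
    """True only for single-port tcp/22, tcp/443, or ICMP echo request."""
    proto = perm.get("IpProtocol")
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto == "tcp":
        # A range is rejected even when it happens to include 22 or 443.
        return lo == hi and lo in ALLOWED_TCP_PORTS
    if proto == "icmp":
        return allow_ping and lo == ICMP_ECHO_REQUEST
    return False  # udp, "-1" (all protocols), icmpv6, raw protocol numbers

def sources(perm):
    """Collect IPv4 CIDRs, IPv6 CIDRs and referenced group IDs for a rule."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += [p["GroupId"] for p in perm.get("UserIdGroupPairs", []) if "GroupId" in p]
    return out

def audit(doc, allow_ping=True):
    """Return (group, protocol, ports, sources) for each unexpected inbound rule."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_allowed(perm, allow_ping):
                ports = f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}'
                findings.append((sg["GroupId"], perm["IpProtocol"], ports, sources(perm)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("unexpected inbound rule:", finding)
```

Only `IpPermissions` (inbound) is inspected here; the outbound concern raised in the comment would need the same walk over `IpPermissionsEgress`.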

Interesting, any recommendations for companies selling insurance for this? Affordable insurance for small companies?