Hacker News
by hawe 4073 days ago
Some ideas for a general strategy:

* Check TLS/SSL https://www.ssllabs.com/ssltest/
* Use HTTPS, HSTS
* Have a security response page if someone found a problem
* What to do if your application was compromised, be prepared for the worst
* Check and update your software regularly
* Review changes in your software regularly if it impacts your overall security strategy
* Keep a security checklist in your codebase
* Do your own code audits, just read it again after a few days and ask the right questions
* Remove all credentials from your codebase
* Read about the "new" security headers here: https://github.com/twitter/secureheaders
* Know what kind of/how many requests your API/web app gets, maybe throttle or block some