Website Security Cheat Sheet

Authoress: Kateryna Ivanenko, Brand Manager (Invicti & Acunetix) at CoreWin

The article provides a website security cheat sheet – a compact and practical guide covering core best practices for web applications protection.

1. Server & Hosting Security

• Using HTTPS for all pages (HSTS (HTTP Strict Transport Security) recommended).
• Keeping server OS and software up-to-date.
• Restricting access via firewalls, IP whitelisting, and SSH key authentication.
• Disabling unnecessary services and ports.

2. Authentication & Access Control

• Enforcing strong password policies.
• Implementing multifactor authentication.
• Using OAuth 2.0 or OpenID Connect for third-party authentication, ensuring proper token validation and secure redirect handling.
• Preventing brute force attacks with rate-limiting and account lockouts.
• Setting session timeouts and using secure cookie flags (HttpOnly, Secure, SameSite=Lax or Strict) to prevent theft or misuse.

3. Preventing Common Attacks

• Sanitizing all user input.
• Escaping or encoding output based on its context (HTML, JavaScript, CSS, URL, etc.) to prevent injection vulnerabilities.
• XSS (Cross-Site Scripting): context-aware output encoding and enabling Content Security Policy (CSP) headers.
• SQL Injection: using parameterized queries (prepared statements) and secure ORM frameworks.
• CSRF (Cross-Site Request Forgery): using anti-CSRF tokens and setting SameSite cookie attributes (Lax or Strict).
• Directory traversal: validating file paths, restricting to safe directories, and avoiding direct use of user-supplied paths.
• Command injection: never passing user input directly to system commands.

4. Secure File Handling

• Validating file and MIME (media) types.
• Using randomized and sanitized filenames.
• Storing uploaded files outside the web-accessible directory to prevent direct access.
• Setting strict file permissions (e.g., 0644) and removing execute permissions on uploaded files.
• Limiting file size.

5. Secure Configuration & Secrets

• Avoiding hardcoding API keys, passwords, or credentials in source code to prevent accidental exposure.
• Using secure storage for secrets.
• Removing debug code and verbose error messages in production.

6. Headers & Content Security

• Setting strong security headers:

Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer

• Disabling unnecessary browser features with Permissions-Policy.

7. Monitoring & Logging

• Logging login attempts, changes, and errors while ensuring that sensitive data is not captured in the logs.
• Using WAFs (Web Application Firewalls).
• Monitoring for file changes, traffic anomalies, and intrusion attempts.

8. Security Testing & Remediation

• Performing regular security testing with DAST tools, such as Invicti (formerly Netsparker), and SAST solutions like Mend.io. If you would like to test these solutions for free, you can reach out to us in a way convenient for you.
• Using dependency checking tools like Mend.io.
• Remediating issues in a timely manner.

9. Secure Software Development Lifecycle (SDLC)

• Considering security on early stages.
• Adopting secure coding guidelines.
• Building DevSecOps pipelines with automated security scans.

This way, teams can improve security posture of the company’s websites and make sure they are resistant in the modern threat landscape.