When starting a new project, it is best to do the following security related items as soon as possible, otherwise it will be terribly difficult to add at a later stage.
- Disable unsecured HTTP bindings as soon as possible. Only transact with HTTPS.
- Enable HSTS as soon as possible.
- Disable insecure ciphers for the web server and application.
- Integrate with a commercial STS that has protection against brute force attacks. Do not store the user information yourself unless you know what you are doing. If you are doing the user management yourself there is so much more to worry about. Password hashing, account locking, forget password mechanism…
- Enabled secure cookies. Do not allow cookies to be transmitted over a insecure connection.
- Do not store sensitive information if possible. If you do make sure to encrypt or hash all the data with a industry standard method. See GDPR
- Disable unauthenticated access to all resources within the application. No exception. Exception means it goes into a different project.
- Implement a tamper proof URL rewrite module.
- Use a dedicated data layer or tier within the application that utilizes a ORM for ALL database transactions to protect against SQL injection.
- Implement reference tokens and a security token cache to detect token replays.
Sneaking in 2 more..
- Implement short session timeouts to protect against session hijacking.
- Do not disclose technical information of the application.
– Add static custom error pages. Do not expose stack traces. Static – cause even a dynamic error page can have an error…
– Disable metadata output of services
– Remove headers that identify the host type.