Minding the shopfront¶

A web server is the part of the infrastructure most exposed to view, and the part most often probed. The stack and failures pages cover how the browser-facing controls fit together; these are the procedures to put them in place and confirm they hold.

They start with the information a server gives away for free, move through the security headers that tell the browser what to enforce, add the protective modules that filter bad requests, and end with the logging and the header check that confirm the rest actually took effect.

Information exposure

Hide web server information
Disable directory listing

Security headers

Enforce HTTPS with HSTS
Set a Content Security Policy
Prevent clickjacking with frame controls
Harden cookie attributes
Configure CORS safely

Protective modules

Web application firewall with ModSecurity
Rate limiting with ModEvasive

Logging and verification

Enable web server logging
Check HTTP security headers