 Implement the principle of least privilege: We ensure that all user have least amount of privilege necessary on the web server.

 Use multifactor authentication: We use multifactor authentication. Implement multifactor authentication for user logins to web applications and the underlying website infrastructure.

 Change default vendor usernames and passwords: Default vendor credentials are not secure—they are usually readily available on the internet. Changing default usernames and passwords will prevent an attack that leverages default credentials.

 Disable unnecessary accounts: Disable accounts that are no longer necessary, such as guest accounts or individual user accounts that are no longer in use.

 DecUse security checklists: Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system.

 Use application whitelisting: Use application whitelisting and disable modules or features that provide capabilities that are not necessary for business needs.

 Use network segmentation and segregation: Network segmentation and segregation makes it more difficult for attackers to move laterally within connected networks. For example, placing the web server in a properly configured demilitarized zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems in the internal corporate network.

 Know where your assets are: You must know where your assets are in order to protect them. For example, if you have data that does not need to be on the web server, we remove it to protect it from public access.

 Protect the assets on the web server: We protect assets on the web server with multiple layers of defense (e.g., limited user access, encryption at rest).

 Sanitize all user input: Sanitize user input, such as special characters and null characters, at both the client end and the server end. Sanitizing user input is especially critical when it is incorporated into scripts or structured query language statements.

 Increase resource availability: Configure your website caching to optimize resource availability. Optimizing your website’s resource availability increases the chance that your website will withstand unexpectedly high amounts of traffic during DoS attacks.

 Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections: Protect your website system, as well as visitors to your website, by implementing XSS and XSRF protections.

 Implement a Content Security Policy (CSP): Website owners should also consider implementing a CSP. Implementing a CSP lessens the chances of an attacker successfully loading and running malicious JavaScript on the end user machine.

 Audit third-party code: Audit third-party services (e.g., ads, analytics) to validate that no unexpected code is being delivered to the end user. Website owners should weigh the pros and cons of vetting the third-party code and hosting it on the web server (as opposed to loading the code from the third party).

 Implement hypertext transfer protocol secure (HTTPS) and HTTP strict transport security (HSTS): Website visitors expect their privacy to be protected. To ensure communications between the website and user are encrypted, always enforce the use of HTTPS, and enforce the use of HSTS where possible.

 Implement additional security measures: Additional measures includes:
 Running static and dynamic security scans against the website code and system.
 Deploying web application firewalls.
 Leveraging content delivery networks to protect against malicious web traffic, and providing load balancing and resilience against high amounts of traffic.

 Practice healthy cyber hygiene:
 Patch systems at all levels—from web applications and backend database applications, to operating systems and hypervisors.
 Perform routine backups, and test disaster recovery scenarios.
 Configure extended logging and send the logs to a centralized log server.