SecurityJuly 04, 20267 min
Web Security: Complete Checklist for Businesses
Web security involves multiple layers — from HTTP headers to API authentication. This checklist covers the essential points to protect web applications in production.
Security headers
Configure HTTP headers to protect against common attacks: - **Content-Security-Policy:** Prevents XSS by defining allowed sources - **X-Frame-Options:** SAMEORIGIN prevents clickjacking - **X-Content-Type-Options:** nosniff prevents MIME sniffing - **Strict-Transport-Security:** forces HTTPS - **Referrer-Policy:** controls referrer information
Authentication and authorization
Use robust authentication: MFA when possible, strong passwords, rate limiting on login attempts. Implement role-based access control (RBAC) to manage functionality access. Store passwords with bcrypt or Argon2. Never in plain text or MD5/SHA1.
Injection protection
SQL Injection, XSS and Command Injection remain among the most common vulnerabilities. Use parameterized queries, escape output and validate input.
Dependencies and patches
Keep dependencies updated. Use tools like npm audit, Snyk or Dependabot to identify vulnerabilities in packages. Define process to apply security patches quickly — 48h window for critical vulnerabilities.
HTTPS and TLS
Force HTTPS on all pages. Use Let's Encrypt for free certificates. Configure TLS 1.2+ and secure cipher suites. HTTP → HTTPS redirect should be done at the server level (Nginx/Apache) before reaching the application.
Conclusion
Web security is a continuous responsibility. Review this checklist periodically and adapt to your application's reality. Companies that need web security assessments can rely on specialized consulting.
Related service
Kodden applies hardening on servers and web services to reduce attack surface.
View Security and Hardening service