Created 24 August 2017 20:03, updated 02 July 2018 20:59
Creating a web site is simple, but there are a lot of basic items to consider that are easy to forget but will trip you up in the lifetime of the web site. These lists should be revisited regularly.
For your site as a whole
- While sitemaps are not as important as they used to be, if you have a complex site heirarchy or some pages are perhaps hidden behind posted forms, it may help your SEO to include a sitemap (sitemap.xml)
- X-Frame-Options header
- If possible, serve everything over HTTPS (https://httpsiseasy.com/)
- Implement HSTS: https://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx
- Ensure all passwords are hashed, and allow users to reset passwords by send them an email
- Error messages should be caught at a global level - don't reveal sensitive information when an error occurs
- Create an appropriate robots.txt
- Scan your site using http://www.webpagetest.org
- Scan your site using https://securityheaders.io/
- Run your site through https://asafaweb.com (particularly if your site is ASP.NET)
- Run your site through https://gtmetrix.com/
- Optimize your images: https://pnggauntlet.com/
For every page
- Version numbers on CSS and JS include files - this will prevent new deploys from going wrong because users have cached copies of old files on their machines e.g. Myfile.js?version=1.0.4
- SQL Injection attacks - have you parameterised all your queries? Dapper, maybe?
- CSRF/XSRF Vulnerabilities - every page on your site (apart from the login screen) should compare the value of a form item AND a cookie to ensure they are the same cyrptographically secure number, otherwise authentication fails. For ASP.NET users, use the anti-forgery token.
- Don't send any sensitive information over email e.g. passwords
- Can the parameters be tampered with to reveal data the user should not be able to get to?