Production checklist (megatask)
As per ACSC Guidelines for Software Development:
Development and modification of software only takes place in development environments
(No config changes/development on production)
Application on production:
- Disable/restrict super admin user
- Disable development-only or debugging features
- Configure production environment to prevent any code modification
- Configure logging of any configuration modification
Production environment:
- Restrict detailed debug or error messages
- Syslog should be used for all logging (not database)
- Configure centralised log collection and alerting mechanism
- Restrict access to file system
- Enable SSL/HTTPS
- Configure CDN
- Set up uptime, resource and traffic monitoring
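As an added example (not part of this checklist, the ACSC guidance or any project code), the following Python script turns the items above into automated go-live checks: it evaluates an application settings mapping against the application and logging items, and walks a code directory to find files that group or world could modify (the "prevent any code modification" item). The settings key names (DEBUG, SUPERADMIN_ENABLED, LOG_BACKEND and so on), the sample values and the temporary directory are all hypothetical, constructed for the example; a real deployment would map them onto its own framework's settings.

```python
"""Production-readiness checks for the checklist items above (added example).

Settings keys below are hypothetical names, not any specific framework's;
missing keys fail closed so an unset value is reported rather than assumed safe.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    item: str     # checklist item the rule maps to
    ok: bool
    detail: str   # what a passing configuration looks like


# Constructed sample: a typical pre-go-live export, every item still failing.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "DETAILED_ERRORS": True,
    "SUPERADMIN_ENABLED": True,
    "LOG_BACKEND": "database",
    "LOG_REMOTE_COLLECTOR": "",
    "AUDIT_CONFIG_CHANGES": False,
    "FORCE_HTTPS": False,
}

# Constructed sample: the same settings after hardening.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "DETAILED_ERRORS": False,
    "SUPERADMIN_ENABLED": False,
    "LOG_BACKEND": "syslog",
    "LOG_REMOTE_COLLECTOR": "logs.example.internal:514",  # placeholder host
    "AUDIT_CONFIG_CHANGES": True,
    "FORCE_HTTPS": True,
}


def check_settings(settings):
    """Evaluate each checklist rule; `is False`/`is True` keeps missing keys failing."""
    rules = [
        ("Disable development-only or debugging features",
         settings.get("DEBUG") is False, "DEBUG is False"),
        ("Restrict detailed debug or error messages",
         settings.get("DETAILED_ERRORS") is False, "DETAILED_ERRORS is False"),
        ("Disable/restrict super admin user",
         settings.get("SUPERADMIN_ENABLED") is False, "SUPERADMIN_ENABLED is False"),
        ("Syslog should be used for all logging (not database)",
         settings.get("LOG_BACKEND") == "syslog", "LOG_BACKEND is 'syslog'"),
        ("Configure centralised log collection and alerting mechanism",
         bool(settings.get("LOG_REMOTE_COLLECTOR")), "LOG_REMOTE_COLLECTOR points at a collector"),
        ("Configure logging of any configuration modification",
         settings.get("AUDIT_CONFIG_CHANGES") is True, "AUDIT_CONFIG_CHANGES is True"),
        ("Enable SSL/HTTPS",
         settings.get("FORCE_HTTPS") is True, "FORCE_HTTPS is True"),
    ]
    return [Finding(item, ok, detail) for item, ok, detail in rules]


def failed_items(settings):
    """Names of the checklist items that the given settings do not satisfy."""
    return [f.item for f in check_settings(settings) if not f.ok]


GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_code_files(root):
    """Regular files under root whose mode lets group or others modify them."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & GROUP_OR_WORLD_WRITE:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_writable_check():
    """Build a throwaway tree with one read-only and one over-permissive file."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "app.py")
        bad = os.path.join(root, "settings.py")
        for path in (good, bad):
            with open(path, "w") as fh:
                fh.write("# constructed sample file\n")
        os.chmod(good, 0o444)   # what production code should look like
        os.chmod(bad, 0o666)    # group/world writable: flagged
        return writable_code_files(root)


if __name__ == "__main__":
    for finding in check_settings(SAMPLE_SETTINGS):
        print(("PASS" if finding.ok else "FAIL"), finding.item, "->", finding.detail)
    print("writable code files:", demo_writable_check())
```

Wire `failed_items()` and `writable_code_files()` into a release pipeline step that blocks deployment when either returns anything; the permission walk should run as the service account with the application root as `root`, and owner write bits should additionally be treated as failures when that account owns the files.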
TODO: add more items to this list as required
Refs:
- ACSC: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/web-hardening/securing-content-management-systems
- OWASP: WSTG-INFO-08: Fingerprint Web Application Framework: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework
Edited by Janna