Web Application Security: Top 10 Web Security Checklist

Top 10 Web Security Checklist
Chad Perrin explains in his blog why he felt it necessary to approach the subject of a security checklist. Because of the frequency of poor security practices, or "far-too-common security failures on Web sites and Web servers", he saw the importance of gathering these faults together and giving the suitable solution for each. Web server administrators, Web developers, and Webmasters should take into consideration the following tips from his checklist:

1. Validate logins through SSL encryption
Web sites that only switch to SSL (https: URL schemes) after user authentication should stop that practice. Encryption should continue after login, but take great care not to leave the login itself unencrypted. A bad guy can craft a login form for accessing the same resource and private data.

2. Enforce server-side data validation
Some Web forms include JavaScript data validation. If a malicious security cracker discovers that this validation is being relied on for security, he can access the resource at the other end of the Web page by creating his own crafted form, without going through the validation at all. JavaScript form validation can also be avoided simply by deactivating JavaScript in the browser or by using a Web browser that doesn't support JavaScript. Make sure your Web site security doesn't become a victim of client-side data validation: the end user can view the page source or alter the form. Server-side validation is to be preferred.

3. Do not use clear-text protocols to manage your server
Use only encrypted protocols such as SSH, via secure tools such as OpenSSH, to access secure resources. Never use unencrypted FTP or HTTP for Web site or Web server management.

4. Deploy strong encryption
SSL (Secure Sockets Layer) is no longer the next generation of Web site encryption; say hello to TLS, or Transport Layer Security. Whichever you choose, it won't limit your user base the way proprietary, platform-specific technologies do. For back-end management, use cross-platform-compatible strong encryption such as SSH rather than a platform-specific, weak option such as Windows Remote Desktop.

5. Connect from a secured network
Try not to connect from networks with unknown or uncertain security characteristics. If you must use an unsecured network, take care to use a secure proxy, for example an OpenSSH or PuTTY secure proxy.

6. Keep login credentials private
This principle applies to the Webmaster, the Web server administrator and clients alike. Otherwise you may discover that your login credentials are being shared openly with people you don't know and don't want to know, which makes it more difficult to establish an audit trail and to find the root cause of a problem. For the same reason, the number of people involved in any such incident grows.

7. Use key-based authentication over password authentication
Key-based authentication is preferable because, by copying the key only to predefined, authorized systems, you get a stronger authentication credential that is harder to crack.

8. Maintain a secure workstation
If you connect to a secure resource without any guarantee of the client system's integrity, you may discover that you are being "supervised". Despite all the network protection, malicious crackers can still find a way to access sensitive data. If you want your workstation not to be compromised, integrity auditing is recommended.

9. Use redundancy to protect the Web site
Have backups and server failover in order to keep maximum uptime. Because servers crash and get shut down, failover systems can decrease outages. The most important feature is that these duplicate servers maintain an up-to-date copy of the server configuration. In this way your data are preserved, but secure the copies too, and check them regularly.

10. Implement security policies which apply to all systems, not just those specific to Web security
Security is an on-going process and it should include all systems involved in the Web process.
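Item 2 above is the one that is easiest to get wrong in code, so here is an added example (not from Perrin's post or this page) of what "enforce server-side data validation" looks like in practice: a sign-up endpoint that judges the raw POST body by its own rules, so a request that skipped the form's JavaScript (JavaScript disabled, or a copied form posting straight to the URL) is checked exactly like a normal one. The field names, the validation rules and the duplicate-field check are hypothetical choices for the example.

```python
import re
from urllib.parse import parse_qs

# Hypothetical rules; the form's JavaScript is assumed to enforce the same ones.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
MIN_PASSWORD_LEN = 12
MAX_FIELD_LEN = 256


def parse_post_body(body: str) -> dict:
    """Parse a urlencoded POST body into single-valued fields."""
    # A hand-built form can send a field twice; silently keeping the first or
    # last value is a classic validation bypass, so refuse duplicates outright.
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = values[0]
    return fields


def validate_signup(fields: dict) -> list:
    """Return validation errors; an empty list means the input is acceptable."""
    errors = []
    for name in ("username", "email", "password"):
        if name not in fields:
            errors.append(f"{name}: missing")
        elif len(fields[name]) > MAX_FIELD_LEN:
            errors.append(f"{name}: too long")
    if errors:  # skip the pattern checks on absent or oversized input
        return errors
    if not USERNAME_RE.fullmatch(fields["username"]):
        errors.append("username: 3-32 letters, digits or underscores")
    if not EMAIL_RE.fullmatch(fields["email"]):
        errors.append("email: not a valid address")
    if len(fields["password"]) < MIN_PASSWORD_LEN:
        errors.append(f"password: at least {MIN_PASSWORD_LEN} characters")
    return errors


def handle_signup(raw_body: str) -> tuple:
    """Server endpoint: judge the raw body alone, return (HTTP status, errors)."""
    # Nothing here depends on what the browser did, so a request sent with
    # JavaScript off or from a copied form gets exactly the same checks.
    try:
        fields = parse_post_body(raw_body)
    except ValueError as exc:
        return 400, [str(exc)]
    errors = validate_signup(fields)
    return (400, errors) if errors else (200, [])
```

The bodies passed to handle_signup are constructed sample requests; in a real deployment the same function runs on every request regardless of which form, if any, produced it.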