Website Security Hardening

A practical, production-grade guide to securing any website — from HTTPS enforcement to Cloudflare WAF and beyond.

12 Security Layers · Production Ready · Blocks 90–95% of Attacks

95% Attacks Blocked
12 Security Layers
OWASP Top 10 Covered
WAF / DDoS Protected
01. Enforce HTTPS

Critical

HTTPS encrypts all data between the browser and server. Without it, credentials, form data, and sessions are exposed in plaintext on the network.

  • Install an SSL/TLS certificate (Let's Encrypt is free)
  • Force redirect all HTTP traffic to HTTPS (301 redirect)
  • Enable HSTS to prevent protocol downgrade attacks
  • Never run production without HTTPS — ever
nginx.conf — HTTPS redirect
# Port 80: permanently redirect every HTTP request to HTTPS
server {
  listen 80;
  server_name example.com;   # placeholder, use your own hostname
  return 301 https://$host$request_uri;
}
# Port 443: serve the site over TLS and tell browsers to stay on HTTPS
server {
  listen 443 ssl;
  server_name example.com;
  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder path (Let's Encrypt layout)
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  # one year; append "; includeSubDomains" once every subdomain serves HTTPS
  add_header Strict-Transport-Security "max-age=31536000" always;
}
Quick win: Use Cloudflare — free SSL and automatic HTTPS in minutes.
02. Secure Hosting Environment

High

Your hosting environment is the foundation. A misconfigured server exposes you to privilege escalation, unauthorized access, and data breaches.

  • Prefer managed platforms: Vercel, Netlify, or GitHub Pages for static sites
  • Keep all server software, OS packages, and runtimes updated
  • Disable unused ports — only expose 80 and 443
  • Enable UFW or provider firewall with strict allow rules
  • Disable root SSH login; use key-based authentication only
For static sites: GitHub Pages + Cloudflare is the most secure, zero-maintenance setup.
03. Input Validation & Sanitization

Critical

Every input field is a potential attack surface. Unvalidated inputs are the root cause of XSS, SQL injection, and command injection attacks.

  • Validate all inputs server-side — never trust the frontend alone
  • Sanitize inputs to strip HTML tags and special characters
  • Use parameterized queries for all database operations
  • Implement Content Security Policy (CSP) to block inline scripts
Prevents: XSS · SQLi · Command Injection
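The three list items above (server-side validation, parameterized queries, CSP) in one dependency-free Node.js handler. This is an added example, not code from the guide; `db` is a hypothetical driver assumed to take `(sql, params)`, and the HTML escaping shown here is output encoding, which complements stripping tags on input: whatever survives validation is still made inert at render time.

```javascript
// Added example (not from the guide): server-side validation, output
// encoding and parameterized queries in plain Node.js, no dependencies.

// 1. Validate with an allowlist: state exactly what a field may contain.
const USERNAME_RE = /^[a-z0-9_]{3,32}$/i;

function validateUsername(input) {
  if (typeof input !== 'string') return { ok: false, error: 'not a string' };
  const value = input.trim();
  if (!USERNAME_RE.test(value)) return { ok: false, error: 'invalid username' };
  return { ok: true, value };
}

// 2. Encode on output: text shown inside HTML is escaped when rendered,
//    so "<script>" becomes inert text rather than markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 3. Parameterized query: the SQL text is constant and user data travels
//    separately as parameters, so quotes in the input cannot change the statement.
//    `db` is a hypothetical driver with the usual (sql, params) calling shape.
function findUserQuery(username) {
  return { sql: 'SELECT id, email FROM users WHERE username = ?', params: [username] };
}

// The concatenation pattern the guide warns against, kept only for contrast:
// the input becomes part of the SQL text, so a quote in a name alters the statement.
function findUserQueryUnsafe(username) {
  return { sql: "SELECT id, email FROM users WHERE username = '" + username + "'", params: [] };
}

// 4. A CSP that refuses inline scripts and plugins (value is an assumption, not the guide's).
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Handler sketch: validate, build the query, encode before rendering.
function handleProfileRequest(rawUsername) {
  const headers = { 'Content-Security-Policy': CSP_HEADER };
  const v = validateUsername(rawUsername);
  if (!v.ok) return { status: 400, body: escapeHtml(v.error), headers };
  const query = findUserQuery(v.value);        // would be passed to db.get(query.sql, query.params)
  return { status: 200, body: `<h1>${escapeHtml(v.value)}</h1>`, headers, query };
}
```

Note that `findUserQuery("O'Brien")` and `findUserQuery("bob")` produce byte-identical SQL, which is the property that makes parameterization immune to quoting tricks; the unsafe version produces a different statement for every input.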
04. Protect Admin & Sensitive Routes

High

Default admin routes are the first thing attackers scan for. Exposed dashboards with weak credentials are compromised within hours of going live.

  • Use strong, unique passwords (20+ characters, password manager)
  • Enable Two-Factor Authentication (2FA) on all admin accounts
  • Rename default routes — never use /admin or /wp-admin
  • Restrict admin access by IP allowlist where possible
  • Implement account lockout after failed login attempts
05. Secure Environment Variables

Critical

Leaked API keys and secrets are one of the most common causes of data breaches. Thousands of credentials are exposed on GitHub every day.

  • Never hardcode API keys, passwords, or tokens in source code
  • Store all secrets in .env files — never commit them
  • Add .env to .gitignore before your first commit
  • Use platform secret managers (GitHub Secrets, Vercel Env Vars)
  • Rotate any key that was accidentally exposed immediately
.gitignore — essential entries
.env
.env.local
.env.production
*.key
secrets/
06. Security Headers

High

HTTP security headers instruct browsers to enforce security policies that block entire classes of attacks.

Header                      Value                              Protects Against
Content-Security-Policy     default-src 'self'                 XSS, data injection
X-Frame-Options             DENY                               Clickjacking
X-Content-Type-Options      nosniff                            MIME sniffing
Referrer-Policy             strict-origin-when-cross-origin    Data leakage
Strict-Transport-Security   max-age=31536000                   Protocol downgrade
Test your headers at securityheaders.com — aim for an A+ rating.
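The header set from the table, applied to a Node.js response, together with a small audit in the spirit of the securityheaders.com check: it reports which of the five headers a response is missing and which carry a weak value. Added example, not from the guide; the "weak value" rules (a CSP that allows 'unsafe-inline' without nonces or hashes, an HSTS max-age under one year, a Referrer-Policy outside the strict set) are my own thresholds.

```javascript
// Added example, not from the guide: apply the five headers from the table
// and audit an arbitrary response-header object against them.

const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=31536000',
};

// Set every header on a Node http.ServerResponse (anything with setHeader works).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  return res;
}

// Per-header value checks; each returns a problem description or null.
// These thresholds are assumptions chosen for this example.
const CHECKS = {
  'Content-Security-Policy': (v) =>
    /'unsafe-inline'/.test(v) && !/nonce-|sha256-/.test(v) ? "allows 'unsafe-inline' without nonces or hashes" : null,
  'X-Frame-Options': (v) => (/^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : 'must be DENY or SAMEORIGIN'),
  'X-Content-Type-Options': (v) => (v.trim().toLowerCase() === 'nosniff' ? null : 'must be nosniff'),
  'Referrer-Policy': (v) =>
    /^(no-referrer|strict-origin|strict-origin-when-cross-origin|same-origin)$/i.test(v.trim()) ? null : 'may leak full referrer URL',
  'Strict-Transport-Security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m && Number(m[1]) >= 31536000 ? null : 'max-age below one year';
  },
};

// Audit a { name: value } object (header names compared case-insensitively,
// as in HTTP). Returns { missing: [names], weak: { name: problem } }.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const missing = [];
  const weak = {};
  for (const name of Object.keys(SECURITY_HEADERS)) {
    const value = lower[name.toLowerCase()];
    if (value === undefined) { missing.push(name); continue; }
    const problem = CHECKS[name](value);
    if (problem) weak[name] = problem;
  }
  return { missing, weak };
}
```

To audit a live site, fetch a page and pass `Object.fromEntries(response.headers)` to `auditHeaders`; an empty `missing` list and an empty `weak` object is the target the guide describes.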
07. Rate Limiting

Medium

Without rate limiting, attackers can brute-force login forms, spam contact forms, and overwhelm APIs with thousands of requests per second.

  • Limit requests per IP — e.g., 10 requests/minute on forms
  • Add exponential backoff for repeated failed attempts
  • Use CAPTCHA (hCaptcha / Cloudflare Turnstile) on public forms
  • Cloudflare WAF handles rate limiting automatically at the edge
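A per-IP sliding-window limiter (10 requests/minute by default, matching the figure above) together with the exponential-backoff account lockout that layer 04 calls for, wired into one login handler. This is an added example, not code from the guide: state is kept in memory, the clock is injected so the behaviour is deterministic, and `checkPassword` is a hypothetical verifier. A real deployment would keep the counters in shared storage such as Redis, or let the Cloudflare WAF enforce the request limit at the edge as the last item above says.

```javascript
// Added example, not from the guide: sliding-window rate limiting per IP
// plus exponential backoff lockout for failed logins (layers 04 and 07).

class SlidingWindowLimiter {
  constructor({ limit = 10, windowMs = 60000, now = Date.now } = {}) {
    this.limit = limit; this.windowMs = windowMs; this.now = now;
    this.hits = new Map();   // key (e.g. client IP) -> timestamps inside the window
  }
  // true if the request may proceed, false if the key is over its limit.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) { this.hits.set(key, recent); return false; }
    recent.push(t);
    this.hits.set(key, recent);
    return true;
  }
}

class LoginBackoff {
  // After `threshold` failures the lockout doubles each time: base, 2*base, 4*base ... capped at maxMs.
  constructor({ threshold = 5, baseMs = 1000, maxMs = 15 * 60000, now = Date.now } = {}) {
    Object.assign(this, { threshold, baseMs, maxMs, now });
    this.state = new Map();  // account -> { failures, lockedUntil }
  }
  // Milliseconds the account stays locked; 0 means it may attempt a login now.
  lockedFor(account) {
    const s = this.state.get(account);
    return s ? Math.max(0, s.lockedUntil - this.now()) : 0;
  }
  recordFailure(account) {
    const s = this.state.get(account) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.threshold) {
      const exponent = s.failures - this.threshold;   // 0 at the threshold, then 1, 2, ...
      s.lockedUntil = this.now() + Math.min(this.maxMs, this.baseMs * 2 ** exponent);
    }
    this.state.set(account, s);
    return s;
  }
  recordSuccess(account) { this.state.delete(account); }
}

// The login path refuses the request at the limiter or during lockout
// before any password is checked. `checkPassword` is a hypothetical verifier.
function attemptLogin({ ip, account, password }, { limiter, backoff, checkPassword }) {
  if (!limiter.allow(ip)) return { status: 429, reason: 'rate limited' };
  const wait = backoff.lockedFor(account);
  if (wait > 0) return { status: 429, reason: 'locked', retryAfterMs: wait };
  if (checkPassword(account, password)) { backoff.recordSuccess(account); return { status: 200 }; }
  backoff.recordFailure(account);
  return { status: 401, reason: 'bad credentials' };
}
```

The lockout is keyed by account rather than IP so that a distributed attempt against one account still hits the backoff, while the request limiter keyed by IP protects every endpoint, including forms that have no account at all; the failure counter is also the natural place to emit the "failed login threshold" alert that layer 11 asks for.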
08. Cloudflare Protection

Highly Recommended

Cloudflare sits between your visitors and your server, filtering malicious traffic before it ever reaches you. Free and takes 10 minutes to set up.

DDoS Protection

Absorbs volumetric attacks automatically — up to Tbps scale.

Web Application Firewall

Blocks OWASP Top 10 attacks, SQLi, XSS, and known exploit patterns.

Bot Filtering

Identifies and blocks malicious bots, scrapers, and credential stuffers.

Traffic Analytics

Real-time visibility into who is hitting your site and from where.

Setup: Point your domain nameservers to Cloudflare. Free plan covers everything for a portfolio site.
09. Secure GitHub Workflow

Medium

Your repository is part of your attack surface. Leaked secrets in commit history are permanent and found by automated scanners within minutes.

  • Never commit API keys, passwords, or tokens — use GitHub Secrets
  • Set up .gitignore before your first commit
  • Enable GitHub secret scanning on your repository
  • Review all dependencies before installing — check for typosquatting
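A pre-commit style check that scans the files about to be committed for strings shaped like credentials and for paths the `.gitignore` in layer 05 is meant to exclude, so a key is caught before it ever lands in history (the problem layers 05 and 09 both describe). Added example, not code from the guide or from GitHub's own secret scanning; the token shapes are the publicly documented prefixes for AWS access key ids, GitHub personal access tokens and PEM private keys, and the sample files, including the key-like string, are constructed.

```javascript
// Added example, not from the guide: scan staged file contents for
// credential-shaped strings and forbidden paths before a commit is made.

const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Any "api_key / secret / password / token = '<12+ chars>'" style literal.
  { name: 'Generic assignment', re: /\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][^'"]{12,}['"]/i },
];

// Paths that must never be committed, mirroring the .gitignore entries in layer 05.
const FORBIDDEN_PATHS = [/(^|\/)\.env(\..*)?$/, /\.key$/, /(^|\/)secrets\//];

// Scan a { path: contents } map; returns findings as { path, line, pattern }.
// Line 0 marks a whole file that should not be committed at all.
function scanStagedFiles(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    if (FORBIDDEN_PATHS.some((re) => re.test(path))) {
      findings.push({ path, line: 0, pattern: 'forbidden file' });
      continue;
    }
    contents.split('\n').forEach((text, i) => {
      for (const { name, re } of SECRET_PATTERNS) {
        if (re.test(text)) findings.push({ path, line: i + 1, pattern: name });
      }
    });
  }
  return findings;
}

// Hook entry point: true means the commit may proceed.
function commitAllowed(files) {
  return scanStagedFiles(files).length === 0;
}

// Constructed sample: a clean config that reads from the environment, a file
// with a key-shaped literal (not a real key), and an env file that slipped in.
const SAMPLE_FILES = {
  'src/config.js': 'const apiKey = process.env.API_KEY; // read from the environment, not the repo\n',
  'src/upload.js': "const client = new S3({ accessKeyId: 'AKIAEXAMPLEKEY000000' });\n",
  '.env.local': 'DB_PASSWORD=hunter2\n',
};
```

In a real hook the `files` map would be built from `git diff --cached --name-only` and the staged blob contents; a non-zero exit from the hook is what stops the commit. Pattern scanning of this kind catches the common shapes only, which is why the guide also says to enable GitHub's server-side secret scanning and to rotate anything that does get through.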
10. Keep Dependencies Updated

Medium

Outdated dependencies are a leading cause of supply chain attacks. A single vulnerable package can compromise your entire application.

  • Run npm audit regularly to find known vulnerabilities
  • Enable Dependabot on GitHub for automated security PRs
  • Remove unused packages — every dependency is a risk
Terminal — audit commands
npm audit        # list known vulnerabilities in the installed dependency tree
npm audit fix    # apply fixes that stay within existing semver ranges (--force may introduce breaking upgrades)
npm outdated     # show packages with newer versions available
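Running `npm audit` by hand is only useful if someone reads the result, so a CI gate that fails the build on findings at or above a chosen severity is the usual follow-up. Added example, not from the guide or from npm: it summarises the JSON that `npm audit --json` prints; the sample report is constructed in the shape npm 7 and later emit (`auditReportVersion: 2`, one entry per vulnerable package, with advisory objects for the root cause and package-name strings for transitive chains in `via`), and the package names and advisory titles are invented.

```javascript
// Added example, not from the guide: gate a build on `npm audit --json`
// output. SAMPLE_REPORT is constructed to mirror the npm 7+ report shape.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return the vulnerabilities at or above `failOn`, most severe first.
function summarizeAudit(report, failOn = 'high') {
  const vulns = Object.values(report.vulnerabilities || {});
  const threshold = SEVERITY_RANK[failOn];
  const failing = vulns
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),                 // a dependency you chose vs one pulled in transitively
      fixAvailable: v.fixAvailable !== false,      // false means no published fix yet
      // `via` mixes advisory objects (root cause) with package-name strings (transitive chain)
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.title),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { total: vulns.length, failing, ok: failing.length === 0 };
}

// Exit status for a CI step: 0 passes, 1 fails the build.
function exitCodeFor(report, failOn = 'high') {
  return summarizeAudit(report, failOn).ok ? 0 : 1;
}

// Constructed sample report (package names and advisories are invented).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true,
      via: [{ title: 'Prototype pollution (constructed advisory)', severity: 'high' }],
      effects: ['example-logger'], range: '<2.0.0', fixAvailable: true,
    },
    'example-logger': {
      name: 'example-logger', severity: 'low', isDirect: false,
      via: ['example-parser'], effects: [], range: '*',
      fixAvailable: { name: 'example-parser', version: '2.0.0', isSemVerMajor: true },
    },
    'example-crypto': {
      name: 'example-crypto', severity: 'critical', isDirect: false,
      via: [{ title: 'Timing leak in compare (constructed advisory)', severity: 'critical' }],
      effects: [], range: '<1.4.2', fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};
```

In a pipeline the report would be read from standard input (`npm audit --json | node audit-gate.js`) and `process.exit(exitCodeFor(report))` called; entries with `fixAvailable: false` are the ones that need a replacement package or a compensating control rather than `npm audit fix`.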
11. Logging & Monitoring

Medium

You can't defend what you can't see. Logging and monitoring give you visibility into attacks in progress and forensic data after an incident.

  • Enable access logs on your web server or hosting platform
  • Monitor for suspicious patterns: 404 spikes, repeated POST requests
  • Track failed login attempts and alert on thresholds
  • Use Cloudflare Analytics for edge-level traffic visibility
  • Set up uptime monitoring (UptimeRobot is free)
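The "suspicious patterns" item above, turned into detection logic that runs over access-log lines in the nginx/Apache combined format and flags per-IP 404 spikes and repeated POSTs to one path. Added example, not from the guide; the thresholds are assumptions and the log lines are constructed with documentation-range addresses.

```javascript
// Added example, not from the guide: detect 404 spikes and repeated POSTs
// per client IP in combined-format access logs. Sample lines are constructed.

// client, ident, user, [time], "METHOD path proto", status, bytes, ...
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;                       // skip malformed or truncated lines
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns alerts as { ip, kind, count, path? } for every IP over a threshold.
// Thresholds are assumptions; tune them to the site's normal traffic.
function detectSuspicious(lines, { max404 = 5, maxPost = 5 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const s = perIp.get(r.ip) || { notFound: 0, posts: new Map() };
    if (r.status === 404) s.notFound += 1;
    if (r.method === 'POST') s.posts.set(r.path, (s.posts.get(r.path) || 0) + 1);
    perIp.set(r.ip, s);
  }
  const alerts = [];
  for (const [ip, s] of perIp) {
    if (s.notFound > max404) alerts.push({ ip, kind: '404 spike', count: s.notFound });
    for (const [path, n] of s.posts) {
      if (n > maxPost) alerts.push({ ip, kind: 'repeated POST', count: n, path });
    }
  }
  return alerts;
}

// Constructed sample: a normal visitor, a client probing non-existent paths,
// and a client hammering the login form.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  ...Array.from({ length: 8 }, (_, i) =>
    `198.51.100.7 - - [10/Mar/2024:12:01:0${i} +0000] "GET /probe-${i} HTTP/1.1" 404 153 "-" "curl/8.0"`),
  ...Array.from({ length: 7 }, (_, i) =>
    `192.0.2.9 - - [10/Mar/2024:12:02:0${i} +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"`),
];
```

Run it from a cron job or a log-shipper hook over the last few minutes of the access log and forward the alerts to whatever channel you already watch; the same per-IP state is a natural input for the failed-login alert threshold mentioned above.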
12. Backup Strategy

Important

Backups are your last line of defense. Ransomware, accidental deletion, and server failures happen — without backups, recovery is impossible.

  • Schedule regular automated backups (daily for active sites)
  • Store backups separately from the main server (3-2-1 rule)
  • Test your restore process — a backup you can't restore is useless
  • For static sites: your Git repository IS your backup — keep it clean
3-2-1 Rule: 3 copies, on 2 different media types, with 1 offsite copy.

No website is 100% hack-proof.

But implementing all 12 layers above blocks 90–95% of real-world attacks. Bots and script kiddies will fail. Your site becomes production-grade secure.