

Ask HN:  How do you secure your preferred web or app stack? - SkyMarshal

Most web or app frameworks are not entirely secure out of the box.  Of the ones you know well and use regularly, what do you do to secure the default install/config?
======
mike-cardwell
First of all, run it under its own dedicated uid to minimise the damage if it
does get compromised. Make it so that that uid doesn't have write access to
any of the web space, including the files making up that web application.
Stick a web application firewall in front of it, like mod_security for Apache.
Always keep it patched up to date, including any plugins. Make sure you follow
any relevant RSS-based changelogs, blogs, mailing lists or Twitter streams etc.
so you're informed of any security problems.
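
One way to check the "no write access to the web space" advice above, as an added example that is not part of the original comment: a shell function that lists every path under a web root that a given service account could modify. The function name `writable_by` and the sample path and account in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for paths that a
# service account could modify. writable_by and the sample values below
# are hypothetical names.

# writable_by WEBROOT ACCOUNT
# Prints one path per line; returns 2 if ACCOUNT cannot be resolved.
writable_by() {
    root=$1
    acct=$2
    gids=$(id -G "$acct" 2>/dev/null) || return 2

    # 1. Anything the account owns: an owner can chmod its own files,
    #    so the current mode bits do not matter.
    find "$root" -user "$acct" -print

    # 2. World-writable entries owned by someone else. Symlinks are
    #    skipped because their own mode bits are not enforced.
    find "$root" ! -type l ! -user "$acct" -perm -0002 -print

    # 3. Group-writable entries whose group the account is a member of.
    for gid in $gids; do
        find "$root" ! -type l ! -user "$acct" ! -perm -0002 \
            -group "$gid" -perm -0020 -print
    done
}

# Example invocation (constructed values):
#   writable_by /var/www/app www-app
```

Empty output means the mode bits give the account no write path into the tree; ACLs and writable parent directories outside the web root are not covered by this check.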

