Ask HN: How secure should my site/server be? - k0

I'm not new to security, and that's why I ask. I have created a "payment portal" integrated with Stripe for my [few] customers. I have gone through various guides for securing Debian, Apache/Node, MySQL on a dedicated instance, etc., using HTTPS only, SSL certs, passed the Qualys HTTPS/SSL scan with a 90%/A rating, performed Qualys and other vulnerability scans...but have I done enough? I'm not storing credit card info, but am storing usernames, passwords, and basic stats. I also developed the portal with security in mind, taking CORS, SQL injection, and other tactics into account.

I know security is and should be considered at every layer, but when is there a reasonable amount of security when security is not my primary focus?
======
cdvonstinkpot
I don't know about 'best practices', but I know of a nice app that's less
resource intensive than 'fail2ban':
[https://github.com/sofar/tallow](https://github.com/sofar/tallow)

~~~
k0
Thanks for the link.

------
k0
Since my main concern about security is cardholder data leaks, I looked into
what it takes to become PCI-compliant
[https://www.pcisecuritystandards.org/merchants/self_assessme...](https://www.pcisecuritystandards.org/merchants/self_assessment_form.php),
not that PCI compliance is the be-all and end-all of web security.