Security checklist - designing a website

This is a design checklist: the facts you should have established before you begin developing your website.

Security requirements

[ ] I know how critical security will be for the website (whether it is a blog, a corporate website, an e-shop, a banking application, etc.).

[ ] I know whether my website will need to meet any special certification or compliance requirements (PCI DSS, Safe Harbor, etc.).

[ ] I know which special requirements will be imposed on the website (custom authentication, premium sections, several types of administrators, etc.).

[ ] I have an idea of the number of users who will access the system, the roles the users will be grouped under, which sections of the website will be accessible only to authenticated users, and so on.

[ ] I know how large the scope of the planned custom development will be.

[ ] I know whether security will be addressed during the design and development phase (for example with threat modeling) or only after the website has been implemented; fixing security issues after implementation is considerably more expensive.

Environment

[ ] I know which environment I will deploy my website to (a private server, shared web hosting, or the cloud).

[ ] I know the security restrictions of the live environment.

[ ] I know which settings I will have access to in the live environment (for example, which IIS settings I will be able to change).

Xperience

[ ] I have mapped my security requirements to Xperience features (for example, if I want to apply a password policy, I know whether the default Xperience password policy functionality suits my purposes).

[ ] I am familiar with all of the protections built into Xperience and I know how to use them.

[ ] I know which applications and services my website will need, and which I can uninstall or disable.

[ ] I know how to use the Xperience API securely.

[ ] I have designed all custom authentication and authorization protections and I know how to implement them in Xperience.