I think one of the things that’s often forgotten about securing your app is limiting its URL surface area.
For example, if you visit the IP address of your server, does the app load? What about the staging URL?
If you’re on Apache, a quick .htaccess conditional on an environment variable will fix this issue. If you’re on Nginx, the same thing applies.
I think even on marketing sites this is a relatively important thing. For example:
This site is built with Gatsby on Netlify. Netlify’s Redirect Rules are fairly straightforward. You have to put a _redirects file in the root of your published directory.
I do this by putting a `_redirects` file in the root of my repo, and then changing my npm build script to look like this:

```sh
gatsby build --prefix-paths && cp ./_redirects ./public
```
Then, inside my `_redirects` file, I put this content:

```text
http://priceless-ardinghelli-0ef69f.netlify.com/* https://tylerzey.com/:splat 301!
https://priceless-ardinghelli-0ef69f.netlify.com/* https://tylerzey.com/:splat 301!
http://www.tylerzey.com/* https://tylerzey.com/:splat 301!
https://www.tylerzey.com/* https://tylerzey.com/:splat 301!
http://tylerzey.com/* https://tylerzey.com/:splat 301!
```
It’s a small thing. But, limiting public access to one endpoint is a good practice to get into.
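A quick check for the rules above, added here as an example and not part of the original post: it parses a Netlify-style `_redirects` file and reports every alternate origin you expect to be covered that does not have a catch-all, forced (`!`) 301 to the canonical host. The canonical origin, the sample rules and the origin list are assumptions taken from or constructed around the post.

```python
from urllib.parse import urlparse

CANONICAL = "https://tylerzey.com"  # assumption: the canonical origin

# Sample _redirects content, copied from the post above.
SAMPLE_REDIRECTS = """
http://priceless-ardinghelli-0ef69f.netlify.com/* https://tylerzey.com/:splat 301!
https://priceless-ardinghelli-0ef69f.netlify.com/* https://tylerzey.com/:splat 301!
http://www.tylerzey.com/* https://tylerzey.com/:splat 301!
https://www.tylerzey.com/* https://tylerzey.com/:splat 301!
http://tylerzey.com/* https://tylerzey.com/:splat 301!
"""

# Constructed list of origins the site should only be reachable through
# via a redirect; the staging host is a hypothetical placeholder.
EXPECTED_ORIGINS = [
    "http://priceless-ardinghelli-0ef69f.netlify.com",
    "https://priceless-ardinghelli-0ef69f.netlify.com",
    "http://www.tylerzey.com",
    "https://www.tylerzey.com",
    "http://tylerzey.com",
    "https://staging.example.test",  # hypothetical, deliberately missing a rule
]


def parse_redirects(text):
    """Return (source, destination, status, forced) per rule line.

    Blank lines and '#' comments are skipped; a missing status means 301
    and a trailing '!' marks the rule as forced (applied even if a file exists).
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        status_field = parts[2] if len(parts) >= 3 else "301"
        forced = status_field.endswith("!")
        status = int(status_field.rstrip("!"))
        rules.append((parts[0], parts[1], status, forced))
    return rules


def uncovered_origins(text, origins, canonical=CANONICAL):
    """Origins lacking a '/*' rule that forces a 301 to the canonical host."""
    covered = set()
    for src, dst, status, forced in parse_redirects(text):
        u = urlparse(src)
        if u.path == "/*" and dst.startswith(canonical + "/") and status == 301 and forced:
            covered.add(f"{u.scheme}://{u.netloc}")
    return [o for o in origins if o not in covered]
```

Running `uncovered_origins(SAMPLE_REDIRECTS, EXPECTED_ORIGINS)` lists only the hypothetical staging origin, which is the gap you would then close with one more rule.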
I’m a really big fan of Cloudflare as they provide a ton of security out of the box. However, I’d expect the majority of their customers still have a non-Cloudflare-protected staging URL, dev URL, or IP address that is publicly available.
This essentially voids all the security they provide.