{"id":102057,"date":"2019-04-16T14:51:24","date_gmt":"2019-04-16T14:51:24","guid":{"rendered":"https:\/\/www.internetsociety.org\/?post_type=resources&#038;p=102057"},"modified":"2025-11-25T17:25:01","modified_gmt":"2025-11-25T17:25:01","slug":"best-practices-infrastructure-security","status":"publish","type":"resources","link":"https:\/\/www.internetsociety.org\/resources\/ota\/2019\/best-practices-infrastructure-security\/","title":{"rendered":"Best Practices: Infrastructure Security"},"content":{"rendered":"<ol>\n<li>Optimize <a href=\"https:\/\/www.internetsociety.org\/resources\/ota\/2017\/transport-layered-security-tls-for-email\/\">TLS<\/a> implementation using information gleaned from public tools. This includes eliminating use of insecure ciphers and older, insecure protocols as well as vulnerabilities to the POODLE and ROBOT exploits.<\/li>\n<li>Implement content security policy and associated headers for third-party content used on the site. This can prevent vulnerabilities introduced by outside content.<\/li>\n<li>Review capabilities of certificate authorities to ensure that they meet your support requirements. Use <a href=\"https:\/\/www.internetsociety.org\/resources\/ota\/2017\/extended-validation-certificates-evssl\/\">EV SSL certificates<\/a> for classes of sites that are frequently spoofed and where users need to be assured they are visiting and browsing a legitimate site.<\/li>\n<li>Implement Certification Authority Authorization (CAA) to prevent issuance of unauthorized certificates.<\/li>\n<li>Implement <a href=\"https:\/\/www.internetsociety.org\/resources\/ota\/2017\/always-on-ssl-aossl\/\">HTTP Strict Transport Security (HSTS), also referred to as Always on SSL (AOSSL) or HTTPS everywhere<\/a>, on all pages to maximize data security and online privacy. HSTS helps ensure that all data exchanged between the site and device is encrypted.<\/li>\n<li>Implement a Web Application Firewall to monitor HTTP conversations and block common attacks such as cross-site scripting (XSS) and SQL injections.<\/li>\n<li>Proactively scan sites for malicious links, iFrame exploits, malware and malvertising.<\/li>\n<li>Implement <a href=\"https:\/\/www.internetsociety.org\/resources\/ota\/2017\/botnets\/\">bot<\/a> detection and mitigation to help prevent brute force attacks, web scraping, account hijacking, unauthorized vulnerability scans, spam, and man-in-the-middle attacks.<\/li>\n<li>Provide a discoverable and accessible vulnerability reporting mechanism for site visitors and third parties to report vulnerabilities.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Optimize TLS implementation using information gleaned from public tools. This includes eliminating use of insecure ciphers and older, insecure protocols as well as vulnerabilities to the POODLE and ROBOT exploits. Implement content security policy and associated headers for third-party content used on the site. This can prevent vulnerabilities introduced by outside content. Review capabilities of [&hellip;]<\/p>\n","protected":false},"author":819,"featured_media":0,"template":"","categories":[6147,51,92,103,4898,4738,102],"tags":[4762,4767,3785,234,6211],"region_news_regions":[5931],"content_category":[6090],"ppma_author":[4083],"class_list":["post-102057","resources","type-resources","status-publish","hentry","category-how-the-internet-works","category-security","category-deploy360","category-open-internet-standards","category-strong-internet","category-security-1","category-tls","tag-best-practices","tag-infrastructure","tag-online-trust-alliance","tag-ota","tag-tls","region_news_regions-global","resource_types-ota","content_category-resources-type"],"acf":[],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"post-thumbnail":false,"square":false,"gform-image-choice-sm":false,"gform-image-choice-md":false,"gform-image-choice-lg":false},"uagb_author_info":{"display_name":"Megan Kruse","author_link":"https:\/\/www.internetsociety.org\/author\/kruse\/"},"uagb_comment_info":0,"uagb_excerpt":"Optimize TLS implementation using information gleaned from public tools. This includes eliminating use of insecure ciphers and older, insecure protocols as well as vulnerabilities to the POODLE and ROBOT exploits. Implement content security policy and associated headers for third-party content used on the site. This can prevent vulnerabilities introduced by outside content. Review capabilities of&hellip;","_links":{"self":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/resources\/102057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/resources"}],"about":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/types\/resources"}],"author":[{"embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/users\/819"}],"wp:attachment":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/media?parent=102057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/categories?post=102057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/tags?post=102057"},{"taxonomy":"region_news_regions","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/region_news_regions?post=102057"},{"taxonomy":"content_category","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/content_category?post=102057"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/ppma_author?post=102057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}