Guidelines

Passwords

  • All passwords should be stored in 1Password.
  • All passwords should be unique, no password may be reused.
  • Two-factor authentication (preferably via 1Password) should always be enabled when a service offers it.

GitHub

Applications

  • All HTTP traffic should be sent over SSL.
  • All forms should use a CSRF token to prevent cross-site request forgery.
  • Routes performing a significant action (delete, update, …) should use the appropriate HTTP method (DELETE, POST or PUT, not GET).
  • When a site uses authentication/authorization, automated tests should verify that only authorized users can use the protected functionality.

Databases

  • All stored passwords should be hashed.
  • All API keys stored in the database should be encrypted.
  • A separate database user should be used for every database, preferably with only the read/write permissions it needs.
  • Ideally the database is only accessible from whitelisted hosts (the webserver and developer machines).

Servers

  • Should use the latest versions of NGINX, PHP, Ubuntu, etc.
  • Should use SSH with private-key authentication, with password authentication disabled.
  • The unattended-upgrades package should be installed and enabled for security updates.
  • The firewall should be configured to allow only relevant traffic (generally ports 22 and 443).
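An added example (not part of these guidelines) that audits the two SSH and unattended-upgrades items above against configuration files. It assumes OpenSSH sshd_config syntax, where the first occurrence of a keyword wins, and the Ubuntu 20auto-upgrades APT file format; the sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guidelines: audits two of the
# "Servers" items offline against config files passed in as paths. Assumes
# OpenSSH sshd_config syntax (first occurrence of a keyword wins; Match
# blocks and the optional "=" separator are not handled) and the Ubuntu
# 20auto-upgrades APT file format.

# Print the first effective value of an sshd directive, or the sshd default
# given in $3 when the directive is absent or only present commented out.
ssh_directive() {
    val=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Compliant (exit 0) only when key auth is on AND password auth is off.
# Both sshd defaults are "yes", so a config that never mentions
# PasswordAuthentication fails the check.
check_sshd() {
    [ "$(ssh_directive "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(ssh_directive "$1" PubkeyAuthentication yes)" = yes ]
}

# Print the numeric value of an APT::Periodic key, e.g. 'Key "1";' -> 1.
apt_periodic() {
    grep -E "^[[:space:]]*$2[[:space:]]+\"[0-9]+\"" "$1" | tail -n 1 | sed -E 's/.*"([0-9]+)".*/\1/'
}

# Compliant only when package lists are refreshed AND upgrades are applied.
check_auto_upgrades() {
    [ "$(apt_periodic "$1" APT::Periodic::Update-Package-Lists)" = 1 ] &&
    [ "$(apt_periodic "$1" APT::Periodic::Unattended-Upgrade)" = 1 ]
}

# Constructed sample files for the demo (not real server configs).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'PubkeyAuthentication yes' \
    > "$demo_dir/sshd_config.bad"      # commented-out line leaves passwords on
printf '%s\n' 'Port 22' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    > "$demo_dir/sshd_config.good"
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "1";' > "$demo_dir/20auto-upgrades.good"
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "0";' > "$demo_dir/20auto-upgrades.bad"

for f in sshd_config.bad sshd_config.good; do
    check_sshd "$demo_dir/$f" && echo "$f: OK" || echo "$f: password auth still enabled"
done
for f in 20auto-upgrades.bad 20auto-upgrades.good; do
    check_auto_upgrades "$demo_dir/$f" && echo "$f: OK" || echo "$f: unattended upgrades off"
done
```

On a real host the same functions can be pointed at /etc/ssh/sshd_config and /etc/apt/apt.conf.d/20auto-upgrades; the commented-out sample shows why a line that merely looks hardened still fails.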

Various

  • Do not install any pirated software on your Mac or phone.
  • Do not use publicly searchable services like Pastebin or gist to share sensitive code or data.