Drupal-8 best security settings - drupal-8

I'm quite new to Drupal-8 and want to ensure that the security of my company's website is strong. Are there any tips on what settings to change in admin panel?
My company uses Windows Server 2016, if this is useful.

There is web server hardening, database hardening, site hardening and many other things. Since you asked about a very broad topic, first figure out which part you want to focus on (whether you are on a hosting plan or own your server, etc.).
Having said that, below are site security best practices.
https://www.drupal.org/security/secure-configuration
Code and configuration security
https://www.drupal.org/docs/security-in-drupal

Related

Vulnerabilities Plesk VS cPanel

As a web hosting reseller I have a question: Plesk or cPanel?
I mean, which is more secure? With fewer hack vulnerabilities? Some people tell me Plesk is more secure and that with cPanel you have a lot of security breaches.
Thank you.
I can tell you about Plesk, which is focused on security and provides a lot of solutions, such as ModSecurity, Fail2Ban and Security Advisor, out of the box to protect your server, websites, mail, etc. from hacking.
Also, Plesk has an extension catalog with security extensions to secure your server and its services further.
The WordPress toolkit, which is available in Plesk, allows you to secure WordPress installations.
The Let's Encrypt extension will allow you to install free SSL certificates on your websites.
With the help of the Package Update Manager, Plesk makes sure that all the latest OS updates are installed.
Try Plesk for free and check it on your own.
I'm sure you were hoping to hear more than just from people that work for the companies involved, but I can similarly answer for cPanel.
cPanel is incredibly secure out of the box, and comes with the backing of a massive community of plugin developers and integrators, but we also allow administrators to make their own decisions about their configuration. The drawback for that is that some administrators make their server less secure, without fully understanding the consequences.
If you have any questions at all about cPanel, please do let me know, or you can try it for free. Any new cPanel server that's built is automatically issued a trial license, so you can try it for free for 15 days.
Both cPanel and Plesk have their pros and cons. While I like cPanel more (probably because I had the chance to use it more), there are some really nice default features in Plesk that make it, let's say, more attractive. One of them would be installing nginx and being able to run it as a standalone server for specific sites and not as a reverse proxy for Apache. The same behaviour can be achieved on cPanel servers with the nginxcp plugin (which is not free, but the price is decent: $5/month).
Both cPanel and Plesk have mod_security, firewalls and a ton of other features. If you ask me, cPanel is more user friendly for the regular user, while Plesk seems to be a little bit complicated sometimes. Another big difference is that cPanel can only be installed on CentOS systems, while Plesk can be installed on CentOS, Debian, etc. If you ask me, I preferred cPanel since it ran really smoothly with CloudLinux, and configuring it properly resulted in a really secure server. As far as I know CloudLinux works on Plesk too now, so...
It's really hard to say which one of them is more secure. It all depends on how you configure them both. I would say to try them both (both offer free trial licenses for a limited amount of time: cPanel 15 days, Plesk 30 days if I'm not wrong) and see which one you like best.
Oh, last but not least, cPanel staff provide really high-quality tech support (which is included with the license). I think they are way ahead of Plesk at providing support for their customers (at least from my experience).

Setting up HTTPS/SSL on Amazon EC2 instance and Django

I have already set up the HTTPS/SSL for my site on Amazon EC2. I checked it on several different SSL checker sites online, and I think it is set up properly. I'm using Django web framework, so do I need to follow anything in this spec to make sure I didn't miss anything?
https://docs.djangoproject.com/en/1.6/topics/security/#ssl-https
Django 1.7 and later have somewhat better security and patch most of the possible X-Frame-related exploits.
However I personally like to set the security in my NGINX config. A great guide for that is https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
And for SSL security in general, I recommend https://ssllabs.com
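The Django doc the question links to is a checklist of settings; the following is an added example, not code from the thread, that audits those HTTPS-related settings offline, in the spirit of Django's own `manage.py check --deploy`. Settings are passed as a plain dict so it runs without Django installed, and the middleware names and setting keys are Django's real ones (SecurityMiddleware exists from Django 1.8). The two sample settings dicts are constructed for the demonstration. It also covers the failure mode that bites on EC2 when a load balancer or nginx terminates TLS: with `SECURE_SSL_REDIRECT` on but no `SECURE_PROXY_SSL_HEADER`, Django never sees the request as HTTPS and redirects forever.

```python
# Added example (not from the thread): an offline audit of the HTTPS-related
# Django settings, modelled on `manage.py check --deploy`.  Settings are a
# plain dict, so no Django installation is needed to run it.

SECURITY_MW = "django.middleware.security.SecurityMiddleware"        # Django 1.8+
CLICKJACK_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"
ONE_YEAR = 31536000

# Django's own defaults for the keys we look at, used when a key is absent.
DEFAULTS = {
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_PROXY_SSL_HEADER": None,
    "MIDDLEWARE": (),
}


def audit_https_settings(settings, behind_tls_proxy=False):
    """Return a sorted list of findings; an empty list means nothing to fix.

    behind_tls_proxy: True when a load balancer or nginx terminates TLS and
    speaks plain HTTP to Django (the usual EC2 layout).  Django then only
    knows a request was HTTPS if SECURE_PROXY_SSL_HEADER names the header the
    proxy sets; without it SECURE_SSL_REDIRECT produces a redirect loop.
    """
    def get(key):
        return settings.get(key, DEFAULTS[key])

    findings = []
    middleware = tuple(get("MIDDLEWARE"))

    if not get("SECURE_SSL_REDIRECT"):
        findings.append("SECURE_SSL_REDIRECT is off: plain-HTTP requests are served, not redirected")
    elif SECURITY_MW not in middleware:
        findings.append("SECURE_SSL_REDIRECT is set but SecurityMiddleware is not installed, so it has no effect")
    elif behind_tls_proxy and get("SECURE_PROXY_SSL_HEADER") is None:
        findings.append("SECURE_SSL_REDIRECT behind a TLS-terminating proxy without SECURE_PROXY_SSL_HEADER: redirect loop")

    for key, what in (("SESSION_COOKIE_SECURE", "session"), ("CSRF_COOKIE_SECURE", "CSRF")):
        if not get(key):
            findings.append(f"{key} is off: the {what} cookie can be sent over plain HTTP")

    hsts = get("SECURE_HSTS_SECONDS")
    if not isinstance(hsts, int) or hsts < ONE_YEAR:
        findings.append("SECURE_HSTS_SECONDS is unset or under one year; browsers will keep trying HTTP first")
    elif SECURITY_MW not in middleware:
        findings.append("SECURE_HSTS_SECONDS is set but SecurityMiddleware is not installed, so no HSTS header is sent")

    if CLICKJACK_MW not in middleware:
        findings.append("XFrameOptionsMiddleware missing: no X-Frame-Options header, so pages can be framed (clickjacking)")

    return sorted(findings)


# Constructed sample settings: a project left on defaults versus a hardened
# one for a site behind an HTTPS-terminating load balancer.
WEAK_SETTINGS = {
    "MIDDLEWARE": [CLICKJACK_MW],
}
HARDENED_SETTINGS = {
    "MIDDLEWARE": [SECURITY_MW, CLICKJACK_MW],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        findings = audit_https_settings(cfg, behind_tls_proxy=True)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Only set `SECURE_PROXY_SSL_HEADER` when the proxy really does strip and rewrite `X-Forwarded-Proto`; if clients can reach Django directly and set that header themselves, they can make any request look like HTTPS.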

Sitecore CMS: maintenance page for a load-balanced website

I'd like to implement a "Website under maintenance" page on a Sitecore powered website, where CMS editors can switch on/off the maintenance mode. During the maintenance mode all requests are forwarded to the maintenance page. A solution with app_offline.htm in website root would be ok, however the problem is that website is load-balanced.
What is the best practice to implement what I want on load balanced websites, and specifically for Sitecore CMS?
In any load-balanced environment you should avoid having this app_offline.html page as a part of your website. Please remember that if you are deploying new code, the site may encounter some exceptions or config problems and even your plain HTML maintenance page won't be accessible.
You should rather think about having an app_offline page redirection set directly on the load balancer. In this case you need to set it only in one place and you don't need to worry about your site being unavailable. Of course, you will not be able to manage this page from Sitecore in this case.
And the best solution in the load-balanced environment is not to have an app_offline.html page at all. When you're doing any maintenance, you're performing it on one (or half) of the load-balanced servers at a time. The other servers should serve the responses to users' requests in the meantime. And when you're ready with maintenance on one server, you put it back into the load balancer and start maintenance of the other servers (taking them out of the load balancer before making any updates on them).
You can create an HttpModule that reads some setting that the CMS editor can turn on/off inside Sitecore; if the setting is turned off, you redirect to your custom maintenance page.
Make sure that you don't redirect any HTTP request coming from the Sitecore desktop, by checking the logged-in user's domain.
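The HttpModule approach just described, written out as an added example that is not from the thread. A Sitecore HttpModule would be C#; this uses a plain WSGI middleware in Python so the logic can be run and tested anywhere, and the flag source and user lookup are stand-ins for reading a Sitecore setting item and the current user. Two details matter beyond the flag itself: requests for the maintenance page (and its static assets) must not be redirected or the browser loops, and users logged into the `sitecore` domain (the `sitecore\admin` naming is assumed) are let through so editors keep access.

```python
# Added example (not from the thread): maintenance mode as a WSGI middleware,
# mirroring the HttpModule idea.  Flag and user lookups are injected stand-ins.
MAINTENANCE_PATH = "/maintenance.html"
# Never redirect the maintenance page or its assets: that would be a redirect loop.
EXEMPT_PREFIXES = ("/maintenance.html", "/static/maintenance/")
EDITOR_DOMAIN = "sitecore"   # assumed Sitecore-style "domain\\user" naming


def is_editor(username):
    """True for 'sitecore\\admin'-style names; anonymous or other-domain users are not exempt."""
    if not username or "\\" not in username:
        return False
    return username.split("\\", 1)[0].lower() == EDITOR_DOMAIN


def maintenance_decision(path, username, maintenance_on):
    """Return 'pass' or 'redirect' for one request.  Pure function, so it is easy to test."""
    if not maintenance_on:
        return "pass"
    if path.startswith(EXEMPT_PREFIXES):
        return "pass"
    if is_editor(username):
        return "pass"
    return "redirect"


class MaintenanceMiddleware:
    def __init__(self, app, flag_source, user_source):
        self.app = app
        self.flag_source = flag_source    # callable() -> bool, e.g. reads the editor-controlled setting
        self.user_source = user_source    # callable(environ) -> "domain\\user" or None

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        decision = maintenance_decision(path, self.user_source(environ), self.flag_source())
        if decision == "redirect":
            # 302, not 301: a permanent redirect would be cached by browsers
            # and keep sending visitors to the maintenance page after it ends.
            start_response("302 Found", [("Location", MAINTENANCE_PATH),
                                         ("Cache-Control", "no-store")])
            return [b""]
        return self.app(environ, start_response)


def _site_app(environ, start_response):
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"site content"]


def call(app, path, user=None):
    """Drive a WSGI app with a minimal constructed environ; return the status line."""
    status = {}
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", "demo.user": user}

    def start_response(line, headers):
        status["line"] = line

    list(app(environ, start_response))
    return status["line"]


FLAG = {"on": True}   # stands in for the setting item editors switch in Sitecore
app = MaintenanceMiddleware(_site_app, lambda: FLAG["on"], lambda env: env.get("demo.user"))

if __name__ == "__main__":
    print("visitor  /             ->", call(app, "/"))
    print("visitor  /maintenance  ->", call(app, MAINTENANCE_PATH))
    print("editor   /             ->", call(app, "/", "sitecore\\admin"))
```

Because every load-balanced node reads the same flag from the CMS, switching it in one place switches all nodes at once, which is the property the question asks for.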
I used this article when I first started working with a CM to CD load balanced environment: http://csuwannarat.wordpress.com/2011/12/20/sitecore-deployment-process-in-load-balanced-production-environment/
Hopefully this helps you too.

Multiple deployment environments (production/staging/etc) and Facebook Apps

I'm looking for a "best practice" kind of answer with regard to Facebook Apps and staging/production environment. Instinctively, I've provided each environment with its own Facebook App, complete with its own ID and secret. It appears (here, here and through extensive Googling) that it's simply not possible to share OG configuration across apps, so I've been copying application settings across environments (icon, requested permissions and texts, etc). It's been a pain and ugly, but I've lived with it.
Alas, with the introduction of opengraph actions, this isn't funny anymore - much more to copy and everything has to go through the approval process. Is there no better way to do this? A coworker suggested we simply share the same app across all environments, but I'm apprehensive about that - it means we'll have to share production secrets with the staging environment (I'm not even talking about localhost development environments), and that we'll need to route Facebook traffic to the correct environment somehow (because one Facebook app means one Page Tab URL).
There has to be a better way... no?
I see there's a feature called "Test Apps" now that seems to fit the bill:
https://developers.facebook.com/docs/apps/test-apps/
Test Apps are like regular apps in that they have their own App ID and independent settings, but they offer a number of advantages for use during pre-production:
...
When creating test apps, the settings are copied from your production app so it's simple to spin up new apps which mirror your production app's settings
It's working for me so far.
I asked practically the same question at a breakout session at F8 last year. Creating multiple apps is the best practice. They are aware that it is an inconvenience, especially with the open graph objects and actions. They did however mention the possibility of setting up apps in the future via the API, but I am still waiting for this. Until then, it's a manual process.

Django on Dreamhost - testing/sandbox environment

I've been using Webfaction for all my Django needs for the last couple of years, but have had a high traffic site fall in my lap that Dreamhost is probably better suited to handling.
To set up and experiment with a site with webfaction there are your [user].webfactional.com accounts. Which is sweet.
Equivalently Dreamhost also offers [name].dreamhosters.com
Yet this doesn't seem to work with my database and this doesn't seem to be playing nice with setting up django or passenger_wsgi.
So I'm wondering if I'm interpreting the documentation correctly to suggest that in order to make a site that depends on Passenger, it needs to be running from an active domain. The documentation is really implicit; I'm baffled.
Has anyone set up a testing/sandbox environment for Django using Dreamhost, or know how to?
I've set up a Django site on Dreamhost on a dreamhosters subdomain before, so I can tell you for sure it is possible.
I'm not sure what you mean by active domain but I know that you have to set something to the effect of "Allow Passenger for this domain" under "Manage Domains" > "Web Options". Your passenger_wsgi.py file should be placed in ~/[name].dreamhosters.com/ and needs to include all the necessary project/application paths (including the Django source) as well as set the DJANGO_SETTINGS_MODULE environment variable as described in the Dreamhost wiki. As far as database connections there is nothing special that you have to do in the settings when using Passenger.
On a somewhat related note, I would have to question your statement "...have had a high traffic site fall in my lap that dreamhost are probably better suited to handling."
given that Webfaction is by far the top rated host for Django and Dreamhost the absolute worst according to DjangoFriendly. It's possible that many of the reviews were written when Dreamhost was only supporting FastCGI and things might have improved when using Passenger but I still don't think it beats Webfaction's options of FastCGI, mod_python, and mod_wsgi (which is the recommended deployment setup according to the Django docs http://docs.djangoproject.com/en/1.1/howto/deployment/modwsgi/).
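A passenger_wsgi.py of the shape the answer describes, as an added example that is not the thread's own code: it puts the project (and optionally a Django source checkout) on sys.path, sets DJANGO_SETTINGS_MODULE, and exposes the module-level `application` Passenger looks for. The directory `example.dreamhosters.com`, the project name `mysite` and the `django-src` path are assumptions to replace with your own. The Django import is deferred to the first request so the file can be imported and its path setup checked on a machine without Django; `django.core.wsgi.get_wsgi_application` is Django's real entry point (1.4 and later).

```python
# Added example (not from the thread): passenger_wsgi.py for ~/[name].dreamhosters.com/
import os
import sys

HOME = os.path.expanduser("~")
SITE_DIR = os.path.join(HOME, "example.dreamhosters.com")   # assumed: the dir this file lives in
PROJECT_DIR = os.path.join(SITE_DIR, "mysite")               # assumed: holds mysite/settings.py
DJANGO_SRC = os.path.join(HOME, "django-src")                # assumed: Django checkout, if not pip-installed
SETTINGS_MODULE = "mysite.settings"


def configure(project_dir=PROJECT_DIR, django_src=DJANGO_SRC,
              settings_module=SETTINGS_MODULE, path=None, env=None):
    """Put the project (first) and the Django source on the import path and
    point DJANGO_SETTINGS_MODULE at the project's settings.

    `path` and `env` default to sys.path / os.environ; passing your own lists
    and dicts lets you check the result without touching the real process.
    Safe to call more than once: entries already present are not duplicated.
    """
    path = sys.path if path is None else path
    env = os.environ if env is None else env
    for entry in (django_src, project_dir):      # project ends up at index 0
        if entry and entry not in path:
            path.insert(0, entry)
    env["DJANGO_SETTINGS_MODULE"] = settings_module
    return path


_django_app = None


def application(environ, start_response):
    """The WSGI callable Passenger serves.  Django is imported on the first
    request, after the path and settings module are configured."""
    global _django_app
    if _django_app is None:
        configure()
        from django.core.wsgi import get_wsgi_application   # Django 1.4+
        _django_app = get_wsgi_application()
    return _django_app(environ, start_response)


if __name__ == "__main__":
    # Dry run: show what the path and environment would look like.
    demo_path = configure(path=[], env={})
    print("sys.path prefix:", demo_path)
    print("DJANGO_SETTINGS_MODULE:", SETTINGS_MODULE)
```

Remember that Passenger only loads this file once; after editing it (or the settings) touch `tmp/restart.txt` in the site directory or restart the app, otherwise the old code keeps serving.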