Data Security

For the network security of the application we have enforced the following standards.

  1. Web Application Firewall (WAF) Configured at Domain level to prevent access to from countries like US, China, Hongkong, Pakistan , Russian Federation Etc

  2. Open Web Application Security Project (OWASP) core rule set based WAF rules implemented to provide protection against common attack categories, including Structured Query Language (SQL) Injection and Cross-Site Scripting.

  3. Customised WAF rules created to prevent common attacks and Bot Access

  4. Autonomous system number (ASN) based lockdown in WAF against common threat matrix.

  5. Sanity Check Based Block and Rate Limiting Enabled

  6. Network level Port Blocking allowing only port 80 and 443 from internet in the entire network

  7. IP blacklist and lockdown based on Threat Score ( Score Greater than 8 is blocked) based on IP reputation.

  8. Customised Content Security policy (CSP) Header implemented to prevent common Clickjacking and other attacks .

  9. HTTP Strict Transport Security (HSTS) preloaded domain wide to enforce Hypertext Transfer Protocol Secure (HTTPS) only traffic with a Max Age of 1 year

  10. Origin to domain, domain to domain, and domain to User traffic encrypted via Transport Layer Security 1.2 (tls1.2) and above

  11. Content Security Policy (CSP) and Certificate Transparency CT violations monitoring done to update threat matrix

  12. The Domain Name System Security Extensions (DNSSEC) enabled to prevent domain takeovers .(DNSSEC protects against forged domain name system (DNS) answers. DNSSEC protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner.)

  13. Speed up of page load speed by the Implementation of Brotli Compression

  14. HTTP/2 and HTTP/3(Quick User Datagram Protocol Internet Connections) enabled for faster network speeds

  15. Automatic Branch based Continuous integration (CI) and continuous delivery (CD) to prevent unauthorised access.

  16. New pods are created before old pods with old code is terminated.

  17. Database backups (Snapshots) are created daily at scheduled intervals and stored with Key Management Service (KMS) keys securely inside Cloud Infrastructure without external Access.

  18. All server nodes and Volumes and database Instances are Encrypted with KMS based Cryptographic Keys.

  19. Database Connectivity allowed only using internal Private Network and allowed for the backend host only.

  20. Virtual Private Network(VPN) + Jump Host( Bastion Host) Based Server Maintenance (Cluster Management Shell ) to enhance security.

Reverse Proxying all network traffic to mask origin IP to enhance security. Apart from the above rules, additional measures could be added to enforce maximum security of data

Last updated