Sayt himoyasi β bir martalik ish emas, jarayon. 10 ta majburiy qadam:
1. HTTPS hamma joyda
Let's Encrypt bepul. .htaccess'da 301 redirect http β https. HSTS header: Strict-Transport-Security: max-age=31536000.
2. Kuchli parollar
16+ belgi, password manager (Bitwarden bepul). Bir xil parol turli saytlarda β ASLO.
3. 2FA admin uchun
Google Authenticator yoki YubiKey. Telegram bot ham mumkin.
4. Yangilab turish
OS, PHP, web server, framework, plugin'lar. Auto-update yoq. CVE monitor β yangi xavf chiqsa darhol xabar.
5. Firewall
Server: ufw, iptables. CDN: Cloudflare WAF. Application: ModSecurity.
6. SQL injection himoya
Prepared statements (PDO). String concatenation YOPMA. ORM ishlatish (Eloquent, Doctrine).
7. XSS himoya
Output escape β htmlspecialchars. CSP header. HttpOnly cookies. SameSite=Strict.
8. CSRF tokens
Har formada hidden CSRF token. SameSite cookies. Laravel @csrf, Symfony FormType.
9. Rate limiting
Login: 5 attempts/minute. API: 60 req/minute. Cloudflare yoki nginx limit_req.
10. Backup va monitoring
Kunlik backup, S3/external. Log monitoring β Sentry, NewRelic. Anomaly detection β odatdan tashqari trafik xabar bersin.
Audit
1 yilda 1 marta professional pentest. OWASP ZAP, Burp Suite β open source skanerlar.
Xodimlar β eng zaif zveno
Phishing email β eng tarqalgan vektor. Xodimlarga security training. "Bu email haqiqatdan menimi?" β har doim tekshirish.
Incident response plan
Hujum bo'lsa β kim qiladi nima? Backup qachon va qaerda? Foydalanuvchilarga qanday xabar? Yozma plan tayyor bo'lsin.
Sayt.uz amaliyot
HTTPS, HSTS, CSP, 2FA, Cloudflare WAF, fail2ban, kunlik backup, audit log. 2024'da hujum harakatlari bo'ldi, lekin biron buzilish yo'q.