The most common answer to this question is about the protocol used to serve your pages: HTTP or HTTPS. And it’s always this: make sure your site is served over HTTPS rather than plain HTTP.
The truth, of course, is a little more complex. It’s certainly true that your website should be served over HTTPS, which means that the full address should start with https rather than plain http (as in https://our-example-website.com, rather than http://our-example-website.com). However, proper site security also requires all of the following:
- Secure server and network: the computer that hosts your site and the network in which this computer resides should be carefully configured to be as secure as possible.
- Secure application: the software that drives your site should be as secure as possible out of the box, and further hardened as required.
- Secure practices: users should use strong passwords, never save passwords on public computers or share them with any other users, etc.
Ultimately, security is a multifaceted objective. Taken together, all of the above constitute the minimum basic requirements for a secure website. And since this is the minimum, you may well find that your particular situation requires additional security measures like firewalls, automated lockdown tools, tight access control lists, multifactor authentication, and the like.
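The HTTPS point above is easy to get half right: a site can have a valid certificate and still serve plain HTTP, or redirect only sometimes. The following added example (not part of the original article) checks, against constructed sample responses rather than live requests, that the plain-HTTP address permanently redirects to the HTTPS address of the same host and that the HTTPS response sends a Strict-Transport-Security header; the host names, the responses and the one-year max-age floor are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample responses (not real captures), keyed by URL: what a client
# would see when requesting the plain-HTTP and HTTPS roots of two hosts.
SAMPLE_RESPONSES = {
    "http://our-example-website.com/": {"status": 301, "headers": {"Location": "https://our-example-website.com/"}},
    "https://our-example-website.com/": {
        "status": 200,
        "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    },
    # weak.example is a hypothetical host that serves plain HTTP directly and never sends HSTS.
    "http://weak.example/": {"status": 200, "headers": {}},
    "https://weak.example/": {"status": 200, "headers": {}},
}
MIN_HSTS_MAX_AGE = 31536000  # one year; a widely recommended floor (assumption, not from the article)

def hsts_max_age(value):
    """Return the max-age (seconds) from a Strict-Transport-Security header value, or None."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None

def check_https_enforcement(host, responses):
    """Return a list of findings; an empty list means the host enforces HTTPS properly."""
    findings = []
    plain = responses.get(f"http://{host}/")
    secure = responses.get(f"https://{host}/")
    # 1. The plain-HTTP address must permanently redirect to the HTTPS address of the same host.
    if plain is None or plain["status"] not in (301, 308):
        findings.append("plain HTTP is served directly (no permanent redirect to HTTPS)")
    else:
        target = urlparse(plain["headers"].get("Location", ""))
        if target.scheme != "https" or target.hostname != host:
            findings.append("HTTP redirect does not point at the HTTPS address of the same host")
    # 2. The HTTPS response must send HSTS so browsers stop trying plain HTTP at all.
    hsts = (secure or {}).get("headers", {}).get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age missing or below {MIN_HSTS_MAX_AGE} seconds")
    return findings

if __name__ == "__main__":
    for site in ("our-example-website.com", "weak.example"):
        print(site, check_https_enforcement(site, SAMPLE_RESPONSES) or ["ok"])
```

To run it against a real site, replace the constructed dictionary with the status code and headers returned by an HTTP client for each of the two URLs.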