18. Static configuration checklist
At least a B+ rating on SSL Labs*
Reject extensions that you don’t want to accept
Reject known bad user agents
Reject specific known bad actors
Custom error pages that fit your application
Basic secure headers
36. Database checklist
Nothing uses the root user
Strong and securely stored production passwords
Separate users for runtime and migrations
Separate databases for production, staging, test, etc
Firewalls for everything but the systems that need access
Logs, logs, logs
Backups!!!