Security checklist - designing a website

This is a design checklist – facts you should consider before you begin developing your website.

Security requirements



I know how critical security will be for the website (whether it is a blog, corporate website, e-shop, bank application, etc.).

I know if my website will need any special certifications (PCI, Safe Harbor, etc.).

I know which special requirements will be imposed on the website (custom authentication, premium sections, various types of administrators, etc.).

I have an idea about the number of users accessing the system, which roles the users will be grouped under, which sections of the website will be accessible only to authenticated users, and so on.

I know how large the scope of planned custom development will be.

I know if security issues will be addressed during the development phase (possibly with threat modeling) or after the website has been implemented.




I know what environment I will deploy my website to (private server, web hosting or cloud).

I know the security restrictions of the live environment.

I know what settings I will have access to in the live environment (which IIS settings).




I have mapped my security requirements to the Kentico system (for example, if you want to apply a password policy, then you know whether the default Kentico functionality suits your purposes).

I am familiar with all Kentico system protections and I know how to utilize them.

I know which applications and services my website will need and which I can uninstall or disable.

I know how to use the Kentico API securely.

I have designed all custom authorization and authentication protections and I know how to implement them in Kentico.