Security considerations when developing and managing your website (ITSAP.60.005) – Canadian Centre for Cyber Security

Summary

The Canadian Centre for Cyber Security’s ITSAP.60.005 (July 2025) summarises common threats to websites and provides practical security and privacy measures to develop and manage web services securely. It covers injection attacks (SQL injection, XSS), cross-site request forgery (CSRF), denial-of-service (DoS/DDoS), adversary-in-the-middle (AitM) attacks, malware, credential stuffing, brute-force attacks and the emerging impact of artificial intelligence on both attacks and defences.

Key Points

  • Websites are prime targets: compromises can damage operations, revenue and reputation.
  • Common threats include injection (SQLi, XSS), CSRF, DoS/DDoS, AitM, malware, credential stuffing and brute-force attacks.
  • AI amplifies both attack speed and defensive capabilities; stay informed on AI risks and mitigations.
  • Design a secure web architecture: segregate components, add redundancy and enforce HTTPS/TLS across services.
  • Use strong authentication and multi-factor authentication (MFA); store passwords with hashing and encryption and lock accounts after suspicious activity.
  • Apply the principle of least privilege and define access control across application, data and network layers.
  • Validate all inputs early and rigorously to prevent injection and other input-based attacks.
  • Review and harden default configurations, disable directory browsing, remove unnecessary files and deactivate credential caching.
  • Manage sessions securely: randomise identifiers, set appropriate expiry, use secure cookies and limit retention of session data.
  • Operate securely: monitor continuously, manage patches, publish a security.txt file for vulnerability reporting and promote security awareness.
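To make the session-management point concrete, here is an added example (not code from the Cyber Centre guidance) of a minimal server-side session store: identifiers come from the OS random generator, sessions expire on both idle and absolute timeouts, the identifier is rotated after login, and the cookie is issued with Secure, HttpOnly and SameSite attributes. The timeout values and the `__Host-session` cookie name are assumptions chosen for illustration.

```python
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass, field

SESSION_ID_BYTES = 32          # 256 bits of entropy from the OS CSPRNG (assumed value)
IDLE_TIMEOUT_S = 15 * 60       # expire after 15 minutes without activity (assumed value)
ABSOLUTE_TIMEOUT_S = 8 * 3600  # hard cap on lifetime regardless of activity (assumed value)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)  # keep only what the app really needs


class SessionStore:
    """In-memory store keyed by unguessable random identifiers."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, user: str) -> str:
        # Identifier is random, never derived from user data or a counter.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        t = self._now()
        self._sessions[sid] = Session(user=user, created=t, last_seen=t)
        return sid

    def get(self, sid: str) -> Session | None:
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT_S or t - s.created > ABSOLUTE_TIMEOUT_S:
            self.destroy(sid)    # expired: drop the session and its retained data
            return None
        s.last_seen = t
        return s

    def rotate(self, sid: str) -> str | None:
        """Issue a fresh identifier (e.g. after login) so a pre-login ID is never reused."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str, max_age: int = IDLE_TIMEOUT_S) -> str:
    """Set-Cookie value: HTTPS only, hidden from script, not sent on cross-site requests."""
    return (f"__Host-session={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")
```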

Content summary

The guidance begins by listing the most common website threats and explains how each operates and what it targets. It highlights how AI can speed up attack development and data extraction while noting AI can also strengthen defences. The core of the document provides actionable controls for each stage of a website lifecycle: design (segregation, redundancy), transport (HTTPS/TLS), authentication (strong passwords, MFA, hashing/encryption), authorisation (least privilege, layered access controls), input validation (treat all input as untrusted), configuration hardening (close unused ports, remove source/backup files), session management (randomised IDs, secure cookies, expiry) and operational practices (monitoring, patching, security.txt and user awareness).

The guidance also stresses responsibility when using third-party service providers: organisations remain legally responsible for data confidentiality and integrity and should verify provider security practices and clearly define roles and responsibilities.

Context and relevance

This is practical, vendor-agnostic guidance aimed at organisations of all sizes that run websites or use web services. It aligns with wider trends emphasising supply chain security, secure-by-design development, and the need to adapt controls in response to AI-driven threats. For anyone responsible for a corporate, ecommerce or public-facing site, these controls are foundational to reducing breach risk and protecting customer data.

Why should I read this?

Quick and useful — this is a straight-to-the-point checklist of the basics that too many sites still get wrong. If you manage a website, or outsource one, reading this will help you spot glaring holes, ask the right questions of suppliers and implement concrete fixes that reduce real-world risk. No jargon-heavy theory — just the essentials you can act on.

Author style

Punchy: concise, action-focused and written so you can use it as a working checklist. If your website handles customer data, payments or vendor portals, treat this as required reading.

Source

Source: https://cyber.gc.ca/en/guidance/security-considerations-when-developing-and-managing-your-website-itsap60005
