How Can I Enhance Website Security?

The following are some general guidelines for securing your web site.

  • Use a commercial firewall between your ISP and your Web server.

  • Use switched Ethernet so that a compromised server can observe only traffic addressed to it, rather than everything on the network segment. Place additional firewalls between the Web server machines and highly sensitive internal servers that run the database and enterprise applications.

  • Remove unnecessary network services, such as RPC, Finger, and Telnet, from your server.

  • Always validate all input from Web forms, and validate or encode all output from your applications. Be sure to check character encodings, reject overlong input strings, and reject input that contains non-printable characters, HTML tags, or script tags.

  • Encrypt the contents of cookies when they carry sensitive data.

  • Check often for security patches for all your system and application software, and install them as soon as possible. Only accept patches from Oracle or your Oracle support representative.

  • Where relevant, use an intrusion detection package to monitor for defaced Web pages, viruses, and the presence of rootkits. Where possible, mount system executables and Web content on read-only file systems.

  • Consider penetration testing or other relevant security testing of your application. Consider protecting the application with custom mod_security rules appropriate to it. For more information on mod_security, see Configuring the mod_security Module and Using mod_security.

  • Remove from the httpd.conf file the directives that expose unneeded content. See Removing Access to Unneeded Content.

  • Take precautions to protect your Web pages from clickjacking, for example by having the server send a response header (such as X-Frame-Options) that stops other sites from framing your pages. For more information on clickjacking, see the Security Best Practices section in "Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products (Doc ID 1074055.1)".
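The input-validation guideline above, worked through as an added example. This code is not from the Oracle documentation or from Oracle HTTP Server; it is a stand-alone illustration. It takes one single-line form field as raw bytes and rejects it if it is not strict UTF-8, if it is longer than a per-field limit, if it contains non-printable characters, or if it contains HTML tags or script vectors. The 256-character limit and the two regular expressions are assumptions chosen for the example, not values the page prescribes. The output side is shown by escaping an accepted value before it is written into an HTML page.

```python
from __future__ import annotations

import html
import re
import unicodedata

# Assumed per-field limit for this example; tune it per form field.
MAX_FIELD_LEN = 256

# Assumed patterns for this example. An HTML tag starts with "<" followed by
# a letter, "</" followed by a letter, "<!" or "<?"; "a < b" does not match.
_TAG_RE = re.compile(r"<(?:/?[A-Za-z]|!|\?)")
# Script vectors that need no tag of their own: javascript: URLs and
# on*= event-handler attributes.
_SCRIPT_RE = re.compile(r"javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


class ValidationError(ValueError):
    """Raised when a field fails one of the checks below."""


def validate_text_field(raw: bytes, max_len: int = MAX_FIELD_LEN) -> str:
    """Validate one single-line text field received from a Web form.

    Returns the accepted value as str, or raises ValidationError.
    """
    # 1. Encoding: decode strictly. Invalid byte sequences, overlong
    #    encodings and encoded surrogates are all rejected here.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValidationError(f"invalid UTF-8 at byte {exc.start}") from exc

    # 2. Canonical form, so later comparisons and filters see one spelling
    #    of each character (e.g. "e" + combining acute becomes U+00E9).
    text = unicodedata.normalize("NFC", text)

    # 3. Length, counted in characters after decoding, not in raw bytes.
    if len(text) > max_len:
        raise ValidationError(f"too long: {len(text)} > {max_len}")

    # 4. Non-printable characters: Unicode category C* covers control
    #    characters (NUL, CR, LF, TAB), format characters such as zero-width
    #    joiners, and private-use and unassigned code points.
    for ch in text:
        if unicodedata.category(ch).startswith("C"):
            raise ValidationError(f"non-printable character U+{ord(ch):04X}")

    # 5. Markup: HTML tags and script vectors do not belong in a text field.
    if _TAG_RE.search(text) or _SCRIPT_RE.search(text):
        raise ValidationError("markup not allowed")

    return text


def encode_for_html(value: str) -> str:
    """Output side: escape before writing the value into an HTML page or
    attribute, even when it has already passed validation."""
    return html.escape(value, quote=True)


def check(raw: bytes) -> tuple[bool, str]:
    """Convenience wrapper returning (accepted, value_or_reason)."""
    try:
        return True, validate_text_field(raw)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs for this example.
    samples = [
        b"Hello, world!",
        b"a < b and c > d",
        b"e\xcc\x81",                        # "e" + combining acute
        b"\xff\xfe",                         # not UTF-8
        b"a" * 300,                          # over the assumed limit
        b"abc\x00def",                       # embedded NUL
        b"<script>alert(1)</script>",
        b'<img src=x onerror="alert(1)">',
        b"click javascript:alert(1)",
    ]
    for s in samples:
        ok, result = check(s)
        print("accept" if ok else "reject", repr(s), "->", result)
    print(encode_for_html('<a href="x">'))
```

Validation and output encoding are separate steps on purpose: validation limits what is stored, and escaping protects the page the value is later written into. A value that passed validation yesterday may still be unsafe in a context the validator did not anticipate, so the encoding step is applied regardless.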