FortWatch

5 Security Quick Wins You Can Implement This Week

FortWatch

FortWatch Team

5 Security Quick Wins You Can Implement This Week

Security improvements that don't require a committee

Large-scale security initiatives are important, but they take time — time during which your infrastructure remains exposed. The good news is that some of the most impactful security improvements are also the simplest. Here are five changes that most teams can implement within a single week, each delivering outsized risk reduction for minimal effort.

1. Add security headers to all web applications

Security headers are HTTP response headers that instruct browsers to enable built-in security features. They're free, they take minutes to configure, and they mitigate entire classes of attacks.

At minimum, add these headers to every web application:

  • Strict-Transport-Security (HSTS) — forces HTTPS, prevents downgrade attacks. Set to max-age=31536000; includeSubDomains.
  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing attacks.
  • X-Frame-Options: DENY — prevents clickjacking by blocking framing.
  • Content-Security-Policy — controls which resources the browser can load. Start with a report-only policy to identify issues before enforcing.
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer information leakage.
  • Permissions-Policy — disables browser features you don't use (camera, microphone, geolocation).

In nginx, this is a single configuration block. In Express.js, use the helmet middleware. In most frameworks, security headers are a one-time configuration change.

2. Audit and harden your TLS configuration

TLS protects data in transit, but outdated configurations can undermine that protection. Many servers still support TLS 1.0 and 1.1, weak cipher suites, or have misconfigured certificate chains.

Quick fixes:

  • Disable TLS 1.0 and 1.1 — only allow TLS 1.2 and 1.3
  • Remove weak cipher suites (RC4, DES, export ciphers)
  • Ensure your certificate chain is complete (intermediate certificates included)
  • Enable OCSP stapling for faster certificate validation
  • Set up automated certificate renewal with Let's Encrypt or your CA

Test your configuration with tools like SSL Labs. Aim for an A+ rating — it's achievable with standard configuration changes.

3. Find and close exposed services

Run a port scan against your external IP ranges. You'll likely find services that shouldn't be publicly accessible:

  • Database ports (3306 for MySQL, 5432 for PostgreSQL, 27017 for MongoDB)
  • Admin interfaces (phpMyAdmin, Adminer, database management tools)
  • Development tools (debuggers, profilers, hot-reload servers)
  • Internal APIs that were accidentally exposed
  • SSH on non-standard ports (security through obscurity, but still discoverable)

For each exposed service, decide: does this need to be internet-facing? If not, firewall it. If yes, ensure it requires authentication and is running current software.

4. Implement rate limiting on authentication endpoints

Credential stuffing and brute-force attacks are among the most common attack vectors. If your login, registration, and password reset endpoints don't have rate limiting, you're inviting these attacks.

Implementation options:

  • Nginx — use limit_req_zone and limit_req directives
  • Express.js — use express-rate-limit middleware
  • Cloudflare / CDN — configure rate limiting rules at the edge
  • Application level — track failed attempts per IP and per account

A reasonable starting point: 10 login attempts per IP per minute, with progressive backoff. Combine with account lockout after 5 failed attempts (with automatic unlock after 15 minutes).

5. Remove sensitive information from public responses

Check what your servers reveal to anyone who asks:

  • Server headers — does your response include Server: Apache/2.4.41 or X-Powered-By: Express? These help attackers fingerprint your stack. Remove or obscure them.
  • Error pages — do errors expose stack traces, file paths, or database queries? Configure production error handling to show generic messages.
  • robots.txt — does it list sensitive paths like /admin, /api/internal, or /backup? Attackers read robots.txt as a treasure map.
  • .git exposure — is your .git directory accessible via the web? This leaks your entire source code history.
  • Environment files — are .env, config.json, or similar files accessible? These often contain database credentials and API keys.

Each of these is a quick fix — a configuration change, a file permission update, or an nginx rule. Combined, they significantly reduce the information available to attackers during reconnaissance.

The compound effect

None of these changes individually makes your infrastructure impenetrable. But security is about layers, and each of these quick wins eliminates or mitigates common attack vectors. Implement all five, and you've meaningfully reduced your risk in less time than it takes to schedule a meeting about security strategy.

Want to know which of these quick wins apply to your infrastructure? FortWatch scans your external attack surface and identifies exactly these types of issues — security headers, TLS configuration, exposed services, and information disclosure — with clear remediation guidance for each finding.

Share this post
Get started

Ready to secure your infrastructure?

Try for free — scan your entire attack surface in under 5 minutes. No credit card required.

  • No credit card required

  • 14-Day free trial

Ready to secure your stack?

Secure your entire stack today

Start scanning in under 5 minutes. No credit card required. 14-day free trial included.

Start free trial