
Securing your AI Projects with AI

ree

I wanted to share a thorough AI prompt to help secure your web server. It is also a dangerous one, so beware: back up your data, run it on a development server, NOT your live server, and do so at your own risk! One of the most important criticisms of newcomers who use AI to build new websites and applications is that their lack of both coding and security knowledge will leave many of these creations exposed, and with them their users' personal data and much more. It IS a valid point, and you want to act on it. NOTHING is more important than understanding HOW this works, so use this as an education, not just a prompt that solves all your woes. It won't. Nothing is 100% bulletproof, BUT this prompt will dig deep to secure your project online if you are running on your own virtual private server or similar hosting that isn't a policed, managed service (basically, you have root access). Re-run it straight after to confirm the defences have been bolstered, and run it again after major updates.


It will burn several tokens! But security deserves investment. Here is the example prompt:

COMPREHENSIVE WEB SERVER SECURITY AUDIT & LOCKDOWN REQUEST

I need you to perform a complete security audit and lockdown of my web server to protect against hackers and unauthorized access. I'm not very experienced with server security, so please be thorough and explain everything.

CRITICAL SECURITY TASKS TO PERFORM:

1. FILE SYSTEM SECURITY:

  • Audit all file and directory permissions in the project root

  • Identify any world-readable files that contain sensitive information

  • Set restrictive permissions (700/750 for directories, 600/640 for sensitive files)

  • Secure any documentation, configuration, log, database, or source code files

  • Check for any .env files, API keys, passwords, or credentials with weak permissions
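As an added example (not code from the original post), here is a small POSIX shell script that does what step 1 asks for by hand: it lists the sensitive files under a project root that are world-readable, lists anything world-writable, and can tighten them. The file-name list and the project path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a project root for the
# sensitive files step 1 of the prompt lists, report any that are readable or
# writable by "other", and optionally tighten them (600 files, o-w removed).
set -eu

# Constructed list based on the prompt's examples; extend it for your project.
SENSITIVE_GLOBS='.env *.env *.pem *.key *.sql *.db *.log *.bak *.backup *.old *.ini *.yml *.yaml *.conf'

# audit_perms ROOT BITS: sensitive files under ROOT whose mode contains every
# bit in BITS (find -perm -BITS): 004 = world-readable, 002 = world-writable.
audit_perms() {
  root=$1; bits=$2
  set -f                               # keep the shell from expanding *.sql itself
  set -- -false
  for g in $SENSITIVE_GLOBS; do set -- "$@" -o -name "$g"; done
  set +f
  find "$root" -type f \( "$@" \) -perm "-$bits" -print | sort
}

# world_writable ROOT: anything writable by "other" is a problem whatever its
# name (prompt step 4); a world-writable directory lets anyone plant files in it.
world_writable() {
  find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# fix_perms ROOT: sensitive files become owner-only (600); world-writable paths
# lose the "other" write bit. Re-run audit_perms afterwards to confirm it is empty.
fix_perms() {
  audit_perms "$1" 004 | while IFS= read -r f; do chmod 600 "$f"; done
  world_writable "$1" | while IFS= read -r p; do chmod o-w "$p"; done
}

# Usage: sh perm_audit.sh /var/www/myproject [fix]   (the path is an assumption)
if [ "${1:-}" ]; then
  echo "World-readable sensitive files:"; audit_perms "$1" 004
  echo "World-writable files and directories:"; world_writable "$1"
  if [ "${2:-}" = fix ]; then fix_perms "$1"; echo "Permissions tightened."; fi
fi
```

Run it once to see the report, then with `fix` to apply the changes, and run it a second time to confirm both lists come back empty.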

2. WEB SERVER SECURITY (NGINX/APACHE):

  • Add deny rules to block access to sensitive directories like: docs/, logs/, src/, server/, config/, scripts/, node_modules/, .git/, backups/, database/, membership/, admin/, private/

  • Block access to sensitive file types: .md, .log, .env, .config, .json, .sql, .db, .backup, .bak, .old, .tmp, .pid, .sh, .py, .js (source), .ts, .yml, .yaml, .ini, .conf

  • Block access to all hidden files and directories (starting with .)

  • Add security headers for protection against XSS, clickjacking, MIME sniffing, etc.

  • Ensure only legitimate web assets (HTML, CSS, JS, images) in /assets/ or /static/ are accessible
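The deny rules and headers of step 2 written out as nginx config, as an added example that is not part of the original post. The script builds the snippet from the prompt's own directory and extension lists and installs it only if `nginx -t` passes; the snippet path and the assumption that real assets live under /assets/ or /static/ are mine.

```shell
#!/bin/sh
# Added example, not from the original post: generate the nginx deny rules and
# security headers that step 2 of the prompt asks for, straight from the prompt's
# own lists, then install the snippet only if `nginx -t` accepts it.
set -eu

# Lists from the prompt. Hidden entries (.git, .env, .htaccess) are caught by the
# dot-file rule. Assumption: real web assets live under /assets/ or /static/;
# .js/.ts anywhere else is treated as source, so adjust DENY_EXTS if yours do not.
DENY_DIRS='docs logs src server config scripts node_modules backups database membership admin private'
DENY_EXTS='md log env config json sql db backup bak old tmp pid sh py js ts yml yaml ini conf'
SNIPPET=${SNIPPET:-/etc/nginx/snippets/hardening.conf}   # assumed path; include it from server { }

join() { printf '%s|' "$@" | sed 's/|$//'; }              # a b c -> a|b|c

# gen_snippet: print the config. 404 instead of 403 so a probe cannot even
# confirm that the path exists, which is what the prompt's test section asks for.
gen_snippet() {
  dirs=$(join $DENY_DIRS); exts=$(join $DENY_EXTS)
  # "^~" prefix locations win over regex locations, so assets are still served
  # even when their extension appears in DENY_EXTS.
  printf 'location ^~ /assets/ { try_files $uri =404; }\n'
  printf 'location ^~ /static/ { try_files $uri =404; }\n'
  printf 'location ~ /\\. { return 404; }\n'
  printf 'location ~* ^/(%s)(/|$) { return 404; }\n' "$dirs"
  printf 'location ~* \\.(%s)$ { return 404; }\n' "$exts"
  # "always" sends the headers on error responses too. Note that add_header is
  # not inherited by any location block that sets its own add_header.
  printf 'add_header X-Content-Type-Options "nosniff" always;\n'
  printf 'add_header X-Frame-Options "DENY" always;\n'
  printf 'add_header Referrer-Policy "strict-origin-when-cross-origin" always;\n'
  printf 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;\n'
  # A starting CSP; sites with inline scripts or third-party assets must loosen it.
  printf 'add_header Content-Security-Policy "%s" always;\n' "default-src 'self'"
}

# install_snippet: back up the previous snippet (that backup is the rollback),
# write the new one, and reload nginx only if the whole config validates.
install_snippet() {
  if [ -f "$SNIPPET" ]; then cp -p "$SNIPPET" "$SNIPPET.bak.$(date +%Y%m%d%H%M%S)"; fi
  gen_snippet > "$SNIPPET"
  nginx -t && systemctl reload nginx
}

case ${1:-} in
  install) install_snippet ;;
  *)       gen_snippet ;;       # default: print the snippet for review
esac
```

Because regex locations are matched before a plain `location /`, these rules also take effect in front of a proxied application, not only for static sites.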

3. APPLICATION SECURITY:

  • Review if the application accidentally serves sensitive directories via static file middleware

  • Check for any debug modes, verbose error messages, or development settings in production

  • Verify API endpoints don't expose sensitive information

  • Check for any admin panels or debugging interfaces that should be restricted

4. SYSTEM SECURITY:

  • Check what user the web server and application processes run as (should not be root)

  • Verify file ownership is correct and restrictive

  • Check for any world-writable files or directories

  • Review systemd services, cron jobs, or startup scripts for security issues

5. NETWORK SECURITY:

  • Verify HTTPS is properly configured with strong SSL/TLS settings

  • Check for any unnecessary open ports or services

  • Ensure firewall rules are appropriate

  • Test that sensitive endpoints return 404/403 instead of exposing information

TESTING REQUIREMENTS:

After implementing security measures, test that:

  • Main website functionality works perfectly (don't break anything!)

  • All sensitive directories return 404 errors when accessed via web

  • API endpoints still function correctly

  • Static assets (CSS, JS, images) still load properly

  • SSL/HTTPS works correctly

BACKUP & SAFETY:

  • Create backups of all configuration files before making changes

  • Test each change incrementally

  • Provide rollback instructions if something goes wrong

  • Verify website functionality after each security change

DOCUMENTATION:

  • Explain what each security measure does and why it's important

  • Provide a summary of what was secured and what threats were mitigated

  • Give me a list of the most critical security improvements made

  • Include commands to verify the security measures are working

PRIORITY ORDER:

  1. Most critical: Block access to sensitive files/directories that could expose credentials, source code, or internal documentation

  2. High: Fix file permissions on sensitive files

  3. Medium: Add comprehensive security headers

  4. Low: Additional hardening measures

EXAMPLE SENSITIVE PATHS TO SECURE:

Test and block access to paths like:

  • /docs/, /.env, /config/, /logs/, /backups/

  • /admin/, /server/, /src/, /node_modules/, /.git/

  • /database/, /db/, /sql/, /membership/

  • Any files ending in .log, .md, .env, .config, .sql, .db, .backup
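The testing requirements above, as an added example that is not part of the original post: a shell script that checks that every sample path is answered with 404 or 403, that a known-good asset still loads, and that the security headers named in section 2 are present. The base URL and the asset path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the checks from the prompt's
# testing section, run against the sample paths from its last section. Sensitive
# paths must answer 404/403, a known-good asset must still answer 200, and the
# security headers must be present. Usage: sh verify.sh https://example.com /assets/app.css
set -eu
SENSITIVE_PATHS='/.env /.git/HEAD /docs/ /config/ /logs/ /backups/ /admin/ /server/ /src/ /node_modules/ /database/ /db/ /sql/ /membership/ /README.md /error.log /dump.sql /site.db'
REQUIRED_HEADERS='x-content-type-options x-frame-options referrer-policy content-security-policy strict-transport-security'

# Network access is isolated here so the checks below can be exercised offline.
http_status()  { c=$(curl -s -m 10 -o /dev/null -w '%{http_code}' "$1" 2>/dev/null || true); printf '%s\n' "${c:-000}"; }
http_headers() { curl -sI -m 10 "$1" | tr 'A-Z' 'a-z'; }

# check_paths BASE: one line per path; returns 1 if any path is still served.
check_paths() {
  rc=0
  for p in $SENSITIVE_PATHS; do
    code=$(http_status "$1$p")
    case $code in
      404|403)         printf 'blocked %s %s\n' "$code" "$p" ;;
      301|302|307|308) printf 'review  %s %s (redirect: check the target is blocked too)\n' "$code" "$p" ;;
      000)             printf 'error   %s %s (no response)\n' "$code" "$p"; rc=1 ;;
      *)               printf 'EXPOSED %s %s\n' "$code" "$p"; rc=1 ;;
    esac
  done
  return $rc
}
# check_asset BASE PATH: the prompt's "don't break anything" rule.
check_asset() {
  code=$(http_status "$1$2")
  if [ "$code" = 200 ]; then printf 'ok      %s %s\n' "$code" "$2"; return 0; fi
  printf 'BROKEN  %s %s\n' "$code" "$2"; return 1
}
# check_headers BASE: returns 1 if any expected header is missing from /.
# HSTS only applies over HTTPS, so expect it MISSING on a plain-HTTP test server.
check_headers() {
  hdrs=$(http_headers "$1/"); rc=0
  for h in $REQUIRED_HEADERS; do
    if printf '%s\n' "$hdrs" | grep -q "^$h:"; then printf 'header  present %s\n' "$h"
    else printf 'header  MISSING %s\n' "$h"; rc=1; fi
  done
  return $rc
}
if [ "${1:-}" ]; then
  fail=0
  check_paths "$1" || fail=1; check_asset "$1" "${2:-/}" || fail=1; check_headers "$1" || fail=1
  exit $fail
fi
```

A non-zero exit status means at least one path is still served, the asset broke, or a header is missing, so the script can be re-run after every change and after each major update.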


Please be thorough but safe - I need maximum security without breaking my website functionality. Explain everything clearly since I'm not a security expert.


