Message Boards

security measures

Updated 8 years ago by Will Koopman.

security measures

New Member Posts: 2 Join Date: 15/08/28 Recent Posts
Hi guys!

I'm new to Liferay and just set up the latest CE of Liferay.
Before we go "live" with our system I've implemented some security measures.

These I added to the portal-ext.properties file


# domain name of web server
web.server.host=ourdomain.tld
# http port of web server
web.server.http.port=8080
# https port of web server
web.server.https.port=8443
# require https for authentication (login)
company.security.auth.requires.https=true
# allow only https traffic
main.servlet.https.required=true
# webserver protocol
web.server.protocol=https
# encryption algorithm
company.encryption.algorithm=AES
company.encryption.key.size=256
# password hashing
password.encryption.algorithm=SSHA


As you can see only https traffic is allowed. When people open ourdomain.tld:8080 they will be forwarded automatically to ourdomain.tld:8443.
I'm using a CA-signed certificate with 2048-bit length and that's working as well. I've created a keystore for that with the Java keytool.

At this moment I'm implementing a password policy which forces a min. length of 6 characters, min 1 symbol, min 1 capital letter and an expiration of 14 weeks. Users can't use a previous password (memory of last 3 passwords).

I've created a MySQL database which allows local connections only. Passwords are salted.

I think I've enforced some good security measures right now, but do you recommend any more? Tips are welcome!

Tnx in advance.

Greets
Will
Updated 8 years ago by Samuel Kong.

RE: security measures

Liferay Legend Posts: 1902 Join Date: 08/03/10 Recent Posts
A good place to start is Olaf's blog series on Security Liferay