Documentation: Using Backdrop - a new "Securing your site" page #160

Open
yorkshire-pudding opened this issue Oct 25, 2021 · 1 comment

yorkshire-pudding commented Oct 25, 2021

I think there is scope for a page aimed at site-builders that draws together the multiple different ways of securing sites. Sometimes I only find out about modules because they come up when I'm searching for something else. I'm open to suggestions, but I wonder about an approach like:

Security threat

  • what the threat is
  • when this would be a threat to your site (i.e. particular functions open to wider world)
  • when this is not a threat to your site

Mitigations

  • modules that can help
  • configurations that can help

Possible threats to include

  1. Spam (contact forms, comments, webforms, exposed node creation forms)
  2. Requests coming from other domains (trusted_host_pattern setting)
  3. Site displayed in iframes (and what to do if you want to allow particular domains to do this)
  4. Brute force attacks
  5. Users setting weak passwords
  6. DDoS
  7. Inappropriate content added by genuine users in comments
  8. Sites not using HTTPS
  9. Permissive roles accidentally given to anonymous or authenticated users

I'd be happy to pull information together. Any thoughts?

@bugfolder
Contributor

I'm always a fan of "more documentation", so I'd support this. Care to draft up a page? (Docs pages support HTML and Markdown.)

A question that somewhat affects what you say (at least in the intro) is where it should go in the menu block. Seems like the "Getting started" section has the high-level topics where this fits (I'd suggest following "Hosting/deploying"). Secondarily, it could go in the User guide as a new (last) item.
