General web and app security

By default, web servers should only listen on local network, not the internet
All unused services should be disabled
There are Linux security tools that can assist in locking down webservers and devices:
- SELinux
- AppArmor
- SMACK, Tomoyo Linux, grsecurity, RSBAC, etc.

By default, web servers should only listen on local network, not the internet