Drupal is a framework for building good websites with many possibilities.
If we use Drupal in our software we need to know how to do things right, together, in our own style... FairCoop style. Always think distributed, free content and free software, and change our system for the good of the commons.
I propose that we check these rules in whatever way we want, but start here:
We need to understand the requirements of the project:
Information to offer.
Way of using it, communication channels, graphics...
Set up version control and an issue tracker.
Create a coherent structure for file management (e.g. if you upload a photo for the blog, create a folder in file management named blog...).
HSTS --> Better set in .htaccess as a header (Header always set Strict-Transport-Security "max-age=15568000"). This needs mod_headers enabled, and it should only be set once the whole site works over HTTPS, because browsers will then refuse plain HTTP for max-age seconds (here about 180 days).
File System --> Put files that must not be public on Drupal's private file path (file_private_path), a directory outside the web root that the web server does not serve directly, so Drupal serves them and can check access first.
Also add a bit of Content Security Policy --> This is difficult because it depends on which scripts we use, but as a starting recommendation: Header always set Content-Security-Policy "default-src 'self' data: https: 'unsafe-inline'" (this is not completely secure: 'unsafe-inline' still allows inline scripts injected by an XSS, and https: allows loading from any HTTPS host; at least it blocks plain-HTTP sources. Tighten it per directive (script-src, style-src, img-src) once you know what the site really loads.)
Use the check functions on output (check_plain() and placeholders in t() and l() in Drupal 7; Html::escape() and Twig auto-escaping in Drupal 8+) to prevent cross-site scripting attacks. Never print user input or database values into HTML unescaped.
Use the database abstraction layer (db_query() with :placeholders, db_select() in Drupal 7; the database service in Drupal 8+) to avoid SQL injection attacks. Never concatenate user input into a query string.
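The two rules above, shown as an added example (not code from the original page, from FairCoop or from Drupal core): a hypothetical Drupal 7 module function written the vulnerable way beside the same function written with the database layer and the check functions. It assumes the Drupal 7 API (db_select(), db_like(), check_plain(), t(), l(), theme()); the function names example_search_insecure and example_search_secure are made up for the example.

```php
<?php
// Added example for the Drupal rules above. Assumes Drupal 7 (the functions
// used here are core D7 API); Drupal 8+ equivalents are noted in comments.
// The function names are hypothetical and not part of any real module.

/**
 * VULNERABLE: user input concatenated into SQL and printed raw into HTML.
 *
 * A keyword like  x%' OR '1'='1  breaks out of the LIKE quotes and returns
 * every node, and a node title containing <script>...</script> is echoed
 * into the page unescaped (stored XSS).
 */
function example_search_insecure($keyword) {
  $result = db_query("SELECT nid, title FROM {node} WHERE title LIKE '%" . $keyword . "%'");
  $output = '<ul>';
  foreach ($result as $row) {
    $output .= '<li><a href="/node/' . $row->nid . '">' . $row->title . '</a></li>';
  }
  return $output . '</ul>';
}

/**
 * HARDENED: the same search through the database abstraction layer, with
 * every value bound as a placeholder and every string escaped on output.
 */
function example_search_secure($keyword) {
  // db_select() builds a parameterised query: the keyword is bound by PDO,
  // never concatenated, and db_like() escapes the LIKE wildcards % and _ so
  // the user cannot widen the pattern. (Drupal 8+: \Drupal::database()->select().)
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($keyword) . '%', 'LIKE')
    ->addTag('node_access')   // let node access grants filter the result
    ->range(0, 50);
  $rows = $query->execute();

  $items = array();
  foreach ($rows as $row) {
    // l() runs the link text through check_plain() and builds the href from
    // the internal path, so a malicious title cannot inject markup.
    $items[] = l($row->title, 'node/' . $row->nid);
  }

  // %keyword is a t() placeholder: it is check_plain()ed and wrapped in <em>,
  // so '<script>' comes back to the browser as &lt;script&gt;.
  // (Drupal 8+: \Drupal\Component\Utility\Html::escape(), or Twig auto-escape.)
  $header = t('Results for %keyword', array('%keyword' => $keyword));

  // theme('item_list') prints items as given, which is safe here only because
  // each item is already escaped markup from l().
  return '<p>' . $header . '</p>' . theme('item_list', array('items' => $items));
}
```

The rule of thumb behind the hardened version: values reach the database only as bound placeholders, and values reach the browser only through a function that escapes them (or a placeholder that does it for you). If you ever need to print trusted HTML, use the t() '!' placeholder or filter_xss() explicitly, so the exception is visible in code review.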
Cache performance in Drupal (admin/config/development/performance; note the page cache only serves anonymous users):
Expire cached pages after 1 day (Expiration of cached pages).
Compress cached pages.
Aggregate and compress CSS files.
Aggregate JavaScript files.
Leverage browser caching (far-future Expires / Cache-Control headers for static files).
Enable gzip compression on the web server (mod_deflate) for HTML, CSS and JS.
Specify image dimensions (width and height) so the page does not reflow while images load.
Use breakpoints and image styles to download appropriately sized images on each device.