Community-developed, open source information security hardening guides. The initial set of HTH guides is focused on hardening cloud services, with an emphasis on integration security and supply chain attack prevention.
Third-party risk management in InfoSec is fundamentally broken.
In August 2025, the Salesloft/Drift supply chain attack compromised 700+ organizations including Cloudflare, Palo Alto Networks, and Zscaler. Three months later, Gainsight was breached the same way, affecting 200+ more organizations including F5, GitLab, and CrowdStrike.
Victims had conducted vendor security assessments. They had reviewed SOC 2 reports. They still got breached.
What worked? Organizations like Okta that had configured their own Salesforce instances to restrict API access via IP allowlisting. When attackers used stolen OAuth tokens against Okta's tenant, their requests were blocked because they originated from IPs Okta hadn't allowlisted.
This is defense-in-depth done right: First-party controls you configure to limit damage when third-party vendors get compromised.
Like CIS Benchmarks, but free, vendor-neutral, and focused on integration controls.
- Salesforce, Microsoft 365, GitHub, Google Workspace, Slack, Okta, and more
- Covers authentication, authorization, API security, data protection
- Both ClickOps (GUI) and Code (IaC/API) implementations
Within each vendor guide, we emphasize how to configure that platform to restrict third-party integrations.
Example: Salesforce Hardening Guide includes controls for IP-allowlisting Gainsight, Drift, and HubSpot.
This integration security focus doesn't exist in CIS Benchmarks or vendor documentation.
Real-world attacks (Drift, Gainsight, CircleCI, Okta) mapped to specific preventive controls that would have blocked or limited the attack.
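The per-integration allowlisting control described above, modelled as an added example (not project code): each vendor holding an OAuth token gets its own source-IP allowlist, so a valid but stolen token replayed from outside the vendor's egress ranges is denied, and an audit ranks missing controls by blast radius, as the planned stack analyzer is meant to. The inventory, vendor CIDRs (RFC 5737 documentation ranges) and scope names are all constructed.

```python
"""Model of per-integration IP allowlisting for SaaS OAuth integrations.

Constructed example, not project code. Token validity alone never grants
access: the request must also originate from the integration's allowlist.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Integration:
    name: str                                   # third-party vendor holding a token
    scopes: list                                # OAuth scopes granted to it
    allowed_cidrs: list = field(default_factory=list)  # vendor egress ranges


# Constructed inventory; CIDRs are documentation ranges, not real vendor IPs.
INVENTORY = [
    Integration("gainsight", ["api", "refresh_token"], ["198.51.100.0/24"]),
    Integration("drift", ["api", "full"], []),  # no allowlist: token works anywhere
]


def evaluate_request(integration: Integration, source_ip: str, token_valid: bool) -> str:
    """Decide a request presenting the integration's token."""
    if not token_valid:
        return "deny:invalid_token"
    if not integration.allowed_cidrs:
        return "allow:no_allowlist"  # weak posture: a stolen token is usable from anywhere
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(cidr) for cidr in integration.allowed_cidrs):
        return "allow"
    return "deny:ip_not_allowlisted"  # stolen token replayed from outside vendor ranges


def audit(inventory: list) -> list:
    """Return (integration, recommendation) pairs ordered by blast radius:
    missing allowlists first, with broad ('full') scopes ranked above narrow ones."""
    findings = []
    for i in inventory:
        if not i.allowed_cidrs:
            findings.append((3 if "full" in i.scopes else 2, i.name,
                             "add IP allowlist for vendor egress ranges"))
        if "full" in i.scopes:
            findings.append((1, i.name, "reduce OAuth scopes to the minimum needed"))
    return [(name, rec) for _, name, rec in sorted(findings, key=lambda f: -f[0])]
```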
Scenario 1: You use Salesforce + Gainsight

```bash
# Option 1: Browse guides online
Visit: https://how-to-harden.dev
Search for: Salesforce guide
Navigate to: IP Allowlisting controls section

# Option 2: View guides locally
git clone https://github.com/yourproject/how-to-harden
cd how-to-harden/docs/_guides
# Read the relevant guide (e.g., salesforce.md)
# Follow the ClickOps or automation instructions provided
# Estimated time: 10-15 minutes per control
```

Scenario 2: Audit your current SaaS stack

```bash
# Coming soon: Stack analyzer
how-to-harden analyze --stack salesforce,gainsight,slack,github
# Outputs prioritized hardening recommendations for your specific stack
```

We need your expertise! See CONTRIBUTING.md for:
- How to propose new platform guides
- How to add defensive patterns
- Template structure and quality standards
Priority areas needing contribution:
- Microsoft 365 + third-party app hardening
- GitHub Actions supply chain security
- Google Workspace default-sharing reduction
- Slack OAuth app governance
```text
how-to-harden/
├── docs/                        # Jekyll documentation site
│   ├── _config.yml              # Jekyll configuration
│   ├── Gemfile                  # Ruby dependencies
│   ├── CNAME                    # Custom domain configuration
│   ├── index.html               # Main landing page
│   ├── about.md                 # About page
│   ├── _guides/                 # Platform hardening guides (53 guides)
│   │   ├── salesforce.md
│   │   ├── github.md
│   │   ├── okta.md
│   │   ├── microsoft-365.md
│   │   └── ... (50+ more platform guides)
│   ├── _layouts/                # Jekyll layouts
│   │   ├── default.html
│   │   └── guide.html
│   ├── _includes/               # Reusable Jekyll components
│   │   ├── header.html
│   │   └── footer.html
│   └── assets/                  # CSS, images, and other static assets
│       └── css/
├── templates/
│   └── vendor-guide-template.md # Template for new vendor guides
├── README.md                    # This file
├── PHILOSOPHY.md                # Project scope and design principles
├── CONTRIBUTING.md              # Contribution guidelines
└── LICENSE                      # MIT License
```
Structure Notes:
- Built with Jekyll for easy GitHub Pages deployment
- Each vendor/product has ONE comprehensive hardening guide in docs/_guides/
- Guides organized by control categories (Auth, Network, OAuth, Data, Monitoring)
- Integration security controls (e.g., IP allowlisting specific vendors) are sections within guides
- All guides follow the template in templates/vendor-guide-template.md
Existing resources are excellent for their domains, but leave critical gaps:
| Resource | Strength | Gap |
|---|---|---|
| CIS Benchmarks | Infrastructure hardening (AWS, Azure, Kubernetes) | SaaS platforms; third-party integration controls |
| howtorotate.com | Secret rotation procedures | Proactive hardening (not post-breach remediation) |
| Vendor documentation | Feature details | Security-first guidance; vendor-neutral |
| OWASP | Application security | SaaS-specific configurations |
We focus on the intersection nobody else covers: SaaS integration security, OAuth governance, and supply chain attack prevention through first-party controls.
See PHILOSOPHY.md for full vision and scope definition.
We emphasize how to configure platforms to restrict third-party integrations, not just platform hardening in isolation.
Typical guide: "Enable Salesforce IP allowlisting" (what, but not when or for whom)
Our approach: "Restrict Gainsight's Salesforce access via IP allowlisting" (specific integration context, attack relevance)
We prioritize controls based on real attack patterns, not just audit requirements.
Compliance mappings (SOC 2, NIST 800-53, etc.) are included, but recommendations are ordered by:
- Recent supply chain attacks
- Common attack patterns
- Blast radius reduction
Every control includes:
- ClickOps (GUI/console) for IT admins without automation expertise
- Code (CLI/API/IaC) for security engineers who need repeatability
We maintain independence while accurately representing platform capabilities. We don't require vendor approval for content, but we welcome vendor engineer contributions.
Project Status: 🟡 Alpha (Initial development, seeking co-maintainers and contributors)
Coverage:
- ✅ 1 platform guide (Salesforce - in progress)
- ✅ 1 defensive pattern (IP allowlisting)
- ✅ 1 incident case study (Salesloft/Drift)
- 🚧 Automation tooling (scripts available, CLI tool planned)
Roadmap:
- Q1 2026: Foundation complete (governance docs, 2-3 platform guides, 3 defensive patterns)
- Q2 2026: Expand to 5 platforms, build CLI analyzer tool
- Q3-Q4 2026: CSPM/SSPM vendor partnerships, 10+ platforms, annual SaaS Security report
See GitHub Projects for detailed roadmap.
For Security Practitioners:
- 🔍 Review and validate existing guides (test in your environment, provide feedback)
- 📝 Document your stack (submit defensive patterns for integrations you use)
- 🐛 Report issues (outdated guidance, broken links, vendor product changes)
For Developers:
- 🛠️ Build automation (audit scripts, Terraform modules, CLI tool)
- 📊 Improve tooling (machine-readable data formats, API integrations)
For Researchers:
- 📑 Document incidents (map breaches to preventive controls)
- 🔬 Test controls (validate effectiveness in lab environments)
See CONTRIBUTING.md for detailed guidelines.
- GitHub Discussions: General Q&A, ideas, feedback
- GitHub Issues: Bug reports, feature requests, content proposals
- Slack/Discord: [Coming soon] #how-to-harden channel for real-time collaboration
All contributors are recognized in:
- CONTRIBUTORS.md
- Individual guide changelogs
- Annual project reports
Current Contributors:
- [@your-github-handle] - Project founder, Salesforce guide lead
This project is licensed under the MIT License - see LICENSE for full text.
You are free to use, modify, and distribute this work for any purpose.
Q: How is this different from CIS Benchmarks?
A: CIS focuses on infrastructure (AWS, Azure, Kubernetes). We focus on SaaS platforms and cross-platform integration security. CIS also requires paid membership for automation-friendly formats; we're free and open source.
Q: I found outdated information. How do I report it?
A: Open an issue with tag content-outdated and include the guide URL, what's wrong, and corrected information (with vendor documentation link).
Q: Can I contribute a guide for a platform not yet covered?
A: Yes! Check CONTRIBUTING.md for platform selection criteria and use our recommendation template.
Q: My company wants to sponsor this project. How?
A: Email [maintainer contact] to discuss. We're exploring foundation affiliation (OWASP, CSA, Linux Foundation) for transparent governance.
Q: Do you provide professional services to implement these controls?
A: No, this is a community project. Some contributors may offer consulting independently; check their GitHub profiles.
Inspired by:
- howtorotate.com by Truffle Security - Elegant simplicity, tight tool integration
- CIS Benchmarks - Structured recommendation format, multi-profile approach
- MITRE ATT&CK - Relational knowledge framework, real-world attack grounding
- OWASP Projects - Community-driven security resources, tiered maturity model
Special thanks to Okta's security team for sharing their Salesloft incident response publicly, demonstrating the effectiveness of IP allowlisting and inspiring this project's focus on first-party controls.
If you discover a security vulnerability in our automation scripts or recommendations that could actively harm users, please email [security contact] instead of opening a public issue.
For general content corrections or improvements, use GitHub Issues.
Built with ❤️ by security practitioners who are tired of third-party risk questionnaires that don't actually reduce risk.