The servers are generally quite secure, we keep up to date on security patches, and they are clean, ie: they only run the services that are required for IIS and only contain customer websites. Non-essential services are shut off and we lock down the filesystem permissions.
On your web site, you should mostly worry about any data that is entered by the public. Usually external data arrives in the form of:
Forms and querystring values should be checked for length and valid characters. Generally disallow anything but the printable ASCII set and CR and LF characters where appropriate. Numeric data should be subject to bounds checking for both minimum and maximum values.
File uploads should be checked for size and you should never use the supplied filename from the client browser. Your script should enforce the maximum file size and should generate a file name (including extension). You should also use a predetermined path to the writable folder.
Watch for arrays that can grow dynamically based on user input. Put a maximum size on them.
Keep your databases in the /database folder so no one can download them. FP and InterDev usually set these permissions if they live elsewhere in the directory tree, but if you have any not in /database, double check with a browser and try a URL like:
Where the URL is the exact path to your .MDB file. If the browser downloads your MDB to your workstation, you are in trouble. If this is the case, let us know and we will fix the permissions so ODBC works, but anonymous HTTP downloads do not.