Let me try to gather some useful hints we could suggest in the past in one place. You are also welcomed to make your own points on the subject, as Michael suggested. Usually we would say that Gluu Server is not that much different from any other web service, thus the regular considerations apply.
You are right about the `setup.properties.last` file, in the past we even suggested to remove it post-install (after properly documenting all passwords stored in it). Though most of those passwords still can be gathered by studying different configuration files, assuming intruder can access file system and knows where to look for them, no need to make their life easier.
You also could review Apache's configuration in `/etc/httpd/conf.d/https_gluu.conf`, in particular SSL/TLS cipher suites allowed by it. We try to not limit the default setup too much, but depending on your requirements you may want to disable some of them if they are not secure enough. You also could consider uncommenting "Content-Security-Policy" and "X-Frame-Options" clauses there, but those haven't been proprly tested and defaults may need to be adjusted to be compatible with the current Gluu package.
Another thing you could consider is to set "dynamicRegistrationEnabled" to false at "Configuration -> JSON Configuration -> oxAuth", if you don't plan to use the feature, or OIDC altogether.
We also usually recommend to block access to oxTrust web UI from public networks. This can be achieved, for example, by limiting access to a specific ip address/network range only for corresponding "Location" directive in `/etc/httpd/conf.d/https_gluu.conf`:
ProxyPass http://localhost:8082/identity retry=5 connectiontimeout=5 timeout=15
Require ip 184.108.40.206
We'll get back to you when we'll come up with a more comprehensive list.