How do these sites provide bitcoin security? What are the characteristics of the servers they use? They can take security measures in a software sense. But a person working at the hosting company can play with the bitcoins.
What protection do these sites use for security?
I don't have private keys on the webserver.
Some people use deterministic keys on the server but I don't even do that.
I generate keys on a non-connected PC using my own algorithm involving a seed and a salt, sign the addresses with libsodium, and then upload to a database the server fetches from.
The server then verifies the signature (so it knows a hacker didn't inject the address, never happened to me but...) before offering it as a payment address.
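
    import binascii
    import pysodium
    def sign_address(hexsk, m):  # function name is assumed; m is the message as bytes
        sk = binascii.unhexlify(hexsk)
        sig = pysodium.crypto_sign_detached(m, sk)
        return binascii.hexlify(sig)
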
(hexsk is the hex signing key, m is the message, which in this case is the base58 address; I can then verify on the web app with the libsodium PHP PECL module)
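The server-side check described above, as an added example that is not the poster's code. It assumes the `sodium_*` functions bundled with PHP 7.2+ (the post only names the libsodium PECL module); `verified_address()`, the row layout and the demo addresses are hypothetical.

```php
<?php
// Assumption: the verify key is pinned in server configuration, not stored in
// the same database as the addresses, so a database write cannot replace it.

/**
 * Return the address only if its detached Ed25519 signature verifies
 * against the pinned public key; return null for anything else.
 */
function verified_address(array $row, string $pkHex): ?string
{
    $addr   = $row['address'] ?? null;
    $sigHex = $row['sig_hex'] ?? null;
    if (!is_string($addr) || !is_string($sigHex)) {
        return null;
    }
    // Check encoding and length first: libsodium throws on wrong sizes.
    if (!ctype_xdigit($sigHex) || strlen($sigHex) !== 2 * SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    if (!ctype_xdigit($pkHex) || strlen($pkHex) !== 2 * SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return null;
    }
    $sig = sodium_hex2bin($sigHex);
    $pk  = sodium_hex2bin($pkHex);
    return sodium_crypto_sign_verify_detached($sig, $addr, $pk) ? $addr : null;
}

// Constructed demo data. In the workflow above the signing key stays on the
// offline machine; a key pair is generated here only so the example runs alone.
$kp    = sodium_crypto_sign_keypair();
$sk    = sodium_crypto_sign_secretkey($kp);
$pkHex = sodium_bin2hex(sodium_crypto_sign_publickey($kp));

$addr = '1ExampleAddressConstructedForDemo'; // placeholder, not a real address
$row  = [
    'address' => $addr,
    'sig_hex' => sodium_bin2hex(sodium_crypto_sign_detached($addr, $sk)),
];
// Same signature, different address: what a modified database row looks like.
$swapped = ['address' => '1SwappedAddressConstructedForDemo', 'sig_hex' => $row['sig_hex']];

foreach (['signed row' => $row, 'swapped row' => $swapped] as $label => $r) {
    $result = verified_address($r, $pkHex);
    echo $label, ': ', $result === null ? 'rejected' : "offer $result", PHP_EOL;
}
```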