CONFIDENTIALITY

Security of our user sessions and the security of user data is our number one priority.

The following rules should always be applied:

  • Sensitive data to be protected in transit and at rest with industry-standard cryptography.
  • All websites to operate only over HTTPS (an automatic redirection from http to https is acceptable), supporting TLS 1.2 and TLS 1.3 and preferring TLS 1.3 as the faster and stronger protocol.
  • All versions of SSL, as well as TLS 1.0 and TLS 1.1, are now considered insecure.
  • Assurances to be provided that sessions cannot be hijacked.
  • Session identifiers are not sequential or guessable.
  • Sessions have automatic expiry after non-use and a maximum time to live, after which they can no longer be used to assure the identity of users.
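The TLS floor and the session rules above, as an added example in Python (not code from this policy's authors): a server-side TLS context that refuses SSL, TLS 1.0 and TLS 1.1 while still negotiating TLS 1.3 when the client offers it, and a session store whose identifiers come from the OS random source and which enforces both an idle timeout and an absolute time to live. The concrete numbers (256-bit identifiers, 15 minutes idle, 8 hours maximum) are assumptions; the policy sets no values.

```python
"""Added example: TLS version floor and session-lifetime enforcement."""
import secrets
import ssl
import time
from dataclasses import dataclass
from typing import Optional

# Assumed values; the policy states the rules but no numbers.
SESSION_ID_BYTES = 32           # 256 bits drawn from the OS CSPRNG
IDLE_TIMEOUT_S = 15 * 60        # expire after 15 minutes of non-use
ABSOLUTE_TTL_S = 8 * 60 * 60    # hard cap of 8 hours from creation


def server_tls_context() -> ssl.SSLContext:
    """Server context accepting only TLS 1.2 and TLS 1.3.

    create_default_context already disables SSLv2/SSLv3; raising the
    minimum version removes TLS 1.0 and 1.1 as well.  The maximum is left
    at the library default, so TLS 1.3 is negotiated when the client offers it.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Call ctx.load_cert_chain(certfile, keyfile) before serving; omitted
    # here so the example runs without a certificate on disk.
    return ctx


@dataclass
class _Record:
    user: str
    created: float      # seconds, same clock as the `now` passed by callers
    last_seen: float


class SessionStore:
    """In-memory session table enforcing idle timeout and absolute TTL.

    `now` is injectable so the lifetime rules can be exercised without
    waiting; production callers simply omit it and time.time() is used.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_S,
                 absolute_ttl: float = ABSOLUTE_TTL_S) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_ttl = absolute_ttl
        self._records = {}  # session id -> _Record

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # token_urlsafe reads os.urandom: identifiers are neither sequential
        # nor derivable from earlier ones, satisfying the guessability rule.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._records[sid] = _Record(user=user, created=now, last_seen=now)
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to `sid`, or None if unknown or expired."""
        now = time.time() if now is None else now
        rec = self._records.get(sid)
        if rec is None:
            return None
        too_old = now - rec.created >= self.absolute_ttl      # maximum time to live
        idle = now - rec.last_seen >= self.idle_timeout       # expiry after non-use
        if too_old or idle:
            del self._records[sid]    # expired sessions are purged, not merely refused
            return None
        rec.last_seen = now           # activity extends the idle window, never the TTL
        return rec.user

    def revoke(self, sid: str) -> None:
        """Server-side logout: the identifier becomes unusable immediately."""
        self._records.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", now=0.0)
    print("after 10 min:", store.resolve(sid, now=600.0))          # alice
    print("after 30 idle min:", store.resolve(sid, now=600.0 + 1800.0))  # None
    print("TLS floor:", server_tls_context().minimum_version)      # TLSVersion.TLSv1_2
```

Touching a session on every request refreshes `last_seen` only; `created` is fixed, so a continuously active session still ends at the absolute TTL, which is what the maximum time-to-live rule requires. Rotating the identifier after login and sending it only in a `Secure`, `HttpOnly` cookie over the HTTPS-only sites described above are the companion controls for the hijacking rule.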