I searched all over the Internet, trying to find a security guide for a truly secure site, such as an online banking site, and did not find one.
I am interested in knowing what practices you use in the following areas:
- Communication: definitely using SSL... any additional tips to protect against man-in-the-middle attacks?
- Authentication: username + password + captcha + time limits + forced changes.
- Between pages: is there such a thing?
- XSS and XSRF prevention: already in the platform.
- Encrypting sensitive data on the client and server: how exactly? Should there be sensitive data on the client at all?
- Fine-tuning authorization: show/hide + execute commands + permissions.
- Auditing: what is it, and how does it differ from event logging?
- Page-level security: preventing page content from being manipulated (do we really need this?)
And how do you detect penetration attempts? Monitoring IP addresses, blocking certain accounts...? Is there a way to test or simulate threats?
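One way to turn the last question (monitoring IP addresses, blocking accounts) into concrete detection logic, as an added example that is not part of the original post. The log format, thresholds and addresses below are constructed assumptions; real systems would feed authentication events from their own audit trail.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system), one event per
# line, in chronological order: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-01-05T10:00:01 FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:03 FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:04 FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:06 FAIL user=bob ip=203.0.113.7
2024-01-05T10:00:08 FAIL user=carol ip=203.0.113.7
2024-01-05T10:00:09 FAIL user=dave ip=203.0.113.7
2024-01-05T10:05:00 OK user=alice ip=198.51.100.2
2024-01-05T10:20:00 FAIL user=erin ip=198.51.100.9
2024-01-05T11:30:00 FAIL user=erin ip=198.51.100.9
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def detect_attempts(log_text, window=timedelta(minutes=10),
                    max_fail_per_ip=5, max_users_per_ip=3):
    """Sliding-window analysis of failed logins (assumes chronological input).

    Returns {"block_ips": ..., "review_accounts": ...}: an IP is flagged for
    blocking when it exceeds max_fail_per_ip failures inside the window; when one
    IP fails against many distinct accounts (a spraying pattern), those accounts
    are flagged for review rather than locked, so an attacker cannot lock out
    legitimate users simply by guessing their names.
    """
    fails_by_ip = defaultdict(list)  # ip -> [(timestamp, user), ...] within window
    block_ips, review_accounts = set(), set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, ip = parse_line(raw)
        if result != "FAIL":
            continue  # only failures feed the counters
        events = fails_by_ip[ip] + [(ts, user)]
        # Drop failures that fell out of the window ending at this event
        events = [(t, u) for t, u in events if ts - t <= window]
        fails_by_ip[ip] = events
        if len(events) >= max_fail_per_ip:
            block_ips.add(ip)
        distinct_users = {u for _, u in events}
        if len(distinct_users) >= max_users_per_ip:
            review_accounts.update(distinct_users)
    return {"block_ips": block_ips, "review_accounts": review_accounts}
```

Running it over the sample flags 203.0.113.7 (six failures across four accounts in nine seconds) while 198.51.100.9, whose two failures are over an hour apart, stays clean.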