Background
Two things: data sent over the internet, and data stored on disk. Classic failures: HTTPS not enforced everywhere, passwords stored as plain text, sensitive data sat unencrypted in a database.
Questions to ask yourself
- Does every URL on our site redirect to HTTPS?
- How does our system store passwords?
- Are we storing data we don't need?
- Where else is sensitive data sitting unencrypted?
For owners — questions to ask your developer
Questions to ask your developer
You can verify some of this yourself; the rest is about asking the right things.
- 01Verify yourself: Test your site at SSL Labs. Aim for an A grade. If it's lower, ask why.
- 02“Show me how passwords are stored. If you can decrypt them to compare on login, the design is wrong — they should be one-way hashed with bcrypt or argon2.”
- 03Decision: What sensitive data are we keeping that we don't actually need? Agree a retention period and a deletion schedule.