Background
Two things to protect: data sent over the internet (in transit), and data stored on disk (at rest). Classic failures: HTTPS not enforced everywhere, passwords stored as plain text, sensitive data sitting unencrypted in a database.
Questions to ask yourself
- Does every URL on our site redirect to HTTPS?
- How does our system store passwords? (Right answer: hashed with bcrypt / argon2.)
- Are we storing data we don't need?
- Where else is sensitive data sitting unencrypted?
What you can do today
Three free checks
The basics are free to verify yourself.
1. Test your site's TLS with SSL Labs. Aim for an A grade.
2. Ask your developer: “Show me how passwords are stored.” If they can decrypt them, the design is wrong.
3. Don't keep what you don't need. Delete old customer records on a schedule.