Goal
- Prevent sensitive data from being made public or stored Unencrypted at any stage in accessing a page (ISP, proxy, web Server, browser history, third-party services, etc.).
- Allow users to enter sensitive data, safe in the knowledge that They will be protected and kept confidential.
Implementation
Submit sensitive form data by the POST
method. Do not include sensitive data in the link URL.
Control
During operations on the website such as logging in to an account, entering personal data, purchasing, etc., check that none of the data entered appears unencrypted in the URL via the following three checks:
- Check that identification does not lead to a page with typelogin.php?user=something@password=123;
- Also check that the pages do not contain links containing this type of information. In fact a link of this type can be made: http://user:pass@example.com/ or ftp://user:pass@example.com/. This is obviously very strongly discouraged and should be banned.
- Also check that the session id is not passed in the URL, resulting in URLs like page.php?SESSIONID=123abc456def. Anyone retrieving this identifier, including by reading over the user's shoulder, would have access to their account.
It is important to carry out these tests by activating and deactivating the cookies of the browser, certain tools (frameworks, CMS) having the annoying habit of transmitting the information unencrypted in the second case.
Discover Opquast training and certification
The objective of these rules and the Opquast community mission is ‘making the web better’ for your customers and for everyone! Opquast rules cover the key major areas of risk that can negatively affect website users such as privacy, ecodesign, accessibility and security.
Opquast training has already allowed over 19,000 web professionals to have their skills certified. Train your teams, contact us
We offer a 1 hour free discovery module.