- Prevent sensitive data from being made public or stored Unencrypted at any stage in accessing a page (ISP, proxy, web Server, browser history, third-party services, etc.).
- Allow users to enter sensitive data, safe in the knowledge that They will be protected and kept confidential.
Submit sensitive form data by the
method. Do not include sensitive data in the link URL.
During operations on the website such as logging in to an account, entering personal data, purchasing, etc., check that none of the data entered appears unencrypted in the URL via the following three checks:
- Check that identification does not lead to a page with typelogin.php?user=something@password=123;
- Also check that the pages do not contain links containing this type of information. In fact a link of this type can be made: http://user:firstname.lastname@example.org/ or ftp://user:email@example.com/. This is obviously very strongly discouraged and should be banned.
- Also check that the session id is not passed in the URL, resulting in URLs like page.php?SESSIONID=123abc456def. Anyone retrieving this identifier, including by reading over the user's shoulder, would have access to their account.
It is important to carry out these tests by activating and deactivating the cookies of the browser, certain tools (frameworks, CMS) having the annoying habit of transmitting the information unencrypted in the second case.
Business application and benefits
The rules should be applied to your projects from the design phase through to post-implementation , and they should be understood by all professionals with web and customer experience (CX) responsibilities: from strategy to operations, marketers to project managers, and editorial to technical staff. The benefits of using this ruleset are numerous, including improving customer satisfaction, web performance, and e-commerce, and expanding your client base, while also decreasing your errors and costs.
The objective of these rules and the Opquast community mission is ‘making the web better’ for your customers and for everyone! Opquast rules cover the key major areas of risk that can negatively affect website users such as privacy, ecodesign, accessibility and security.