Preventing flaws in cryptographic implementations
For HTTPS communication, disable all deprecated protocols, such as any version of SSL and even TLS 1.0 and 1.1. The last two need to be taken into consideration for the target users of the application, as TLS 1.2 may not be fully supported by older browsers or systems. Also, disabling weak encryption algorithms, such as DES and MD5 hashing, and modes, such as ECB, must be considered.
Furthermore, the responses of applications must include the secure flag in cookies and the HTTP Strict-Transport-Security (HSTS) header to prevent SSL Strip attacks.
More information about TLS configuration can be found at https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet.
Passwords must never be stored in cleartext, and it's inadvisable to use encryption algorithms to protect them. Rather, a one-way, salted hash function should be used. PBKDF2, bcrypt, and SHA-512 are the recommended alternatives. Use of MD5 is discouraged, as modern GPUs can...