- all pages within any given website must be available under HTTPS
- the secure connection to the website must be enforced by automatically redirecting web browsers from the http:// to the https:// version of the website
- special care should be applied to cover and verify the secured connection especially on transactional pages containing data in transit, for example contact forms
- the TLS/SSL encryption level of the secure connection must be TLS 1.1 or higher.
Further recommended best good practice safeguards include:
- couple the use of TLS with a secure management of the relevant cryptographic keys
- oblige the web client to use HTTPS through HTTP Strict Transport Security
- mitigate the consequences of a compromise of cryptographic keys through Forward Secrecy.