I invite people to put in their suggestions and comments for the same.
#1. Does the UI disclose information that might compromise the security of the system?
- Don’t provide information in error messages that might compromise the security of the system.
- Don’t reveal data store locations and URL’s when they are not necessary
- Mask sensitive information such as SQL Server name, User ID, Password
- Don’t return errors with cross-site scripts
- Don’t allow links to open executables
- Don’t provide error information with clickable links. Convert links to plain text to encourage these to be scrutinized prior to being launched
- Ensure that logs are correctly stripped of sensitive information