Only standard and mature cryptographic algorithms, operation modes, key lengths, ciphers, and implementations MUST be used.
Transmission of sensitive data SHOULD generally only be possible via TLS/HTTPS.
In cases where access requires HTTPS, requests via HTTP MUST be redirected to HTTPS. This SHOULD be implemented with a permanent redirection (HTTP 301).
HTTPS servers MUST only support current secure ciphers and protocols. Insecure ones (e.g. the SSLv2 protocol and the RC4 cipher) MUST be deactivated.
Confidential data MUST only be sent within the HTTP Request Body (e.g. via HTTP POST) but not within URLs (exception: object IDs).
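As an added example (not part of this standard), the following Python module shows one way to implement the three transport rules above: a plain-HTTP listener that answers every request with a permanent (301) redirect to the HTTPS origin, a server-side TLS context restricted to TLS 1.2 and later with forward-secret AEAD ciphers plus an audit helper that lists any enabled cipher the policy forbids, and a check that flags confidential values travelling in a query string rather than in the request body. The cipher string, the weak-cipher markers and the parameter names in SENSITIVE_PARAMS are assumptions chosen for illustration, and deriving the HTTPS origin from the Host header is an assumption about the deployment.

```python
"""Transport rules for an HTTPS endpoint: 301 redirect from HTTP, a TLS context
limited to current protocols and ciphers, and a check that confidential data
is not travelling in the URL (example code, not part of the standard)."""
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


def redirect_target(host, path):
    """HTTPS URL an HTTP request for host/path is redirected to.
    Assumption: the canonical HTTPS origin shares the hostname of the Host header."""
    hostname = host.split(":", 1)[0]          # drop any ":80" suffix
    return "https://%s%s" % (hostname, path)


class RedirectToHttps(BaseHTTPRequestHandler):
    """Plain-HTTP listener that only ever answers with a permanent redirect."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location",
                         redirect_target(self.headers.get("Host", "localhost"), self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_HEAD = do_GET


def hardened_server_context():
    """Server-side TLS context: TLS 1.2+ only, forward-secret AEAD ciphers only.
    The cipher string is an assumption; adjust it to the organisation's baseline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


# Substrings of OpenSSL cipher names that the policy treats as insecure (assumption).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def weak_ciphers(ctx):
    """Names of enabled ciphers the policy forbids; an empty list means compliant."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if any(marker in c["name"] for marker in WEAK_MARKERS))


# Query-string keys that indicate confidential data (assumption: extend per application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret", "api_key",
                    "apikey", "session", "ssn", "iban", "credit_card"}


def confidential_params_in_url(url):
    """Query keys carrying data that belongs in the request body; object IDs are allowed."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(key for key in query if key.lower() in SENSITIVE_PARAMS)


if __name__ == "__main__":
    # Serve the redirect on loopback; the HTTPS listener itself is out of scope here.
    HTTPServer(("127.0.0.1", 8080), RedirectToHttps).serve_forever()
```

A 301 permits clients to turn a retried POST into a GET, so the redirect is only a safety net: the HTTPS endpoint is where confidential submissions must arrive, and the URL check above is meant to run in code review or a pre-deployment test over the application's own request logs.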
Transmission on untrusted channels (e.g. the Internet) MUST
Encryption at Rest
Confidential data MUST be encrypted before being stored on the client side or in external cloud environments.
User passwords MUST be persisted with suitable methods (see section 8.6 User Passwords).
External HTTPS connections MUST use valid X.509 certificates issued by a trusted certificate authority (CA).
X.509 certificates MUST use RSA keys with >= 2048 bit or ECC keys with >= 256 bit.
External customer applications (UIs) SHOULD use EV certificates.
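As an added example (not part of this standard), the following Python module checks a certificate's public key against the key-size rule above using only the standard library: it walks the DER structure to the SubjectPublicKeyInfo, reads the RSA modulus size or the named curve, and compares the result with the RSA >= 2048 bit / ECC >= 256 bit thresholds. The sample keys and the sample certificate shell are constructed with a minimal DER encoder included in the block; they are placeholders, not real keys or signed certificates, and the curve table is an assumption covering the NIST curves CAs commonly issue.

```python
"""Check an X.509 SubjectPublicKeyInfo against the key-size rule (RSA >= 2048 bit,
ECC >= 256 bit) with the standard library only. The DER encoder at the bottom
exists solely to construct sample inputs (example code, not part of the standard)."""
RSA_OID = "1.2.840.113549.1.1.1"
EC_OID = "1.2.840.10045.2.1"
CURVE_BITS = {"1.2.840.10045.3.1.7": 256,   # prime256v1 (P-256)
              "1.3.132.0.34": 384,           # secp384r1 (P-384)
              "1.3.132.0.35": 521}           # secp521r1 (P-521)


def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def public_key_info(spki_der):
    """Return (algorithm, key bits) for a DER-encoded SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(spki_der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    _, alg_id, pos = _read_tlv(spki, 0)                  # AlgorithmIdentifier SEQUENCE
    _, oid_bytes, params_pos = _read_tlv(alg_id, 0)      # algorithm OID
    _, bit_string, _ = _read_tlv(spki, pos)              # subjectPublicKey BIT STRING
    key = bit_string[1:]                                 # skip the unused-bits octet
    oid = _decode_oid(oid_bytes)
    if oid == RSA_OID:
        _, rsa_key, _ = _read_tlv(key, 0)                # RSAPublicKey SEQUENCE
        _, modulus, _ = _read_tlv(rsa_key, 0)            # INTEGER n
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if oid == EC_OID:
        _, curve, _ = _read_tlv(alg_id, params_pos)      # namedCurve OID parameter
        return "EC", CURVE_BITS[_decode_oid(curve)]
    raise ValueError("unsupported public key algorithm " + oid)


def spki_from_certificate(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from a DER certificate (use
    ssl.PEM_cert_to_DER_cert on a PEM file first)."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)                       # TBSCertificate
    pos = 0
    if tbs[0] == 0xA0:                                   # optional [0] version
        _, _, pos = _read_tlv(tbs, 0)
    for _ in range(5):                                   # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]


def meets_policy(algorithm, bits):
    """The rule from the standard: RSA >= 2048 bit, ECC >= 256 bit."""
    return (algorithm == "RSA" and bits >= 2048) or (algorithm == "EC" and bits >= 256)


# --- minimal DER encoder, used only to construct the sample inputs below ---
def _tlv(tag, value):
    if len(value) < 128:
        length = bytes([len(value)])
    else:
        raw = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def _integer(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def sample_rsa_spki(bits):
    """Constructed sample: a modulus of the requested size (placeholder, not a real key)."""
    rsa_key = _tlv(0x30, _integer((1 << (bits - 1)) | 1) + _integer(65537))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(RSA_OID)) + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))


def sample_ec_spki(curve_oid):
    """Constructed sample: an uncompressed-point placeholder on the named curve."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(EC_OID)) + _tlv(0x06, _encode_oid(curve_oid)))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))


def sample_certificate(spki):
    """Constructed certificate shell around spki (empty name/validity fields, no signature)."""
    empty_seq = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(1) + empty_seq * 4 + spki)
    return _tlv(0x30, tbs + empty_seq + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for spki in (sample_rsa_spki(2048), sample_rsa_spki(1024), sample_ec_spki("1.2.840.10045.3.1.7")):
        alg, bits = public_key_info(spki)
        print(alg, bits, "OK" if meets_policy(alg, bits) else "VIOLATION")
```

The parser only reads the fields it needs and does no signature or chain validation; the trust-anchor rule above is enforced by the TLS library at connection time, while this check is meant for a certificate inventory or a pre-issuance review of CSR key sizes.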