Page Comparison

...

1. Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
2. Don't Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don't have can't don’t have can’t be stolen.
3. Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using FIPS 140 validated cryptographic modules.
4. Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.
5. Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
6. Cryptography Storage Cheat Sheet

6.2 Providing Cryptographic Functionality

...

1.  Introduction
   1. Architectural Decision
2. Transport Layer Protection Cheat Sheet Providing Transport Layer Protection with SSL/TLS
   1. Benefits
   2. Basic Requirements
   3. SSL vs. TLS
   4. When to Use a FIPS 140-2 Validated Cryptomodule
   5. Secure Server Design
      1. 2.5.1 Rule - Use TLS for All Login Pages and All Authenticated Pages
      2. Use TLS on Any Networks (External and Internal) Transmitting Sensitive Data
      3. Do Not Provide Non-TLS Pages for Secure Content
      4. Do Not Mix TLS and Non-TLS Content
      5. Use "Secure" Cookie Flag
      6. Keep Sensitive Data Out of the URL
      7. Prevent Caching of Sensitive Data
      8. Use HTTP Strict Transport Security
      9. Use Public Key Pinning
   6. Server Certificate
      1. Use Strong Keys & Protect Them
      2. Use a Certificate That Supports Required Domain Names
      3. Use Fully Qualified Names in Certificates
      4. Do Not Use Wildcard Certificates
      5. Do Not Use RFC 1918 Addresses in Certificates
      6. Use an Appropriate Certification Authority for the Application's User Base
      7. Always Provide All Needed Certificates
      8.  Be aware of and have a plan for the SHA-1 deprecation plan
   7. Server Protocol and Cipher Configuration
      1. Only Support Strong Protocols
      2. Prefer Ephemeral Key Exchanges
      3. Only Support Strong Cryptographic Ciphers
      4. Support TLS-PSK and TLS-SRP for Mutual Authentication
      5. Only Support Secure Renegotiations
      6. Disable Compression
   8. Test your overall TLS/SSL setup and your Certificate
   9. Client (Browser) Configuration
   10. Additional Controls
       1. Extended Validation Certificates
       2. Client-Side Certificates
       3. Certificate and Public Key Pinning
       4. Secure Internal Network Fallacy
3. Providing Transport Layer Protection for Back End and Other Connections
   1. Transport Layer Protection Cheat Sheet
   2. Protocol and Cipher Configuration for Back End and Other Connections
4. Tools

Learn More:

• OWASP Cryptographic Storage Cheat Sheet 
• OWASP Password Storage Cheat Sheet 
• OWASP Transport Layer Protection Cheat Sheet 
• OWASP Testing Guide: Chapter on SSL/TLS Testing 
• CWE Entry 310 on Cryptographic Issues 
• CWE Entry 312 onCleartextStorage of Sensitive Information
• CWE Entry 319 onCleartextTransmission of Sensitive Information
• CWE Entry 326 on Weak Encryption