This has been answered elsewhere. The answer was https!
Not all woes are solved by https for making a site secure.
Development guide for secure web apps:
https://github.com/OWASP/DevGuide
Infrastructure scanning:
https://www.qualys.com
- Consider where you're hosted, look for a hosting provider that has met NIST, PCI, FINRA, HIPAA or other certifications. No one should be able to call them and social engineer access.
- Review security on your domain. Make sure no one can transfer your domain or call them up and social engineer a transfer or DNS controls.
- Your database should be encrypted in transit (when you're accessing it) and at rest (when it's offline).
- Enforce strong passwords and multifactor authentication for access, especially for administrative functions.
- Use logging for access for your systems and for your application (adds/moves/changes).
- If you use encryption algorithms in your application, avoid SHA1, DES, and MD5. Use key lengths greater than 1024 bits.
- Don't store private keys on the same system or in code. You should make them non-exportable.
Look for other resources to help you develop a secure system and application.
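As an added illustration of the "avoid SHA1, DES, and MD5" point above (example code written for this page, not taken from the answer or from OWASP): the block below stores passwords with salted PBKDF2-HMAC-SHA256 from the Python standard library, verifies them with a constant-time comparison, and includes a small audit helper that flags stored records which look like unsalted MD5 or SHA-1 digests. The record format `pbkdf2_sha256$iterations$salt$hash`, the 600,000-iteration default and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Stored-record format assumed for this example: algo$iterations$salt_hex$hash_hex
ALGO_TAG = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed default; raise it as hardware gets faster
MIN_ITERATIONS = 100_000       # audit threshold assumed for this example

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO_TAG:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many bytes matched via timing
    return hmac.compare_digest(dk.hex(), hash_hex)

def weak_password_hash(password: str) -> str:
    """What the answer warns against: an unsalted MD5 digest (kept only as a sample input)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

_HEX = re.compile(r"^[0-9a-f]+$")

def audit_hash_record(stored: str) -> list:
    """Return a list of findings for one stored password record (empty means it passes)."""
    findings = []
    if _HEX.match(stored) and len(stored) == 32:
        findings.append("looks like an unsalted MD5 digest")
    elif _HEX.match(stored) and len(stored) == 40:
        findings.append("looks like an unsalted SHA-1 digest")
    elif stored.startswith(ALGO_TAG + "$"):
        parts = stored.split("$")
        if len(parts) != 4:
            findings.append("malformed pbkdf2 record")
        elif int(parts[1]) < MIN_ITERATIONS:
            findings.append(f"iteration count {parts[1]} below {MIN_ITERATIONS}")
    else:
        findings.append("unrecognised hash format")
    return findings

def audit_records(records: dict) -> dict:
    """Audit a {username: stored_hash} mapping; only users with findings are returned."""
    return {user: f for user, rec in records.items() if (f := audit_hash_record(rec))}

if __name__ == "__main__":
    # Constructed sample table: one legacy MD5 record, one sound record.
    sample = {
        "legacy_user": weak_password_hash("hunter2"),
        "new_user": hash_password("correct horse battery staple"),
    }
    for user, findings in audit_records(sample).items():
        print(user, "->", "; ".join(findings))
    print("new_user verifies:", verify_password("correct horse battery staple", sample["new_user"]))
```

Run it as a script to see the legacy record flagged while the PBKDF2 record verifies; `audit_records` is the piece you would point at an exported user table when checking existing systems against the advice above.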