Do test all web input, including forms, with malicious input.
Do understand the strengths and weaknesses of your approach if you're not using cryptographic primitives to solve some of these issues.
Do not embed confidential data in any HTTP or HTML construct, such as the URL, cookie, or form, unless the channel is secured using an encryption technology such as SSL, TLS, or IPSec, or the application applies its own cryptographic defenses.
Do not trust any data, confidential or not, in a web form, because malicious users can easily change the data to any value they like, regardless of whether SSL is used.
Do not think the application is safe just because you plan to use cryptography; attackers will attack the system in other ways. For example, attackers won't attempt to guess cryptographically random numbers; they'll try to view them.
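An added example, not code from the original page, showing one application-level defense for the "do not trust web form data" item above: the server binds each hidden field to an HMAC tag under a server-held key and rejects any submitted value whose tag no longer verifies, so editing the field in the browser gains nothing whether or not TLS carried it. The key, field names and form strings are constructed for the demo; a value the server can look up itself (a price by product id) is better kept off the form entirely.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Constructed demo key; in a real service this comes from a secret store,
# never from anything the client can see.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sign_field(name: str, value: str) -> str:
    """HMAC tag binding a form field's value to its name under SERVER_KEY."""
    msg = f"{name}={value}".encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def read_signed_field(form: dict, name: str) -> Optional[str]:
    """Return the field's value only if its <name>_sig tag verifies; else None."""
    value = form.get(name, [None])[0]
    tag = form.get(name + "_sig", [None])[0]
    if value is None or tag is None:
        return None
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(sign_field(name, value), tag):
        return None
    return value


def render_hidden_field(name: str, value: str) -> str:
    """Server-side emission of a hidden field plus its tag (constructed HTML)."""
    tag = sign_field(name, value)
    return (f'<input type="hidden" name="{name}" value="{value}">'
            f'<input type="hidden" name="{name}_sig" value="{tag}">')


def handle_checkout(query: str) -> dict:
    """Server-side handling of a submitted checkout form body (constructed)."""
    form = parse_qs(query, keep_blank_values=True)
    price = read_signed_field(form, "price")
    if price is None:
        # Missing or tampered field: refuse rather than trust what was posted.
        return {"ok": False, "error": "price field rejected"}
    return {"ok": True, "price": price}


if __name__ == "__main__":
    good = "price=19.99&price_sig=" + sign_field("price", "19.99")
    tampered = "price=0.01&price_sig=" + sign_field("price", "19.99")
    print(handle_checkout(good))      # accepted
    print(handle_checkout(tampered))  # rejected
```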