  • Enforce a complex password policy and use anti-automation controls to prevent credential stuffing attacks.

  • Strong authentication mechanisms such as 2FA / MFA are recommended.

  • Perform input validation on both the client and server side of your application.

  • Use role-based authorization with least privilege as the default.
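The following is an added example, not code from the original checklist, showing minimal server-side building blocks for these recommendations: a password-policy check, a sliding-window failed-login throttle as the anti-automation control, allow-list input validation enforced on the server regardless of what the client did, PBKDF2 password storage with constant-time comparison, and a deny-by-default role map where new accounts start with the least-privileged role. MFA enrollment is not shown. Every name, threshold, role and sample value is a constructed assumption for illustration.

```python
"""Added example (not part of the original checklist): server-side building
blocks for the recommendations above. Every name, threshold and sample value
is a constructed assumption for illustration, not any project's real API."""
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict, deque

# 1. Password policy: returns the rules a candidate password fails.
MIN_LENGTH = 12  # assumed minimum length

def password_policy_violations(password: str) -> list:
    rules = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", password), "an uppercase letter" and "a lowercase letter"),
        (re.search(r"[A-Z]", password), "an uppercase letter"),
        (re.search(r"[0-9]", password), "a digit"),
        (re.search(r"[^A-Za-z0-9]", password), "a symbol"),
    ]
    return [desc for ok, desc in rules if not ok]

# 1b. Anti-automation: sliding-window failed-login counter per account,
# which blunts credential stuffing no matter which source IP is used.
class LoginThrottle:
    def __init__(self, limit=5, window=300.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _recent(self, account):
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, account) -> bool:
        return len(self._recent(account)) < self.limit

    def record_failure(self, account) -> None:
        self._recent(account).append(self.clock())

    def record_success(self, account) -> None:
        self._failures.pop(account, None)

# 2. Server-side input validation: an allow-list pattern, enforced here even
# if the browser already validated the field (client checks can be bypassed).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

def validate_username(raw) -> str:
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw

# Password storage (PBKDF2-HMAC-SHA256, constant-time compare) used by login().
ITERATIONS = 200_000

def hash_password(password: str, salt=None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)

_DUMMY_HASH = hash_password("unused")  # verified for unknown users so timing is uniform

def login(throttle, users, username_raw, password) -> str:
    """Returns 'ok', 'denied' or 'throttled'; raises ValueError on malformed input."""
    username = validate_username(username_raw)
    if not throttle.allowed(username):
        return "throttled"
    stored = users.get(username, _DUMMY_HASH)
    ok = verify_password(stored, password) and username in users
    if not ok:
        throttle.record_failure(username)
        return "denied"
    throttle.record_success(username)
    return "ok"

# 3. Role-based authorization, deny by default: an unknown role or an
# unlisted permission grants nothing, and new accounts start as "viewer".
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}
DEFAULT_ROLES = ("viewer",)

def is_authorized(roles, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in roles)
```

The throttle is keyed by account rather than by source address because a credential-stuffing campaign typically spreads attempts across many addresses; a per-IP counter is a useful complement, not a replacement. The login routine hashes against a dummy record for unknown usernames so that a wrong password and an unknown account take the same time, and `is_authorized` returns false for anything not explicitly listed in the role map.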