– Use SSL certificates on all sites, including development environments. – Force HTTPS for all connections.