- Default to secure cookies (in case var is not defined in config.php)
- Enable content security policy
- Return HTTP 401 response code for invalid username/password combinations