Page Comparison

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on sub-resources.
Note that incorrect TLS certificate verification is a common mistake. For more information, see The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software by Martin Georgiev et al. and Do you trust this application? by Michael Catanzaro.

Note: One aspect of this is that, if something is missing that prevents the TLS from working, the software must NOT fall back to insecure mode but must instead prevent communication. If an insecure mode is allowed, it MUST be explicitly configured.

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replace them without code recompilation.