- Follow the UK Home Office security guidelines for developers
- Always use TLS 1.2 encryption to my service and to dependent services (even datastores)
- Use SSO for users and not hold users locally
- Have a way of providing auditable information on myself
- Have authentication / authorization for dependent services where data needs to be protected