I am a web developer, but I have only a rudimentary grasp of security, e.g., be careful to sanitize inputs, store as little user data as possible, encrypt passwords, keep up with security issues of libraries and packages, etc.
Today, I was approached by a client who does financial planning about replacing a spreadsheet he gives clients with a web-based form. The spreadsheet asks users to input certain financial data – e.g., current value of various investment accounts, business interests, etc. These numbers are put into a formula and a value is generated which is supposed to help the user decide whether the consulting could be useful to them.
The phone call was very short, and my questions focused on more mundane matters about user experience, desired UI elements, etc. No commitments have been made, and I’m analyzing the project to see if it’s something I can do. I began to think about potential security issues, and I realized I really don’t know where to start. So far it seems that client wants the form to be accessed via a magic link, and that the user would not enter any personally identifying information. I do not know yet whether my potential client wants to store the value generated, a simple dollar amount which is the ‘benefit’ the user could get by using the service. The impression I got is that my potential client simply wants to use this value as a motivator for clients to inquire further about his services.
My question is this: In this scenario, what security-related matters should I consider?