
What are the best ways to prevent your website from being Phished?

Tags: phishing

What are the best ways to prevent your website from being Phished? Please cite some technical suggestions and references if possible.

Thank you!

Martin Ongtangco asked May 17 '10 01:05


2 Answers

Websites aren't phished -- users are. The most you can do is get an SSL certificate and, on your login screen, make a huge deal about golden padlocks and domain names (thanks codeka) and such.

zildjohn01 answered Oct 05 '22 06:10


Not sure if this is what you mean, but sometimes websites can be "hijacked" using CSRF or XSS attacks.

XSS can particularly happen when you allow users to enter arbitrary text and don't ensure they're not entering arbitrary HTML code.

CSRF can happen if you don't ensure a link someone clicks in their browser originated from your website (they can authenticate on your website, get a cookie indicating they're authenticated, open a new tab, and be tricked into clicking a link on another website in the other tab that points to your website and causes some action to happen there).

Those links discuss mitigation strategies.

Eric J. answered Oct 05 '22 07:10
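
The two server-side checks the answer above describes, as an added example that is not part of the original answer: user text is HTML-encoded before it is rendered, and a state-changing request is accepted only if it carries a token the site issued for that session. The function names, `SERVER_KEY` and the token format are assumptions made for illustration, not any framework's API.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: a server-side secret; generated per process here for the demo.
SERVER_KEY = secrets.token_bytes(32)
NONCE_LEN = 32  # hex characters


def render_comment(user_text):
    """XSS defence: encode user text so the browser shows it as text, not markup."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


def _mac(session_id, nonce):
    # Fixed-length nonce goes first, so the nonce/session boundary is unambiguous.
    return hmac.new(SERVER_KEY, (nonce + session_id).encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """CSRF defence: token bound to one session, embedded only in forms this site serves."""
    nonce = secrets.token_hex(NONCE_LEN // 2)
    return nonce + "." + _mac(session_id, nonce)


def verify_csrf_token(session_id, token):
    """True only for a token this server issued for this session."""
    if not token or token.count(".") != 1:
        return False
    nonce, sent_mac = token.split(".")
    if len(nonce) != NONCE_LEN:
        return False
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(_mac(session_id, nonce).encode(), sent_mac.encode())


def handle_post(session_id, form):
    """Hypothetical handler: the session cookie says who the user is, the token
    says the request came from a page this site rendered for that user."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 rejected"
    return "200 " + render_comment(form.get("comment", ""))


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")  # constructed session id
    print(handle_post("sess-A", {"comment": "posted from another tab"}))
    print(handle_post("sess-A", {"csrf_token": token, "comment": "<b>hi</b>"}))
```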