The following settings should all be considered when configuring AspDotNetStorefront to be secure:

Login/logout

ForceSignoutOnOrderCompletion
SecurityCodeRequiredOnStoreLogin
SessionTimeoutLandingPage
SessionTimeoutWarning.Enabled 

HTTPS/SSL

AlwaysUseHTTPS
GoNonSecureAgain
HstsHeader
UseSSL

Fraud Prevention

Captcha.AllowedCharactersRegex
Captcha.CaseSensitive
Captcha.MaxAsciiValue
Captcha.NumberOfCharacters
ContactUs.UseCaptcha
IPAddress.MaxFailedTransactions
IPAddress.RefuseRestrictedIPsFromSite
SecurityCodeRequiredOnCreateAccount
StoreCCInDB
Web.Config.EncryptionProvider
AddressCCSaltField
EncryptIterations
HashAlgorithm
KeySize
NextKeyChange
OrdersCCSaltField 

Technical 

ContentSecurityPolicy.Content-Security-Policy
ContentSecurityPolicy.Enabled
ContentSecurityPolicy.X-Content-Security-Policy
ContentSecurityPolicy.X-Frame-Options

​