Does the design address potential cross-site scripting issues?
Does the design partition the application or Web site into public and restricted areas using separate folders?
Does the design identify all identities that are used by the application and the resources accessed by each identity?
Are administration interfaces secured (strong authentication and authorization are used)?