Secure Website Development


Website security requires attentiveness in all aspects of website design and usage.

Web Standards and Best Practices

Iowa State University units are responsible for creating standards-compliant websites and applications. To comply with web standards, websites and applications must have:

  • Valid HTML, CSS, and JavaScript
  • Compliance with accessibility standards
  • Valid RSS, metadata, XML, SVG, device APIs, and object and script embedding*
  • Proper settings for character encoding*
  • Web pages should also be optimized for size and download speed.

* required for full compliance

Risk Assessment

All development should take place in a secure environment in compliance with Iowa State IT policy and industry best practices. Development will require a thorough security component during its design phase, in development and implementation, and into maintenance. If an application is determined to pose a risk to mission-critical data, e-mail the IT Security team during the planning phase.

Browser and Session Management

  • Use strong cipher suites (TLS 1.2 or higher is required)
    Note: Encryption adds overhead, so use it where needed
  • Use themes provided by WebDev
  • Follow Title II of ADA compliance - contact Iowa State Digital Access and Accessibility for details
  • Encrypt sessions and randomly assign session IDs
    Use long token keyspaces (12 digits or longer preferred) and regenerate session IDs frequently
  • The content of the cookie must not contain, or be usable to obtain, sensitive information
    Users must be aware of cookie usage and be able to delete cookies
  • On log out, the session ID should be overwritten
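The session-handling rules above (random IDs from a large keyspace, regeneration, and overwriting the ID on logout), as an added example that is not part of the original page: a constructed in-memory session store using Python's `secrets` module, with cookie headers that carry only an opaque ID. The store, TTL and cookie name are assumptions for illustration, not an Iowa State implementation.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # assumed idle timeout; expired sessions are dropped
TOKEN_BYTES = 32                # 256 bits of entropy, far larger than a 12-digit keyspace


class SessionStore:
    """Constructed example store: session_id -> {"user": ..., "issued": ...}."""

    def __init__(self, now=time.time):
        self._now = now             # injectable clock so expiry can be tested
        self._sessions = {}

    def _new_id(self):
        # CSPRNG-backed, URL-safe token; never derived from the user ID or the time
        return secrets.token_urlsafe(TOKEN_BYTES)

    def create(self, user_id):
        """Issue a fresh session ID after successful authentication."""
        sid = self._new_id()
        self._sessions[sid] = {"user": user_id, "issued": self._now()}
        return sid

    def regenerate(self, sid):
        """Rotate the ID (periodically or on privilege change); the old ID stops working."""
        record = self._sessions.pop(sid, None)
        if record is None:
            return None
        new_sid = self._new_id()
        record["issued"] = self._now()
        self._sessions[new_sid] = record
        return new_sid

    def lookup(self, sid):
        """Return the user for a valid, unexpired session, otherwise None."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._now() - record["issued"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]     # expired: remove it server-side
            return None
        return record["user"]

    def logout(self, sid):
        """Invalidate server-side; pair with clear_cookie_header() on the response."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid, max_age=SESSION_TTL_SECONDS):
    """Set-Cookie value holding only the opaque ID, with Secure/HttpOnly/SameSite set."""
    return f"sid={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clear_cookie_header():
    """On logout, overwrite the session cookie with an empty, already-expired value."""
    return "sid=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"
```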

Authentication

  • Implement password rules and policy, including expiry time and a recovery procedure, for all passwords per the Iowa State password policy
  • Passwords and user IDs must be received, displayed, transmitted and stored in a secure manner
  • Encrypt the entire login exchange using SSL/TLS
  • Forms-based authentication should not be cached: use POST requests and "NO-CACHE" tags in the HTML page
  • To prevent a user ID and/or password from being guessed, failed logins should trigger a lock-out after a determined number of attempts
  • All authentication attempts should be logged: logins, logouts, failed logins and password change requests
  • Admins should be notified about lockouts

Authorization and Access Control Session Management

  • Follow the principle of least privilege
  • Prevent users from supplying file paths to gain access to system files
  • Ensure that users' activity is not cached when handling sensitive information
  • Penetration testing will be necessary to ensure that every access control has been tested and prevents unauthorized access
  • Provide penetration test results for critical websites (moderate or higher level classified data) to the Iowa State IT Security team for review

Data and Input Validation

  • Validate input, headers, cookies, strings and forms by sanitizing them to what the application and database expect, not merely to what can be accepted
  • Prevent Cross-Site Scripting (XSS) and command injection flaws
  • Penetration test validation is required for critical websites (moderate or higher level classified data)
  • Report test results to the Iowa State IT Security team
  • Convert special characters in input to HTML entities
  • Add quotes to all user input
  • Invalidate or time out the session when unacceptable data is received
  • Prevent buffer overflows by restricting all data input fields to reasonable field lengths and specific data types
  • Error handling should be tested
    No system information should be exposed; only the information the user needs should be displayed, for a better user experience

Logging

  • Log all authentication and authorization events, including administrative activity
  • Encrypt logs that contain sensitive information

Remote Administration

  • Prefer VPN-only remote login
  • Use IP filtering or other industry best practices to restrict unauthorized logins

Web Application and Server Configuration

  • Disable unwanted services, ports and accounts
  • Use recommended certificates, not self-signed ones
  • Disable debugging functions

Web Form Policy and Best Practices

This policy outlines the acceptable use of web-based forms managed by Iowa State.

  • Web forms that require personal information from a visitor must post a link to the Iowa State privacy policy
  • Web forms must be created and managed using the University's chosen software solution (current solution: Drupal)
  • Web forms may not collect sensitive data such as:
    • Personally identifiable information (PII) that does not comply with FERPA – contact the Office of the Registrar regarding FERPA compliance
    • Credit card information unless collected via approved University procedures for collecting such data
    • Social Security numbers, birthdates and other private information to reduce inappropriate use by a third party