Implementing Web Development Site Security


Introduction

Below are some best practices for implementing web development site security.

Instructions

  1. Review the following standards:
  2. Use Virginia Tech Private VLANs for web sites and databases when possible. This is strongly encouraged for areas that expect no off-campus web clients to connect to the service.
    1. Have your Network Liaison contact Network Infrastructure & Services (NI&S) to have this set up.
    2. Continue to monitor and secure the host as if it were connected to the public Internet.
  3. TLS
    1. Use only TLS 1.2 or higher (currently TLS 1.3 is preferred).
    2. Disable older versions of TLS and all versions of SSL.
    3. Disable weak ciphers and weak cryptographic hashing algorithms (for example, the RC4 cipher).
    4. Use Qualys SSL Labs and Mozilla Observatory to measure the website's TLS configuration.
    5. See Microsoft's link for Managing SSL/TLS Protocols and Cipher Suites for AD FS.
  4. The Information Technology Security Office (ITSO) encourages all Virginia Tech web developers to purchase a copy of Burp Suite Professional and to use it while developing websites and to test vendor-provided websites for common defects. Burp Suite Pro is approved for use at Virginia Tech and may be purchased by departments for $399.00 per seat per year. Information about purchasing is available on the Cobblestone site.
  5. Use appropriate HTML meta-tags and HTTP server response headers to mitigate the risk of sensitive data exposure. If your web application displays sensitive data to authenticated and authorized Virginia Tech affiliates, disallow caching by setting these HTTP headers:

    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache

    And use this HTML meta-tag in each HTML page rendered:

    <meta name="robots" content="noindex, nofollow, noarchive, nocache, noimageindex, nosnippet">

  6. If your website handles or processes high-risk data, use a restrictive 'robots.txt' file with this content (two lines):

    User-agent: *
    Disallow: /

  7. Create and use a restrictive Content Security Policy (CSP) appropriate for your website. Learn more at the following links:
  8. Create an appropriate 'security.txt' file for your website. Learn more at the following links:
  9. Inventory any “in-house” developed web applications in Isora GRC and complete a security assessment.
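The no-cache headers from item 5 above, applied as a WSGI middleware, together with a checker that flags responses that lack them. This is an added example, not code from the original page or from Virginia Tech; the application it wraps and the request it sends are constructed for illustration.

```python
"""Apply and verify the no-cache response headers recommended above (added example)."""
from __future__ import annotations
from typing import Iterable
from wsgiref.util import setup_testing_defaults

# Header values taken from the guidance above.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
}
REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}


def no_cache_middleware(app):
    """Wrap a WSGI app so every response carries the no-cache headers.
    Any Cache-Control or Pragma header the app set itself is replaced, so a
    stray 'max-age' cannot re-enable caching of sensitive pages."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers
                    if k.lower() not in ("cache-control", "pragma")]
            kept.extend(NO_CACHE_HEADERS.items())
            return start_response(status, kept, exc_info)
        return app(environ, patched_start)
    return wrapped


def check_no_cache(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Return findings for a response's headers (names compared case-insensitively).
    An empty list means the guidance above is satisfied."""
    found = {k.lower(): v for k, v in headers}
    findings = []
    directives = {d.strip().lower() for d in found.get("cache-control", "").split(",") if d.strip()}
    missing = REQUIRED_CACHE_DIRECTIVES - directives
    if missing:
        findings.append("Cache-Control missing: " + ", ".join(sorted(missing)))
    if found.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma header is not 'no-cache'")
    return findings


def sample_app(environ, start_response):
    """Constructed app that wrongly allows caching; used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/html"), ("Cache-Control", "max-age=3600")])
    return [b"<html><body>sensitive</body></html>"]


def response_headers(app) -> list[tuple[str, str]]:
    """Invoke a WSGI app once with a test environ and return its response headers."""
    environ: dict = {}
    setup_testing_defaults(environ)
    captured: list[tuple[str, str]] = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app(environ, start_response))  # drain the body iterator
    return captured
```

Running `check_no_cache(response_headers(sample_app))` reports the missing directives, while the wrapped app passes with no findings.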

Search words: web developer, webdev, tls, ssl, robots, content security policy, isora, risk