Web Application Development and Security
This Practice Directive defines requirements for Web application development and security for all SF State Web applications deployed on or off-campus.
Purpose and Scope
This Practice Directive defines requirements for Web application development and security for all San Francisco State Web applications deployed on or off-campus. This applies to any Web-based technology purchased, obtained at no cost or developed in-house.
It is the responsibility of unit managers to follow Web application development and security standard policies. This Practice Directive focuses on Web application development standards and is intended to complement the patch management, server management and change management policies that must also be followed.
For the purpose of this Practice Directive, sensitive data is defined as information that is not intended to be public, including data classified by the California State University (CSU) as Levels 1 and 2.
- Valid Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates must be used for all sensitive information in transit between the client, server and other servers
- Production services that use TLS/SSL certificates must obtain them from a recognized Certificate Authority (CA)
- Applications using cryptography must use industry standard algorithms and implementations
Authentication and Authorization
- Shibboleth should be used to authenticate users from SF State and other InCommon Federation members
- If Shibboleth cannot be used to authenticate users from SF State, then SF State Active Directory (LDAP) must be used
- Web applications that process sensitive data must verify authorization for each request
- Web applications must validate all data for expected values
- Web applications must use server-side validation
- Web applications that use data from another source must take steps to ensure the external data is trustworthy
- Web forms and interactive elements must use a secure token to verify the user intentionally initiated the request
- Web applications must validate all data that is passed to interpreters, including Web browsers, database systems and command shells
- Web applications must only send data and code to the browser that the user is authorized to see or use
- Web applications must set the 'secure' flag for cookies that contain sensitive data to ensure they are only sent over secure connections
- Web applications must keep session times to the minimum duration necessary for operation
- Web applications must have server-based disconnects
- Web applications must use a secure session key/token to avoid sending 'hidden data' to the browser
Related Practice Directives
- Patch Management
- Change Control
- Server Security
- Application Development
- Administrative Account Access Control