© 2008 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.

Web design security concerns

Security Concerns for Web Site Developers

Simple web pages:
If your site consists entirely of .html files, then your security concerns are very basic:

  1. Is the server you are running on secure?
  2. Are the permissions on your files correct?

Pages which accept information from the user:
You may think you control all possible responses from the user on a form by using pull-downs and buttons, but remember that by examining the source of your web page, anyone with the ability to view the pages and submit the form can also call the program directly, providing any data they wish. The programs that accept data from users need to be written to accept, and correctly deal with, unexpected and intentionally malicious data provided by the user.
You also need to restrict access to information, such as database passwords, that may be required to get access to your data. All of this is the focus of good programming practice. No single web page will make you a good programmer, but here are a few references to use while you are gaining experience.

  1. CGI programming references
  2. PHP/MySQL security information
  3. ASP notes
  4. Cold Fusion notes
  5. Active Perl notes
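
As an added example (not code from the original page), the following Python CGI-style handler re-checks a form submission on the server against the same choices the pull-down offered, which is the point made above: the client can send anything, so the program must enforce the rules itself. The field names, the allowed values and the length limit are assumptions chosen for the illustration.

```python
"""Server-side validation for a form whose pull-down offers a fixed set of choices."""
from urllib.parse import parse_qs

# The choices the HTML pull-down offers (assumed for this example). The server must
# enforce this list itself, because a client can submit any value for the field.
ALLOWED_FORMATS = frozenset({"html", "pdf", "text"})
MAX_COMMENT_LEN = 500
EXPECTED_FIELDS = {"format", "comment"}


class InvalidSubmission(ValueError):
    """Raised when a submission does not match what the form allows."""


def validate_submission(query_string: str) -> dict:
    """Parse a URL-encoded form body and return only the validated fields.

    Anything the form did not offer (unknown field, repeated field, value outside
    the pull-down, oversized or control-character text) is rejected up front
    rather than passed on to the rest of the program.
    """
    fields = parse_qs(query_string, keep_blank_values=True)
    unknown = set(fields) - EXPECTED_FIELDS
    if unknown:
        raise InvalidSubmission(f"unexpected field(s): {sorted(unknown)}")
    missing = EXPECTED_FIELDS - set(fields)
    if missing:
        raise InvalidSubmission(f"missing field(s): {sorted(missing)}")
    for name, values in fields.items():
        if len(values) != 1:
            raise InvalidSubmission(f"field {name!r} supplied {len(values)} times")

    fmt = fields["format"][0]
    if fmt not in ALLOWED_FORMATS:
        raise InvalidSubmission(f"format {fmt!r} is not one of the pull-down choices")

    comment = fields["comment"][0]
    if len(comment) > MAX_COMMENT_LEN:
        raise InvalidSubmission("comment exceeds maximum length")
    if any(ch in comment for ch in "\x00\r\n"):
        raise InvalidSubmission("comment contains control characters")

    return {"format": fmt, "comment": comment}


def check(query_string: str):
    """Return (accepted, detail) so a handler can log a rejection instead of raising."""
    try:
        return True, validate_submission(query_string)
    except InvalidSubmission as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample submissions: one normal, two that bypass the pull-down.
    for qs in ("format=pdf&comment=hello", "format=raw&comment=x",
               "format=html&comment=" + "a" * 600):
        print(check(qs))
```

A real CGI program would read the body from standard input (or QUERY_STRING) and pass it to check(); logging the rejection reason gives the server administrator a record of submissions that did not come from the form.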

Pages which deal with confidential information, patient records, student records or financial records:
While the web servers provided and maintained by ITC are adequately secured for most uses, the general-purpose servers (e.g.: www.people.virginia.edu, web.virginia.edu, scs.student.virginia.edu, www.virginia.edu) may not be appropriate for information and services requiring special security handling. Users contemplating such applications should consult with appropriate security experts for their application area before beginning such projects. Appropriate security needs to be designed in from the start, including appropriate server selection.