Web Security Guidelines

Web Servers

Web servers hosted on the University of Memphis network must adhere to established system security guidelines and be maintained using system administration best practices, including keeping the operating system (OS) and server software patched and removing or disabling unnecessary services, applications, and ports. Only the web server modules and extensions the site actually requires should be enabled; every module that is loaded is additional code reachable by anonymous requests.

Directory listing should be turned off so that a request for a directory with no index file returns an error instead of an inventory of everything stored there. Automatic listings expose files that are never linked from the site (backup copies, configuration files, old versions of scripts), and search engines index them along with everything else. In Apache this means removing Indexes from the directory's Options (for example, Options -Indexes); in nginx, autoindex is off by default and should not be switched on.

Web server logs must be written to a directory outside the document root so they cannot be retrieved with a browser; access logs record client addresses, requested URLs (including query strings) and user agents, all of which help an attacker map the site. Log files should be reviewed regularly for signs of out-of-the-ordinary behavior, such as bursts of 404 responses from a single address, requests for files that do not belong on the site (.env, .git, backup or database dumps, administration consoles) or directory-traversal sequences in request paths.
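The following is an added example of the kind of log review described above; it is not code from the University of Memphis or ITS Web Services. It parses Apache/nginx "combined"-format access log lines, flags requests for paths that should never be served (including traversal sequences) and flags clients that pile up 404 responses. The sample log lines are constructed for illustration using RFC 5737 documentation addresses, and the probe patterns and the 404 threshold are assumptions a site administrator would tune for their own server.

```python
"""Review an Apache/nginx "combined" access log for out-of-the-ordinary requests.

Added example for this guideline, not code from the University of Memphis or
ITS Web Services. The log lines are constructed for illustration (RFC 5737
documentation addresses); the probe patterns and the 404 threshold are
assumptions that a site administrator would tune for their own server.
"""
import re
from collections import Counter

# Combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths nobody should request on this site; even a 404 for one of these means
# the client is probing for files that should never be web-accessible.
PROBE_RE = re.compile(
    r'(\.\./|%2e%2e|/\.git\b|/\.env\b|/\.ht|\.bak$|\.sql$|/wp-login\.php|/phpmyadmin)',
    re.IGNORECASE,
)
NOT_FOUND_THRESHOLD = 5  # 404s from one client before it is called a scanner (assumed)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "http://www.example.edu/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 -0500] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 -0500] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 -0500] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:03 -0500] "GET /backup.sql HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:57:10 -0500] "GET /download.php?file=../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.1.2"
"""


def parse_line(line):
    """Split one combined-format line into a dict; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_log(lines):
    """Return findings: ("probe", ip, path), ("scanner", ip, count) or ("unparsed", line)."""
    findings = []
    not_found = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Lines that do not parse deserve a look too: log injection or tampering.
            findings.append(("unparsed", line.strip()))
            continue
        if PROBE_RE.search(rec["path"]):
            findings.append(("probe", rec["ip"], rec["path"]))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, n in sorted(not_found.items()):
        if n >= NOT_FOUND_THRESHOLD:
            findings.append(("scanner", ip, n))
    return findings


def suspicious_ips(lines):
    """Distinct client addresses with at least one probe or scanner finding, sorted."""
    return sorted({f[1] for f in review_log(lines) if f[0] != "unparsed"})


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run against the sample, the script flags the six probing requests, identifies 198.51.100.7 as a scanner after five 404s, and reports the traversal attempt from 203.0.113.5 even though that request returned 200; a 200 on a traversal path is exactly the case that deserves immediate follow-up.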

Web Site Security

Web pages that display or collect sensitive or confidential information must be hosted on a secure server supporting an encrypted web protocol (https) with a digital certificate issued by a trusted certificate authority, and the plain-http address of such a page should redirect to the https version so the information is never sent in the clear. The University of Memphis ITS Web Services group (webservices@memphis.edu) manages an account with a trusted root certification authority and will work with clients from across campus who need to obtain an SSL/TLS certificate for official department or unit web servers in the memphis.edu domain.

Scripts executed on web servers (CGI programs, PHP pages, server-side application code) are a frequent point of compromise, especially when they use user-supplied data (form fields, query parameters, cookies, request headers) to build file paths, operating-system commands or database queries without validating it first; a request parameter passed straight into a file open, a shell command or an SQL statement hands the requester control over what the server reads or executes. Script code should be reviewed and scanned for known classes of security risk before deployment and again whenever it changes.
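As an added illustration of the validation this guideline asks for (example code, not the University's or ITS Web Services' own), the block below shows two of the script mistakes described above next to their hardened forms: a download script that joins a user-supplied filename onto the document root, and a lookup script that splices a user-supplied hostname into a shell command. The document root, the "host" command and the sample request values are assumptions made up for the example, and the functions marked vulnerable exist only for contrast.

```python
"""Validate user-supplied data before it reaches the filesystem or the operating system.

Added example for this guideline, not code from the University of Memphis or
ITS Web Services. The document root, the "host" lookup and the sample request
values are assumptions made up for illustration. The *_vulnerable functions
exist only to contrast with the hardened ones and must never be deployed.
"""
import os
import re
import subprocess
from pathlib import Path

DOCROOT = "/var/www/html/files"  # assumed directory of downloadable files


# --- File access ------------------------------------------------------------

def download_path_vulnerable(filename):
    """No validation: the requester decides where the path ends up."""
    # "../../../../etc/passwd" walks out of DOCROOT, and os.path.join
    # discards DOCROOT entirely when filename is absolute ("/etc/passwd").
    return os.path.normpath(os.path.join(DOCROOT, filename))


def resolve_download(filename, docroot=DOCROOT):
    """Resolve the requested name and confine it to docroot, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    root = Path(docroot).resolve()
    # resolve() follows symlinks and collapses "..", so one containment check
    # covers "../x", "a/../../x", absolute names and symlinks planted under docroot.
    candidate = (root / filename).resolve()
    if root not in candidate.parents:
        raise ValueError(f"{filename!r} escapes the document root")
    return str(candidate)


def is_confined(filename, docroot=DOCROOT):
    """True if the request would be served, False if it would be rejected."""
    try:
        resolve_download(filename, docroot)
        return True
    except ValueError:
        return False


# --- Operating-system commands ----------------------------------------------

def lookup_command_vulnerable(hostname):
    """Shell command built by string concatenation, as handed to os.system()."""
    # "example.edu; rm -rf /" makes the shell run a second command.
    return f"host {hostname}"


# One DNS label: alphanumeric, internal hyphens allowed, at most 63 characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def is_valid_hostname(hostname):
    """Allow-list check: only characters a hostname may contain, so no shell syntax."""
    return len(hostname) <= 253 and HOSTNAME_RE.match(hostname) is not None


def lookup_argv(hostname):
    """Validated hostname passed as its own argv element; no shell is involved."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"invalid hostname {hostname!r}")
    return ["host", hostname]


def lookup(hostname):
    """Run the lookup without a shell; metacharacters in hostname never reach one."""
    result = subprocess.run(lookup_argv(hostname), capture_output=True, text=True, timeout=10)
    return result.stdout
```

The two hardened functions use different strategies on purpose: the file path is checked after resolution, because what matters is where the path lands rather than which characters it contains, while the hostname is checked against an allow-list before use and then passed as a separate argument so that no shell ever interprets it. Rejecting "." in the download path also keeps the script from serving a directory, which would reintroduce the directory-listing problem through the application.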