Websites hosted on the server must be protected behind a centrally-managed Web Application Firewall (WAF). The WAF team will work with site owners to make sure that the WAF does not block legitimate traffic destined for hosted sites.
Web Servers must be kept up-to-date with the latest security and other software patches in compliance with existing policies and best-practices. For website applications, this includes keeping up-to-date not only the base software package(s), but any additional add-ons such as themes, plugins, and modules.
This includes, but is not limited to:
the OS of the web server
the web server software
any packages and libraries involved with serving web content
the software that powers the websites hosted on the server (e.g. WordPress, Drupal, etc.).
Web Servers must store their logs in OIT’s LMaaS (Log-Management as a Service) offering. This includes not only the OS-level logs (e.g. /etc/messages), but also any logs generated by the web server and web applications present on the server.
Web Servers must serve content over https via TLS, with non-TLS traffic (i.e. http) automatically redirected to https URLs. TLS must be configured to use valid, non-expired certificated issued from either InCommon or Let’s Encrypt. The use of HSTS headers to ensure https enforcement is encouraged.
All authentication to web applications hosted on the server must use the Georgia Tech Single-Sign-On service to authenticate. The use of OIT IAM authorization services (e.g. GTED, Shibboleth) is encouraged. The list of accounts given access to web applications on the server must be periodically audited to remove access that is no longer needed, at least quarterly, preferably monthly.
Measures must be taken to prevent hosted websites from being used to send or host spam. This means either disabling all content creation by visitors or vetting all account and profile creations, enforcing captcha on all form inputs, making sure all uploaded files are saved to private directories, and periodically searching for and remove spam content from the site.