9I制作厂免费

Essential web security guidelines for site owners


As a website owner, maintaining the security of your site is a crucial responsibility to protect your users and ensure the confidentiality, integrity, and availability of your website.

This document provides high-level recommendations for site owners along with resources for technical staff. By adhering to these guidelines and using the resources provided, site owners can safeguard their websites at every stage of their lifecycle. This guidance applies to all platforms hosting 9I制作厂免费 websites, promoting consistent security measures across all systems.

Hosting your site on 9I制作厂免费's centrally-supported Web Management System (WMS), provided by Web Services, ensures compliance with all of the guidelines below except #9 and #10.

  1. Keep software up to date

    Regularly update all software components, including the operating system, web server, database, and third-party libraries or plugins. Establish a patching strategy. Subscribe to vulnerability and application feeds so you can identify vulnerabilities as they become known. Scan your application for known vulnerabilities on a regular basis.

    Maintain a list of web applications under your responsibility along with their risk, criticality and data classification. Limit your attack surface by disabling accounts, services and applications that are not needed and decommissioning unused servers.

    Technical implementation resources

    • (NIST)
    • (Canadian Centre for Cyber Security)
    • (OWASP)
  2. Use strong passwords and authentication

    Use centrally-supported authentication systems with Multi-Factor Authentication (MFA) where possible. If you cannot integrate with a centrally-supported authentication system, then establish a strong password policy for both users and service accounts. Manage accounts following the principle of least privilege and Role-Based Access Control (RBAC).

    Technical implementation resources

  3. Secure architecture

    Segregate your web service components (Presentation, Application and Database tiers). Protect your Internet-facing services with a proxy and a Web Application Firewall (WAF). Implement redundancy, have a Disaster Recovery Plan (DRP) and test it.

    For web applications and services hosted outside of 9I制作厂免费, follow the Cloud Service Acquisition Process and Policy on the Responsible Use of 9I制作厂免费 Information Technology Resources. Indicate on the homepage that the website is not hosted by 9I制作厂免费.

    Technical implementation resources

  4. Write secure software

    Implement security measures to protect against common web vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Validate user-uploaded files. Use session management toolkits, expire session data and use cookie security flags. Include a Content Security Policy (CSP) and other common HTTP Security Headers.

    Include code reviews and static code analysis in your development process. Have a change control process and ensure all changes are justified, documented and tracked.

    Technical implementation resources

    • (OWASP)
    • (OWASP)
    • (OWASP)
    • (Canadian Centre for Cyber Security)
  5. Secure data transmission

    Use HTTPS to encrypt data between your website and users, and ensure your server uses a valid SSL/TLS Certificate. Use to ensure that browsers automatically interact with your website with HTTPS.

    Technical implementation resources

    • (Canadian Centre for Cyber Security)
    • (OWASP)
    • (OWASP)
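As an added example, not code from this page or from Web Services, the following Python shows how the cookie security flags, session expiry, CSP and other security headers from #4 and the HSTS header from #5 can be emitted by a web application, together with a constant-time CSRF token check. The header values, cookie name and helper names are assumptions chosen for illustration, not a prescribed configuration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Header values are illustrative assumptions; tune the CSP to the site's real resource origins.
SECURITY_HEADERS = {
    # Load scripts, styles and other resources only from our own origin; forbid framing and plugins.
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    # HSTS: browsers use HTTPS for this host (and its subdomains) for one year.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def session_cookie(session_id: str, lifetime_seconds: int = 1800) -> str:
    """Build a Set-Cookie header value carrying the cookie security flags."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    jar["sid"]["secure"] = True             # sent only over HTTPS
    jar["sid"]["httponly"] = True           # hidden from page scripts, limiting XSS impact
    jar["sid"]["samesite"] = "Strict"       # withheld on cross-site requests, limiting CSRF
    jar["sid"]["max-age"] = lifetime_seconds  # the cookie, and so the session, expires after this
    jar["sid"]["path"] = "/"
    return jar.output(header="").strip()


def new_csrf_token() -> str:
    """Per-session anti-CSRF token: store it server-side and echo it into each form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(expected: str, submitted: Optional[str]) -> bool:
    """Compare the token posted with the form against the session's token in constant time."""
    if not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def build_response_headers(session_id: str) -> dict:
    """Headers every HTML response should carry, plus the hardened session cookie."""
    headers = dict(SECURITY_HEADERS)
    headers["Set-Cookie"] = session_cookie(session_id)
    return headers
```

Call `build_response_headers(session_id)` when composing a response and `csrf_token_valid(session_token, form_token)` before acting on any state-changing POST.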
  6. Backup data regularly

    Back up your website content, configuration, and operating system on a regular basis. Test your backup recovery process to ensure backups can be restored successfully when needed.

    Technical implementation resources

    • (Canadian Centre for Cyber Security)
  7. Monitor and respond to security incidents

    Monitor your web server and application logs to enable incident detection and investigation. Log all authentication activity, privilege changes, and suspicious activity (e.g., multiple failed logins or unusual volume of traffic). Have a log retention policy.

    Have a security incident response plan ready for emergencies. Keep a contact list for technical support. Be ready to isolate compromised areas and notify key contacts in case of a breach or defacement.

    Immediately report any suspected or confirmed breach or defacement to facilitate investigation and guidance from the Information Security team.

    Technical implementation resources

    • (OWASP)
    • (OWASP)
    • (Canadian Centre for Cyber Security)
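As an added example, not from this page or from any particular product, the following Python applies the "multiple failed logins" detection from #7 to a constructed authentication log. The line format, field names, the five-failures-in-two-minutes threshold and the sample IP addresses are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "<timestamp> <level> login user=<u> ip=<ip> result=<r>" format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 INFO login user=alice ip=203.0.113.5 result=success
2024-05-01T10:00:05 WARN login user=admin ip=198.51.100.7 result=failure
2024-05-01T10:00:09 WARN login user=admin ip=198.51.100.7 result=failure
2024-05-01T10:00:14 WARN login user=webmaster ip=198.51.100.7 result=failure
2024-05-01T10:00:20 WARN login user=admin ip=198.51.100.7 result=failure
2024-05-01T10:00:31 WARN login user=editor ip=198.51.100.7 result=failure
2024-05-01T10:00:45 WARN login user=admin ip=198.51.100.7 result=failure
2024-05-01T10:02:00 WARN login user=carol ip=192.0.2.9 result=failure
2024-05-01T10:12:30 WARN login user=carol ip=192.0.2.9 result=failure
2024-05-01T10:13:00 INFO login user=carol ip=192.0.2.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Turn matching lines into (timestamp, user, ip, result) tuples; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"]))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: peak_count} for source IPs with at least `threshold` failures inside any `window`."""
    failures = defaultdict(list)
    for ts, _user, ip, result in events:
        if result == "failure":
            failures[ip].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window over this IP's failure timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts
```

Running `failed_login_bursts(parse_log(SAMPLE_LOG))` flags only 198.51.100.7 (six failures in under a minute); carol's two failures ten minutes apart stay below the threshold, which is the distinction a retention policy and a window-based rule exist to make.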
  8. Security testing

    Conduct regular security testing, including vulnerability scans and penetration testing, to identify and address potential security issues.

    Technical implementation resources

    • (OWASP)
  9. Protect websites and users' data

    If your website needs to store, process or transmit cardholder data for credit and debit card payments, please get in touch with Financial Services. Ensure you follow and 9I制作厂免费's Merchant Policy & Procedures.

    Protected and Regulated data should not be published on a website.

    On 9I制作厂免费 websites, Personal Information (PI) can only be collected using .

    Technical implementation resources

  10. Educate your team

    Ensure all team members understand basic security principles and stay informed about emerging threats. Regular training can help prevent avoidable mistakes.

    Technical implementation resources

    • (9I制作厂免费)
    • Secure Your Journey (9I制作厂免费)
    • (Canadian Centre for Cyber Security)

Adhering to these guidelines and utilizing the additional information in the reference links can greatly minimize the risk of security breaches and protect your website and its users. For further assistance, contact the on the to reach the IT Security team for consultation. For the 9I制作厂免费-supported Web Management System (WMS), see the Web Services Contact us page.

Definitions

  • Attack surface: All possible vulnerabilities in a system that could be exploited by an attacker.
  • CSRF (Cross-site request forgery) attack: A type of malicious exploit of a website or web application in which unauthorized commands are submitted from a user that the web application trusts.
  • Logging: Operating systems, databases, applications, web servers and APIs all have the ability to create a log of the actions that take place during their operation.
  • Multi-Factor Authentication (MFA): To prove their identity, a user presents more than one of the following factors: something you have (e.g. a smartcard, a USB stick with a secret token, a TLS certificate, etc.), something you know (e.g. a password, a PIN, etc.), and something you are (e.g. anything related to biometrics: fingerprint, iris, etc.).
  • Patching strategy: Process of identifying, acquiring, testing, and installing vendor-issued software updates (also known as patches).
  • Penetration testing: Authorized simulated cyberattack performed to find vulnerabilities and evaluate the security of a system.
  • Principle of least privilege: Concept which maintains that a user or system should be granted access only to the resources necessary to perform their job.
  • Proxy: Server application that acts as a gateway between a client (e.g. a web browser) and a resource (e.g. a web server).
  • Role-Based Access Control (RBAC): Security model that restricts access based on predefined roles. Instead of assigning permissions to individuals, RBAC assigns them to roles, which users are then assigned to.
  • Redundancy: Intentional duplication of components of a system, with the goal of increasing reliability in case of failure in one or more components.
  • Vulnerability: An application, system, device, or service that contains a bug, flaw, weakness, or exposure that could compromise confidentiality, integrity, or availability.
  • Vulnerability and application feeds: Communication channels vendors use to share information about their software, including newly identified vulnerabilities and ways to address them.
  • Vulnerability scan: Identifying weaknesses in an information system, its security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
  • Web Application Firewall (WAF): Software that protects a web application by filtering, monitoring or blocking HTTP traffic based on a set of rules.
  • XSS (Cross-site scripting) attack: A type of security vulnerability found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.