Web Related Policies and Guidelines

The City University of Hong Kong (CityU) website provides links to and information about the University, its teaching and research mission, its academic programmes, resources, services and people, to a wide audience of staff, students, alumni, faculties, collaborators, potential employers and visitors. Therefore it is important that the web pages provide the best possible representation of CityU.

With a view to providing a reference site for all departments and offices to refer to when they engage in web publication, the Enterprise Solution Office (ESU) has prepared this guide to the related policies, design guidelines, references etc. that are relevant and certainly useful for publishing on the web.

1. Policies Governing Web Publication

Web publishers at the CityU are responsible for the contents of the pages they publish and are expected to abide by the highest standards of quality and responsibility. These responsibilities apply to all publishers, from academic departments to administrative offices. In addition, publishers should make sure that the use of resources is tied firmly to the mission of the CityU and all web activities must support research, education, administrative processes, community service and legitimate pursuits. They are also required to comply with relevant CityU rules and policies, and international and local laws concerning appropriate use of computers, information and data security.

2. Web Hosting Environment

  • Central web hosting

    Central web hosting service is set up to provide a consolidated, fully monitored and managed environment for hosting departmental web sites or project web sites. The hardware and the software of the central web service are maintained and supported by the ESU while the web page contents and applications are developed and maintained by the departments. Compatibility and technical advice will be provided to assist in the development of a new website or migration of existing websites. In order to provide a stable environment for the web services already hosted, NO development activities is allowed in these web servers. Users are expected to do all developments and testing on their own machines before uploading to the central web hosting servers.

    As highly reliable and secure central servers are used to host these services, web site owners can then concentrate on the development of their web contents or applications without worrying about the server management or operational support of the servers. It also relieves these owners from the burden of keeping the servers secure and the effort to manage them.

    It is hoped that this centralized support arrangement can eradicate the levels of risk of having many web servers distributed around the campus with different security protections. The consolidated infrastructure to host these websites also leverages economies of scale, thereby creating significant cost savings.

    Two hosting environments are provided, they are Drupal (CMS) and Microsoft IIS.

    • Drupal (CMS) is provided as a standard for websites require Web Content Management System.
    • Microsoft IIS is provided as a standard for HTML and web application hosting. It supports HTML, ASP and ASP.NET. Database support is provided by Microsoft SQL Server. Detailed information can be found here
  • Hosting on departmental web server

    Departmental web sites can be hosted on the departmental web server maintained and supported by the department. It is the responsibility of the department to perform proper server management to ensure the server is secured from hacking and attacking activities. Below are some guidelines and notes for maintaining the departmental web server.

    • Apply a domain name for the web server and avoid using IP address in the URL.
    • Complete the server registration for the web server.
    • Devise a backup strategy for backing up the website information and data.
    • Apply latest OS patch.
    • Turn on Firewall (if any) to protect the server.
    • Install anti-virus program and apply its latest patch. Set schedule to update or download the latest virus definition file.

3. Secure Your Website

Departmental and/or project websites represent the University as a whole, therefore attacks by internet hackers causing defacement of websites and information corruption are highly undesirable. To avoid these from happening, below are some guidelines for maintaining a secure website.

  • Tighten the folder and file access control and do not allow any directory in the web server to have both write and execute privileges for the everyone group.
  • Request Information Security Unit (ISU) of OCIO to perform web security scanning when the website is revamped or re-developed.
  • For protected contents those require user login, the corresponding website should integrate with CityU Central Web Authentication Service to facilitate CityU members to authenticate with their CityU's EID and password. (The website should not create local accounts for CityU members.) Departments may submit IT Work Request to the Central IT for using the service.
    For external users authentication, making use of Google accounts, Microsoft accounts, etc. via OAuth or OpenID Connect is highly recommended. Creating system local accounts should be avoided whenever possible.
  • Do not download or run programs from un-trusted sources on the web server.
  • Subscribe to product security notification.
  • For departmental web servers, apply a SSL web server certificate from a CA to protect the sensitive information such as login username and password.
    Department can submit a CSC Work Request and CSC can help to get the SSL web server certificate from Thawte for the departmental web server. The department has to pay for the cost for the SSL web server certificate which is cheaper than that of other CAs.

4. Design and Create a Website / Web page

  • Standard elements of a CityU /departmental web page

    The University Web Templates are designed for all colleges', schools', departments' and administrative units' websites under the City University of Hong Kong. It aims to improve the brand image, web usability, user experience, information architecture and online presence of the University websites.

    The detailed guidelines on the use of the University Web Templates can be found here.
  • Search engine friendly website

    In order to dramatically improve search results within the University site and search engines in general, it is important to include certain search engine specific information on your page as part of the Search Engine Optimization (SEO) strategy. Below are some tips on improving your search ranking which have the best effect if they are applied at the same time and should be good enough to get you started.

    • Good title in the "Title" tag
      Good title in the "Title" tag with descriptive keywords is vital in achieving high search engine ranking.
    • Keywords in "Meta" tag
      You can define keywords and phrases that represent the page content. List the keywords in order of importance.
    • Description in "Meta" tag
      It is used to give a short description of the page. It is indexed by search engines like the rest of the content on your page and should be kept brief, preferably a sentence or two with good keywords.
    • Keywords appear in the first paragraph of the body text
      This helps in determining how relevant the page is to a specific topic or search term. The denser the keywords are within the content, the higher the relevance will be.
    • Avoid using frame
      Search engine may have problems to index the page and even if search engines are able to index your pages, web users who find your page will only be taken to one of the pages within the frameset.
    • Avoid duplicate content
      It is common for a site to have several pages (URLs) listing the same (highly similar) contents. A canonical page is the preferred version of a set of pages with highly similar content. The "rel=canonical" tag lets you suggest the page that search engine should treat as canonical. For example,

      <link rel="canonical" href="//www.cityu.edu.hk/web-guide/">
    • Images and graphics
      Search engines cannot index images and graphics. If having those non-text elements on your page is inevitable, you should write description content for each of them. For example,

      <img src="your_image.jpg" alt=" a brief description of your image ">
  • Best practice and tips for creating a website / web page
    • Use relative path for URLs
      When linking pages within your own site, use relative paths (only filename without the http:// prefix) instead of absolute paths (full URL e.g. //www.cityu.edu.hk/cityu/) which should only be used for linking to pages on other web sites. If you use relative paths, it will save you a lot of maintenance effort when your site is moved to another directory or another server.
    • Use Server Side Includes (SSI) for repeated items
      There are often items like copyright information, navigation menu, headers and contact notices that are repeated on multiple pages. To allow for a single update on all pages, we can use SSI by saving the repeating HTML content (must not contain any HTML, HEAD or BODY tag) in a separate file.

      <!--#include file="path_to_file/footer.htm" -->
    • Use CSS to separate content from page formatting
      The best way to separate content from page formatting is by means of external Cascading Style Sheets (CSS). All design information is kept in one place and when you change the CSS stylesheet, the look of the entire site will be updated accordingly. This greatly reduces maintenance effort.
    • Avoid using tables for layout
      Use div tags and CSS styles instead of tables for web page layout. Tables are mainly used for showing tabula data and not for layout. As far as accessibility is concerned, tables, especially the deeply nested ones, are confusing for visually impaired people who use screen readers to read a page.
    • Avoid using frames
      Some people have difficulty navigating within frames, either because the frames are confusing or because the software they are using simply cannot read frames.
    • Avoid pop-ups if possible.
    • Tag appropriate links as [ppt], [pdf], [staff only], [login required], etc .
    • Share your website to social networks.
      Share you website to others such as Facebook and Twitter etc.
      facebook logo  twitterr logo
    • Web Accessibility
      Web Content Accessibility Guidelines (WCAG) 2.0 from W3C and Web Accessibility Handbook from Office of the Government Chief Information Officer cover a wide range of recommendations for making Web content more accessible.

5. Testing a Website

  • Validate your website by W3C Markup Validation Service.
    This validator checks the markup validity of Web documents in HTML, XHTML, SMIL, MathML, etc.
  • Validate your website by W3C CSS Validation Service.
  • Validate your website by W3C Link Checker.
    w3c validator logo   w3c css validator
  • Browse your website with the most common browsers – Edge, Chrome, Firefox, Safari, etc.
  • Browse your website with different devices – Windows PC, Mac, iOS devices, Android devices, etc..
  • Check for spelling mistakes.
  • Check for broken links.

6. Web Account Maintenance and Quality Assurance

Herein are some good practices that web account owners on the university central web servers (www, www7, wwwstaging) should follow to ensure the wellness of their websites.

  • The university web servers are open to public access, therefore content stored should be properly protected.  Under no condition should it be used for general storage especially sensitive data (e.g. students’ personal data, grades).  Besides, special care should be exercised to ensure the data is properly protected (e.g. encrypted) where necessary during storage and transfer, and removed immediately after use.
  • Users should adhere to the 'Purpose of Usage' specified at the time the web accounts were created. It is critically important that the information provided in the pro-forma of the Annual Renewal exercise is correct and most up-to-date. Inform the ESU via a CSC Work Request should there be any changes such as their usage, site administration or support personnel.
  • Departments are strongly advised not to renew those web accounts which are no longer in use. This is especially the case when departments decided to host their sites elsewhere, e.g. on their own server. If for some reasons they need to keep their web accounts for URL redirection, they should delete all 'old' contents in these accounts and keep only the index file containing the redirection instruction.
  • Often web accounts are shared by a number of staff in the department for maintaining different web pages. The names of these staff, their responsibilities and how they coordinate with each other should be documented. This information is vital especially in the handover of web accounts due to staff departure, change of duties, etc. It is strongly recommended to change the passwords of these accounts by the new site administrators after the handover.
  • If departments do not have the password to access web accounts which were opened long time ago due to staff departure, they should submit a CSC Work request to reset the password and then logon to backup the contents and instruct the ESU to remove the account. Idle or unattended accounts may run the risk of being hacked.
  • To optimize disk resources on central servers (they are university resources), please help to perform the following regularly:
    • Do not use the web account as general file storage.
    • Tidy up the web account by removing out-dated files, not in use files and backup files from the server.
    • Download old version files to your local PC and remove them from the server.
    • Do not upload large volume of pictures and try to use lower resolution and smaller size for the pictures / graphic files that is good enough for display and general printing.
    • Do not upload video to the web server as it is better to put the video on Central video server for better performance with streaming.
  • If there is a considerable upgrade to the web pages, e.g. for a new website or a new feature, in particular those involving programming or database usage; you are strongly recommended to contact the ISU for a web site vulnerability scan before launching the new pages.

Failure to follow the above conditions may result in a breach of security, loss of data, poor performance, etc which may tarnish the name of the department and the university.