Technical Best Practices for Web Development on the CityU Web

by Helium Hung


The central web hosting service is set up to provide a consolidated, fully monitored and managed environment for hosting departmental and project websites for all departments and offices.
The hardware and software offered by the central web service are maintained and supported by the Computing Services Centre (CSC) while the web page contents and applications are developed and maintained by individual departments. Compatibilities with web standards and technical advices are provided by the CSC to departments to assist them in the development of new websites or the upgrade of existing websites.
Planning a website development
In order to provide a stable and safe web hosting environment for all web sites and services, users are expected to do all the development on their own machines and fully test them on the staging server before uploading to the central web hosting servers. Website administrators/developers are strongly advised to follow the development/staging/production life-cycle for website development (please refer to the article on “www6 Staging Server is Now available” in this issue of Network Computing).
The following steps will assist the website owners and web application developers to understand the central web hosting service provided by the CSC whereby facilitating smooth development and transition to production site.
1.       Web hosting on www6 server ( 
IIS 7.5 on Windows 2008 R2 Server
Database support
Microsoft SQL Server 2008 R2
User testing and training
2.       Read the following documents.
Policy on Central Hosting
Frequently asked questions (FAQ)
3.       Submit an online CSC Work Request to create a web account and/or database account.
a.       Specify the required .NET Framework version (v2.0, v3.5, v4.0).
b.      Specify the database support if there is a need to store data for web forms.
4.       Develop the website/web application on a local workstation or server.
5.       Submit an online CSC Work Request to create a web account and/or database account on the staging server.
6.       Upload the revamped website to
a.       Make sure the web application is fully compatible with the web server and database server.
b.      Make sure the web application has NO high risk security vulnerabilities.
Please refer to the following links:
                                                   i.      Network computing 09/2009 issue
                                                 ii.      OWASP Top Ten Project
7.       Submit an online CSC Work Request to perform a web security scanning for any vulnerability.
a.       Usually, 90% of the vulnerabilities detected are:
                                                   i.      SQL Injection
                                                 ii.      Cross Site Scripting (XSS)
                                                iii.      Cross-Site Request Forgery (CSRF)
b.      Read the OWASP Top 10 Document for more details.
8.       Upload the ready-to-launch website to the www6 server.
According to the audit policy for central production server, any changes made to the web hosting and database servers must be recorded by CSC Work Request with justification, and approved by the CSC/Central IT. Situations where you may need to submit CSC Work Request are:
§  Create .Net framework application for sub-folders
§  Folder write permission for web application to generate data files
(To reduce the security risk, it is highly recommended to use a database for file storage)
§  SQL database backup, restore, quota change
§  Web account quota change
Best practices for building dynamic websites
The following tips are the best practices recommended for website owners or developers:
·         Do not keep backup files on the production site as disk space is limited.
·         Use a MS SQL user account with read-only permission whenever possible.
§         When you just need to display the database data without the need to update, you must use read-only permission in order to prevent the SQL injection attack.
·         Always use SSL (https connection) for logon pages
·         When coding logon pages, add codes (see sample coding below) to check whether https connection is in use. If non-secure connection (http) is used, redirect itself to the logon page with https protocol in order to make sure SSL is used.
Sample coding [Visual Basic]:
If not Request.IsSecureConnection Then
Response.Redirect("https://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("URL"))
End If
·         Carefully filter illegal input; allowing only a strict pattern of users' input.
For example:
1.       Validate the phone numbers by allowing digits and valid characters only.
2.       Validate the length of input by a certain value
(Note: Program generated hidden query variables are also needed to be validated.)
·         Add CAPTCHA to web forms to prevent DoS attacks.
§  You can use the free google captcha:
§  Or, CSC provides BotDetect CAPTCHA for .Net 2.0, 3.5.  Submit an online CSC Work Request to obtain the BotDetect assembly file
·         Disable ASP.NET Application Level-Trace Log
To do this, locate the ‘trace enabled’ tag in your ‘web.config’ file and change the value to "false":
<trace enabled="false" />
·         Turn off detailed .NET error message
To do this, locate the ‘customErrors’ tag in your ‘web.config’ file and change the value to "On" or "RemoteOnly":
<customErrors mode="On" />
·         Use only Unicode code page for output in order to avoid ASP.NET or ASP Unicode Conversion Cross-Site Scripting.
To do this, add the following lines to your ‘web.config’ file:
<globalization responseEncoding="utf-8" />
·         Change the maximum request length if you need to upload large data file (> 4MB) in a web form.
To do this, add the following lines to your web.config file:
<httpRuntime maxRequestLength="10240" executionTimeout="3600"/>
·         Add NOINDEX meta tag to prevent dynamic pages from being crawled by search engines.
For Yahoo and Google, the tag should look like
<META NAME="robots" CONTENT="noindex">
For MSN, the tag should look like
<META NAME="*" CONTENT="noindex" />