Government-owned websites may hold sensitive government and public data; the security of these websites is therefore of high importance and should be given adequate attention.
- All testing scripts and related files must be removed when the website is deployed to the live environment.
- Data submitted by users using online forms (such as contact, careers, etc.) must be subject to client-side validation as well as server-side validation. Validation helps in keeping stored data meaningful and clean and helps in preventing hacking attacks.
- Cookies must not be used to save any sensitive information like user passwords.
- “Captcha” images should be used whenever there are data submission forms used by users in order to prevent automated scripting submissions against the website.
- Secure Sockets Layer (SSL) protocol must be used whenever necessary as it provides data encryption at the communication level. SSL is used to protect against the sniffing of sensitive data such as credit card numbers or personal contact information.
- Access to the back office must be protected by a username/password.
- A complex password policy must be set for users with access to the back office.
- If deemed necessary, IP address restriction should be used to prevent access to the back office from outside the pre-set IP addresses.
- Proper security settings on the file system must be configured and set in place. Folders that require only read access must have only read permissions; folders that require write access must have write permissions set to the appropriate user etc.
- Website files must not be downloadable by the users nor should the users be able to list the content of the website folder in their user agents.
- Using the folder name “admin” is a widespread practice in web-based back office systems. Avoiding “admin” as the name of the back office main folder is highly recommended as a basic security best practice and must be attended to.
- All database queries must make use of parameterized queries or stored procedures in order to prevent SQL injection attacks.
- Appropriate permissions must be set on the database level and properly handled by the database administrator.
- The database user used within the application must not be a database owner.
- Proper permissions must be set on the database object level for the database user being used by the application.
- The database user used by the application must not have drop permissions on any of the database objects.
- In data-sensitive scenarios, the option of saving encrypted or hashed data should be considered.
  Example: some of the well-known hashing algorithms that could be used are:
  - SHA (Secure Hash Algorithm)
  - MD5 (Message-Digest Algorithm)
- The website should undergo and pass appropriate security tests that could be provided by specialized security testing service providers.
- Cross-linking between different websites can cause ambiguity for visitors about who owns a particular portion of the content and whom to contact in case of any query.
Furthermore, there could be differences in the security domains of two linked websites. It is important to notify the visitors when they are leaving a particular website through a hyperlink and entering another one. Clear indications must be given when leaving the Government site and navigating to another website.
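
The requirement above that all database queries use parameterized queries can be illustrated with a contact-form lookup. This is an added example, not part of the original guideline; the `enquiries` table, the function names and the sample rows are constructed for illustration, and SQLite stands in for the production database.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE enquiries (id INTEGER PRIMARY KEY, email TEXT, message TEXT)"
    )
    db.executemany(
        "INSERT INTO enquiries (email, message) VALUES (?, ?)",
        [
            ("alice@example.org", "Passport renewal"),
            ("bob@example.org", "Tax query"),
            ("o'neil@example.org", "Permit status"),
        ],
    )
    return db


def find_unsafe(db, email):
    # Non-compliant: the form value is concatenated into the SQL text, so a
    # quote character in `email` changes the structure of the statement.
    sql = "SELECT message FROM enquiries WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]


def find_safe(db, email):
    # Compliant: the statement text is fixed and `email` is passed as a bound
    # parameter, so the database only ever compares it as a value.
    sql = "SELECT message FROM enquiries WHERE email = ?"
    return [row[0] for row in db.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed form input containing quotes
    print("concatenated :", find_unsafe(db, crafted))  # every row is returned
    print("parameterized:", find_safe(db, crafted))    # no row matches
    # A legitimate address containing an apostrophe also works when bound,
    # while the concatenated form fails with a syntax error.
    print("parameterized:", find_safe(db, "o'neil@example.org"))
    try:
        find_unsafe(db, "o'neil@example.org")
    except sqlite3.OperationalError as exc:
        print("concatenated :", exc)
```

The same bound-parameter form applies to INSERT, UPDATE and DELETE statements built from form data.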