Third­party Applications

It’s the responsibility of the site owner to ensure installed third-party applications and related modules are updated and patched. Applications that are not updated are often vulnerable to security problems.

Form Validation

All input received via form needs to be validated to ensure the integrity of the data. Do not rely on client-side validation such as JavaScript. JavaScript can be turned off by the client, which will override your validation rules. Server-side validation should be used to ensure data is input as expected. Some parameters that should be considered include:

  • Length of input
  • Data types of input
  • SQL injections
  • Cross-site scripting

For details on what information can and cannot be requested in forms, and other privacy-related issues, refer to Privacy.


When using databases for your website, static queries should be used, if possible. Otherwise, use prepared statements for dynamic queries. Stored procedures and views should also be considered.

Connection strings should never include embedded usernames and passwords. Use Config Vars available through the Webman application to manage your credentials. For more information about Config Vars, please visit the Webman Guide.

Databases should never contain sensitive data such as Social Security numbers. Please contact ITS if your application needs to store sensitive information.


Any application or website that requires a user to log in needs to use SSL. The official RIT Web hosting environment supports an SSL certificate enabling users to send credentials over https. When .htaccess files are used for authentication, the SSLRequireSSL directive should be set.

Authentication (Login-restricted Websites)

Websites or applications should use RIT Single Sign On (SSO) for authentication whenever possible. Avoid developing your own authentication. Note that authentication via LDAP, either OpenLDAP ( or Active Directory, is deprecated and should be converted to SSO. Consult the Authenticating and Authorizing RIT Users page for more information on the use of SSO in the web environment.


When developing PHP applications, consider the following:

  • Errors should never be displayed in production
  • When developing applications in the staging environment, consider password-protecting your site
  • Leave register_globals set to “off”
  • Dynamic HTML content should be encoded using htmlentities()
  • Phpinfo() should never be visible on any public-facing site
  • Leave the directive allow_url_fopen set to “off”
  • Test your PHP applications after upgrades are performed
  • File system permissions should be set appropriately. On the official Web hosting environment user and group read, write, and execute is sufficient.


Directories should not be browsable. A browsable directory is one where a default Web page doesn’t exist. As a result, all the files in that directory are listed. To stop a directory from being browsable, simply add an empty index.html file.