In order to provide a more secure and stable environment for university users, web applications and database-driven websites must comply with the following standards.

VCU specific checklist


  • All websites are loaded over HTTPS with a valid certificate. Websites should not use or include any resources loaded explicitly over HTTP.
  • All pages asking for logins or passwords are loaded over SSL.
  • Sensitive student and health data is protected by secure passwords. Sensitive data that may be requested through forms on your site is transmitted over a secure connection.

Third-party web applications

We ask that you notify Web Services via email if you install third-party web applications on any centrally-hosted servers. In addition, you will be responsible for maintaining the application and keeping it patched and up to date. If a system upgrade breaks the functionality of a third-party application, it will be your responsibility to work with the vendor to fix it.

Hosting third-party applications that provide similar functionality to centrally run applications (such as blogs, wikis, web analytics, etc.) are not allowed. Web Services provides these services centrally in order to decrease the maintenance and potential security hazards of un-maintained third party applications. If the centrally run application does not provide the functionality you require, please let us know and we will work with you to find a way to provide it.

Vulnerability scanning

According to the VCU Security Standard for Web Servers and Applications, any websites or web applications that write data to a database must be scanned for vulnerabilities including cross-site scripting, SQL injections, and other potential exploits. Applications must be scanned annually or after any significant changes. You can submit your website or application to be scanned through the VCU IT Professionals Intranet.

User authentication

Any application or website developed on campus that requires user authentication must use the VCU Central Authentication Service (CAS). Most centrally managed VCU web servers are configured to support CAS already. Contact Web Services for more information about how to implement CAS with your application or website.

The VCU Central Authentication Service can also be used on static websites to provide eID-based password protection to specific folders within a website.

Commercial or open-source products that are purchased or acquired for specific applications are not required to support CAS; however, if CAS is available as an option for user authentication within the application, we strongly recommend that you use it.