Web Best Practices & Guidelines

Web Browsers & Devices

Howard University websites are optimized and tested to ensure they function on the latest versions of commonly used web browsers, as well as devices, as noted below.

If you are using a different browser, or an outdated version of a browser, we cannot guarantee optimal site functionality or security.

If you experience a technical issue with a site, please first make sure that your browser is up to date.  If it is up to date and you still experience an error, please contact the Digital Strategy and Web Services team to report the issue.

If you need assistance updating your browser, please see below for helpful links.

Browsers

  • Mozilla Firefox: Download or update to the current version
  • Google Chrome: Download or upgrade to the current version
  • Safari: Download or upgrade to the current version
  • Internet Explorer: We never recommend using Internet Explorer. It has reached end of support and no longer receives security updates; if you must use it, make sure it is the last released version
  • Microsoft Edge: Download or upgrade to the current version (the current Chromium-based Edge is available for Windows, macOS, Linux, iOS, and Android)

Devices

Howard University websites are optimized and tested to ensure they function well on different screen sizes, including desktops (Mac and PC), tablets, and mobile devices (iPhone and Android devices).

General Web Guidelines

The Digital Strategy & Web Services Team requires that all Howard sites follow established industry standard best practices in site development, hosting, and post-launch maintenance. In order for a Howard constituent website to be approved for use as a Howard subdomain, and therefore become an official part of the Howard web family, the following criteria must be met.  Contact Digital Strategy & Web Services with questions/concerns.

Howard Sites Requirements

  • Browser compatibility with our list of recommended browsers
  • Baseline SEO (page titles, automatic page names, semantic HTML/CSS, meta-data, etc.) which will improve search engine placement
  • Compliance with the current Web Content Accessibility Guidelines (WCAG 2.1)
  • Optimization for fast download (images, code, etc.)
  • Responsive design tuned for browsers running on 16:9 mega-screens, smaller desktops/laptops, and in the most popular tablet and mobile platforms—iOS (iPhone, iPad, iPod) and Android
  • Well-planned information architecture that lets visitors reach the information they need in as few clicks as possible
  • Serving every page of a site over HTTPS (a TLS certificate plus a redirect from http to https for all pages) is highly recommended
  • If a site uses any webforms or otherwise accepts user input, serving those pages over HTTPS is required. The page that displays the form must itself be served over HTTPS, not only the endpoint the form submits to; otherwise an attacker on the network can alter the form before it is submitted
  • Site speed: initial homepage load time should be < 5 seconds (as measured by webpagetest.org)
  • Site caching for dynamic websites is highly recommended
  • The developers and site owners of a new site must thoroughly test the originally outlined site requirements to be sure that the site functions as expected, meets the standards listed on this page, and meets Howard's web style guidelines.
  • Please request a site review to ensure that your site or site-to-be-launched meets the requirements. (Site review can take up to 7-10 business days to complete after a request is received)
  • Meet Enterprise Technology Services' (ETS) site and hosting security guidelines.
  • Contact Web Services at Howard to request a security audit.
  • Must be hosted in a hosting environment or cloud hosting account that is owned by a Howard University entity, and not a personal one
  • Enterprise Technology Services (ETS) Security Team has signed off on site launch
  • For Howard stakeholders, we provide recommendations on how to correspond with 3rd party vendors hired to build a university website.
  • Site built in Drupal or otherwise agreed-upon CMS and meets Drupal requirements as provided by the Web Services at Howard Team
  • Unless permission is obtained directly from DSWS, a public-facing webform may collect only the information common to a basic "contact" form: name, phone number, email address, and the submitter's message. A form should never ask for sensitive information (for example, student records protected by FERPA) unless explicitly approved by the Office of University Communications.

Security Requirement for University Websites

The objective of this document is to provide a security checklist for the redesign of University websites. It lists the security requirements that should be communicated to developers, written into contractual agreements with them, and verified by testing before the applications are deployed.

The requirements below are intended to provide a basis for securing University websites, web applications, and databases against malicious and unintentional abuse.

Risk Assessment

All applications should be examined to determine whether they connect to a critical database, and their confidentiality, criticality, and vulnerability assessed. Mitigating risk to a realistic and acceptable level is required for all applications that connect to critical databases. The Family Educational Rights and Privacy Act (FERPA) mandates that the confidentiality of student data be protected. Databases that store personally identifiable information (PII) require appropriate security controls to protect the confidentiality of that data.

Authentication

Authentication is the first line of defense in protecting critical data assets. To ensure that the application denies unauthorized access to critical data, there should be designed, developed, and documented authentication policies, processes, and logging that identify the true owner of a user ID and password. The policies and processes should enforce strong passwords of at least eight characters containing a mixture of numbers, upper case letters, lower case letters, and symbols.

Authorization and Access Control

Authorization and access control provide the security strategy that protects front-end and back-end data, the operating system, and the applications themselves from unauthorized modification. Deploy a role-based approach in which each role is granted only the privileges it needs (least privilege). Document all fields and tables, the expected values and data length of each field, and the permissions assigned to each field.

Enforce authorization on the server for every request so that users cannot reach pages or records beyond their role's rights by guessing URLs or identifiers. Set cache-control headers so that responses containing sensitive data are not cached by the browser or by intermediaries. A penetration test should confirm that every access control has been exercised and denies unauthorized access before the application is deployed.

Session Management

Protect session IDs throughout their life cycle: generate them from a cryptographically secure random source, send them only in cookies marked Secure and HttpOnly, issue a new ID when a user logs in, and expire them on logout and after a period of inactivity. Otherwise an unauthorized user who obtains or plants a session ID can hijack the session and assume the valid user's identity.
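The following is an added example, not code from the page or from Howard's Drupal sites, showing the session ID life cycle described above in a minimal in-memory store: IDs come from the OS random source, lookups compare in constant time, the ID is rotated at login so a planted pre-login ID (session fixation) is useless afterwards, and sessions expire on idle and absolute timeouts. The timeout values, the cookie name, and the `SessionStore` class are assumptions for illustration.

```python
import hmac
import secrets
import time

# Assumed timeouts for illustration; tune to the site's risk level.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


class SessionStore:
    """Tiny in-memory session store (assumed helper, not a framework API)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._sessions = {}             # session_id -> {"user", "created", "last_seen"}

    def create(self, user=None):
        # 32 bytes from the OS CSPRNG; never derived from the user, the time, or a counter
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def lookup(self, sid):
        # Compare against every stored id in constant time so an attacker cannot
        # learn a valid id byte by byte from response timing.
        match = None
        for stored in self._sessions:
            if hmac.compare_digest(stored, sid):
                match = stored
        if match is None:
            return None
        session = self._sessions[match]
        t = self._now()
        if (t - session["last_seen"] > IDLE_TIMEOUT
                or t - session["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[match]   # expired: remove server-side state
            return None
        session["last_seen"] = t
        return session

    def login(self, old_sid, user):
        # Rotate at the privilege boundary: the pre-login id is discarded, so an
        # attacker who planted it does not share the authenticated session.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def cookie_header(sid):
    # __Host- prefix forces Secure, Path=/ and no Domain attribute, so the cookie
    # cannot be set by a sibling subdomain or sent over plain HTTP.
    return f"__Host-session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("rotated:", anon != authed, "old id still valid:", store.lookup(anon) is not None)
    print(cookie_header(authed))
```

The store keeps all state server-side; the cookie carries only the opaque ID, so nothing about the user is exposed if the cookie is captured, and a logout or expiry on the server invalidates the ID immediately.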

Data and Input Validation

Address cross-site scripting, command injection, buffer overflows, and error handling during the design and development phases of the application. Never generate output from user input without validating the data, and encode it for the context in which it is rendered. Limit database accounts to only the SQL stored procedures they require. All applications that accept input via an HTTP request must be reviewed to ensure they can identify oversized input. Inappropriate data that is identified should be dropped and the event logged.

Web Application and Server Configuration

Implement a patch management policy and procedure to ensure that "out of the box" server and application vulnerabilities are addressed. Implement a server deployment policy and procedure to ensure that only required processes run and unused ports are closed.

Logging and Auditing

Implement a logging and auditing policy that provides individual accountability for every action and produces records that can be relied on in any legal proceedings.
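The following is an added example, not code from the page or from Howard's sites, tying together the Data and Input Validation requirements and the Logging and Auditing requirement above for the basic contact form the General Web Guidelines permit (name, phone, email, message). It bounds input size and format, drops anything off-spec while recording the client address and reason in an audit trail, stores accepted data with parameter binding rather than string-built SQL, and escapes user text at output time. The field limits, patterns, table layout, and the in-memory `AUDIT` list are assumptions for illustration; the sample submission is constructed.

```python
import html
import logging
import re
import sqlite3
import time

log = logging.getLogger("contactform")

# Assumed limits and formats; the page names the fields but not their limits.
LIMITS = {"name": 100, "phone": 32, "email": 254, "message": 2000}
PATTERNS = {
    "name": re.compile(r"[\w .'-]+"),
    "phone": re.compile(r"\+?[\d\s().-]{7,}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
}

# In-memory audit trail so the block runs offline (assumed stand-in for an
# append-only log shipped off the web host).
AUDIT = []


def audit(event, client_ip, detail):
    entry = {"ts": time.time(), "event": event, "client_ip": client_ip, "detail": detail}
    AUDIT.append(entry)
    log.info("%s ip=%s %s", event, client_ip, detail)


class RejectedInput(ValueError):
    pass


def reject(client_ip, reason):
    # Drop the data, record who sent it and why it failed; never echo it back.
    audit("input_rejected", client_ip, reason)
    raise RejectedInput(reason)


def validate_contact_form(form, client_ip):
    """Return a cleaned copy of form, or raise RejectedInput after logging."""
    unexpected = sorted(set(form) - set(LIMITS))
    if unexpected:
        reject(client_ip, f"unexpected fields {unexpected}")
    clean = {}
    for field, limit in LIMITS.items():
        value = form.get(field, "")
        if not isinstance(value, str):
            reject(client_ip, f"{field} is not a string")
        if len(value) > limit:
            # Identify oversized input before doing anything else with it.
            reject(client_ip, f"{field} exceeds {limit} characters ({len(value)})")
        if "\x00" in value or (field != "message" and ("\r" in value or "\n" in value)):
            reject(client_ip, f"{field} contains control characters")
        if field in PATTERNS and not PATTERNS[field].fullmatch(value):
            reject(client_ip, f"{field} does not match the expected format")
        clean[field] = value.strip()
    return clean


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, "
        "email TEXT, message TEXT, client_ip TEXT)"
    )
    return conn


def store_submission(conn, clean, client_ip):
    # Parameter binding: values travel separately from the SQL text, so quotes
    # or SQL keywords inside the message are stored as data, not executed.
    conn.execute(
        "INSERT INTO contact (name, phone, email, message, client_ip) "
        "VALUES (?, ?, ?, ?, ?)",
        (clean["name"], clean["phone"], clean["email"], clean["message"], client_ip),
    )
    conn.commit()
    audit("contact_stored", client_ip, f"email={clean['email']}")
    return conn.execute("SELECT COUNT(*) FROM contact").fetchone()[0]


def render_confirmation(clean):
    # Escape at output time: user text never reaches the HTML unencoded, which
    # is what stops stored and reflected cross-site scripting on this page.
    return "<p>Thanks, {}. Your message: {}</p>".format(
        html.escape(clean["name"]), html.escape(clean["message"])
    )


if __name__ == "__main__":
    # Constructed submission carrying a script tag and SQL-looking text.
    sample = {"name": "Ada O'Neil", "phone": "+1 (202) 555-0100",
              "email": "ada@example.edu",
              "message": "Hi <script>alert(1)</script>; DROP TABLE contact; --"}
    conn = open_store()
    clean = validate_contact_form(sample, "198.51.100.7")
    store_submission(conn, clean, "198.51.100.7")
    print(render_confirmation(clean))
    print(AUDIT)
```

Validation here is an allowlist per field, so a rejected submission yields an audit entry naming the client address and the failing field, which is the accountability record the logging requirement asks for; the raw rejected value is deliberately not logged.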