Web Application Security Standards


Visit the CDE Web Standards to determine if these standards apply to a specific Web product that is being developed and to determine which other standards might apply.

Application-level Security

  1. Web applications will be secured against "SQL Injection Attacks", in which the attacker enters SQL commands into Web form input fields or URL querystrings in an attempt to manipulate the SQL statement sent to the database. The following methods to avoid SQL injection attacks should be used:
    • Use parameterized queries or stored procedures to access the database rather than building SQL statements by string concatenation
    • Limit the number of characters accepted in Web form input fields and URL querystrings to an appropriate maximum
    • Validate text input and URL querystrings for improper characters (e.g. apostrophe, dash)
    • Do not display errors to the user that contain information about the database or actual source code
  2. ASP.Net Web applications must be secured against "Cross Site Scripting" (XSS) attacks. To accomplish this, developers must ensure that the ASP.Net "validateRequest" Page directive is set to True (the default setting) so that users of the application are prevented from entering HTML or JavaScript code into Web forms. Request Validation - Preventing Script Attacks (Outside Source) is a white paper that provides excellent information on this issue.
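The four SQL injection controls in item 1 above, as an added illustration that is not part of the CDE standard. The standard targets ASP.Net applications; this example uses Python and an in-memory SQLite database so it can be run anywhere. The table, rows, field limit and the user-lookup functions are all constructed for the example. It places the concatenated (vulnerable) query beside the parameterized one and adds the length limit, character validation and generic error message the standard calls for, so the difference in behaviour on an input containing SQL metacharacters can be observed directly.

```python
import sqlite3

# Constructed sample data: a small user table standing in for the
# application's database (hypothetical names, not from the CDE page).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "staff"), ("bob", "staff"), ("carol", "admin")],
    )
    return conn

MAX_USERNAME_LEN = 32            # assumed field limit (item 1, second bullet)
DISALLOWED_CHARS = "'\"-;"       # assumed disallowed set (item 1, third bullet)
GENERIC_ERROR = "The request could not be processed."

def lookup_concatenated(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so any SQL
    metacharacters in it become part of the statement itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Hardened form: the input is bound as a parameter, so the database
    only ever treats it as a value to compare against, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def validate_input(username):
    """Length limit and character validation from item 1; raises on failure."""
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("input exceeds %d characters" % MAX_USERNAME_LEN)
    bad = [ch for ch in username if ch in DISALLOWED_CHARS]
    if bad:
        raise ValueError("disallowed character(s): %r" % bad)

def safe_lookup(conn, username):
    """Validation plus a parameterized query; any failure is reported to
    the caller as a generic message rather than the database's own error
    text (item 1, last bullet). Returns (rows, error_message_or_None)."""
    try:
        validate_input(username)
        return lookup_parameterized(conn, username), None
    except (ValueError, sqlite3.Error):
        return [], GENERIC_ERROR

def compare():
    """Run both forms against a normal value and a value containing SQL
    metacharacters, returning the results side by side."""
    conn = build_demo_db()
    crafted = "x' OR '1'='1"   # constructed input containing SQL syntax
    return {
        "concat_normal": lookup_concatenated(conn, "alice"),
        "concat_crafted": lookup_concatenated(conn, crafted),
        "param_crafted": lookup_parameterized(conn, crafted),
        "safe_normal": safe_lookup(conn, "alice"),
        "safe_crafted": safe_lookup(conn, crafted),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print("%-15s %r" % (name, result))
```

The concatenated query returns every row for the crafted input, because the quote in the input closes the string literal and the rest is parsed as SQL; the parameterized query returns nothing, because the whole value is compared literally, and the validating wrapper rejects the input before it reaches the database and reports only the generic message. The defense in depth the standard describes is that the parameter binding is what actually prevents the injection, while the length and character checks reduce what reaches the query and the generic error denies the caller feedback about the schema.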

Data Transmission Security

When confidential or sensitive data is passed between the end-user and the Web server, the HTTPS (HTTP over SSL) protocol will be used. SSL provides server authentication, data encryption ("over the wire"), and data transmission integrity. The SSL certificate used on the Web server will need to be "trusted" by the Web browsers listed on the CDE’s Minimum Web Browser Requirement Web page.

Database Security

  1. Web applications should use the minimum privileges needed to access database objects (e.g. tables, views, stored procedures). For example, if the Web application needs read-only access to a specific database table, the database permissions should be set accordingly, as opposed to giving the Web application "admin or owner" rights to the entire database.
  2. Individual database fields storing confidential or sensitive data (e.g. passwords, social security number) must be stored using encryption techniques.

Password Requirements

Passwords, whether created by application developers, administrators, or users, must meet (or be validated to meet) all of the following requirements. Passwords must:

  • Be at least eight characters in length.
  • Contain characters from three of the following four categories:
    • Uppercase letters (A through Z)
    • Lowercase letters (a through z)
    • Numbers (0 through 9)
    • Special characters (!, @, #, $, ^, &, *, -, =, _, +, ?)
  • Not be the same as the logon or user name.
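The password requirements above, expressed as a validation routine. This is an added example, not code from the CDE or from any CDE application; the function names are the example's own. The special-character category is limited to exactly the characters the standard lists, so other punctuation does not count toward the three-of-four rule, and the comparison to the user name is made case-insensitively, which is an assumption (a conservative reading of "not be the same as the logon or user name").

```python
import string

# The four character categories named in the standard. The special-character
# set is exactly the list the page gives; any other punctuation does not count.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set("!@#$^&*-=_+?")
CATEGORIES = (UPPER, LOWER, DIGITS, SPECIAL)

MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3

def categories_present(password):
    """Count how many of the four categories contribute at least one character."""
    chars = set(password)
    return sum(1 for category in CATEGORIES if chars & category)

def password_violations(password, username):
    """Return the list of rules the password breaks (empty list = compliant),
    so the caller can tell the user exactly which requirement was missed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must be at least %d characters" % MIN_LENGTH)
    if categories_present(password) < REQUIRED_CATEGORIES:
        problems.append(
            "must use characters from at least %d of the 4 categories"
            % REQUIRED_CATEGORIES
        )
    # Assumption: the user-name comparison is case-insensitive.
    if password.lower() == username.lower():
        problems.append("must not be the same as the user name")
    return problems

def meets_policy(password, username):
    """True when the password satisfies every requirement in the standard."""
    return not password_violations(password, username)

if __name__ == "__main__":
    # Constructed sample inputs; "jsmith" is a hypothetical user name.
    for candidate in ("Passw0rd", "password", "Abc!", "ab1.cdef", "JSmith12"):
        print("%-10s %r" % (candidate, password_violations(candidate, "jsmith")))
```

Returning the list of violations rather than a bare boolean lets the application report the specific failed rule at registration or password-change time, which is what "required through validation to meet" implies in practice. Note that a period in "ab1.cdef" does not rescue it: with only lowercase letters and a digit it reaches two categories, not the required three.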
Questions: Web Services Office | tsdweb@cde.ca.gov
Last Reviewed: Thursday, May 28, 2015
