Web Application Development Standards

Web applications developed for the California Department of Education (CDE) must adhere to specific standards pertaining to security, consistency, functionality, and look and feel.

The following Web Application Development Standards are divided into two sections, All Web Applications, which apply to all web applications developed, procured, or maintained for CDE, and CDE Web Applications Only, which additionally apply to those applications that are considered to be part of the CDE’s own websites. Usually, CDE web applications have the look and feel that is the same or similar to the CDE website.

Visit the CDE Web Standards to determine if these standards apply to a specific web product and to determine which other web standards might apply.

All Web Applications

General Standards

Web applications must meet the following general standards:

• Must be easy and intuitive to use for the target audience.
• Must function in a logical manner for the target audience.
• Must use styles that are consistent throughout the application and within the associated website, including:
• The use of capitalization (e.g., title case vs. sentence case).
• The use of punctuation (e.g., consistent use/no use of colons on labels).
• Error messages must appear in a consistent location and style.
• Consistent use of any web document notations (e.g., PDF, DOC, etc.).
• Layout/spacing (e.g., the space between a field label and input control).
• Descriptive metadata titles and descriptions.
• Must adhere to industry best practices. 
• Form controls that are not available must be hidden--no use of inactive controls.

Development Technology, Programming Language, and Web Server Software

Web applications require the use of the following (or higher) technologies:

• Framework: Microsoft ASP.NET or Microsoft ASP.NET Core
• Development Environment: Microsoft Visual Studio 2017
• Server Side Programming Language: Microsoft C#
• Database: Microsoft SQL Server (supported version by Microsoft)
• Web Server Software: Microsoft IIS

Minimum Browser Standards

Web applications must function and display properly in the browser versions that are listed on the Minimum Web Browser Requirements page.

Web applications must be thoroughly tested in all required browser versions.

Responsive

Public facing web applications must be responsive. The application must resize correctly and be functional on mobile devices.

Tables for Layout

Tables used for the purpose of positioning content on a web page are not allowed.  The only exception is the use of layout tables for .NET radio button and checkbox control lists.  Refer to the Design Standards for the CDE Internet and Intranet Web sites or the External Web Page and Application Design Standards for more information.

Navigation

Every web page in the application must have one or more links or control buttons that allow a user to navigate back and forth within the application without having to use the back button or other browser navigation functionality.

Validation of Form Input Fields

Form fields must be validated to ensure required fields are completed, numeric fields have numeric data, and data input is properly formatted (e.g., date, email address).

Exception Handling in Server-side Code

Code exceptions must be handled in a user-friendly manner by displaying a custom error page that does not display information such as database object names or source code.

ASP.NET applications must use <customErrors mode=”RemoteOnly”> in the web.config file so detailed errors are not displayed to the user.

Input Buttons

Use standard input/submit buttons instead of image buttons.  For example, do not use the IMG tag with surrounding A HREF and JavaScript for an input button, such as:

<a href="javascript:document.form_name.submit();"><img src="image_name.extension"></a>

The HTML Label Tag

The HTML Label tag must be used to associate a text description to a form field.

HTML Code Validation

The HTML code in all web applications must be valid via a reputable validation technique, such as W3C or by using the HTML Validator Firefox add-on .

Input Textbox Display Width

Textbox input controls in a web form must have properties set for display width and maximum input characters.

Javascript Usage

The use of Javascript is allowed for client-side data validation and manipulation as long as the script is invoked as a result of a user action (i.e., button selection, dropdown selection, movement to another form field, etc.).

AJAX

AJAX elements can be included as long as there is an equivalent non-AJAX alternative that produces the same results or provides the same functionality.

System/Application Names

System/application names should name the system or describe the purpose of the system. They should not include reference to previous systems or terms related to the development of the system. For example, do not use terms in system titles, such as: Update, Redevelopment, Redesign, or Replacement. These are suitable for proof-of-concept and testing systems only. For example, don't title finished systems:

• Grant System Update
• Redesigned Demographic Reporting
• Replacement of the District Notification Tool

Items Specific to the Required CDE Development Environment (i.e., ASP.NET, Visual Basic/C#, SQL)

Post Compiled DLLs Only

ASP.Net code-behind files (e.g., .aspx.vb) must not be posted to a production web server. Instead the code-behind files must be compiled into DLL files using Visual Studio's Publish feature.

Database Standards

Microsoft SQL Server (supported version by Microsoft) is required if a database is used.  Additionally, the following requirements apply to all database-backed web applications.

• Use Microsoft SQL database objects (stored procedures, views, functions, etc.) when the application accesses the database to prevent any potential application security vulnerabilities. 
• The application SQL logon must be granted the minimum rights to execute or select the necessary database objects to communicate with the database (i.e., execute on a specific stored procedure.)
• The application SQL logon cannot have direct access (read, insert, update, etc.) to database tables.

CDE Web Applications Only

Mixed-case Filenames

Source files for web applications may contain mixed-case filenames.  However, when linking or redirecting to files, specify lowercase filenames to ensure that all visible URLs use all lowercase characters.

System-wide CSS and Header/Footer Include Files

System-wide CSS, header/footer include, and image files should be used for web applications hosted on CDE web servers.

Last Modified Date

Use of the term “Last Modified” (as used on CDE web pages on CDE's primary website) is not allowed in CDE web applications. In a web application, the term does not clearly indicate what was modified (the application, the page, the data?).  However, dates can be relevant if the web page displays date-sensitive information, or where the report date may be valuable to users.  Examples of appropriate dates on web application pages include:

• Report run on November 18, 2022
• Data updated on November 18, 2022

Compiling the Web Application to be Updatable

When compiling an ASP.NET web application in Microsoft Visual Studio, the application must be compiled as updatable. To accomplish this, when publishing the web application, select the checkbox entitled "Allow this precompiled site to be updatable." This approach ensures that the application code will continue to reference the system-wide include, CSS, and image files on the hosting server.