Web Application Development Standards
Web applications developed for the California Department of Education (CDE) must adhere to specific standards pertaining to security, consistency, functionality, and look and feel.
The following Web Application Development Standards are divided into two sections: All Web Applications, which applies to all web applications developed, procured, or maintained for CDE, and CDE Web Applications Only, which additionally applies to those applications that are considered to be part of the CDE’s own websites. Usually, CDE web applications have a look and feel that is the same as or similar to that of the CDE website.
Visit the CDE Web Standards to determine if these standards apply to a specific Web product and to determine which other Web standards might apply.
All Web Applications
Web applications must meet the following general standards:
- Must be easy and intuitive to use for the target audience.
- Must function in a logical manner for the target audience.
- Must use styles that are consistent throughout the application and within the associated website, including:
  - The use of capitalization (e.g., title case vs. sentence case).
  - The use of punctuation (e.g., consistent use/no use of colons on labels).
  - Error messages must appear in a consistent location and style.
  - Consistent use of any web document notations (e.g., PDF, DOC, etc.).
  - Layout/spacing (e.g., the space between a field label and input control).
  - Descriptive metadata titles and descriptions.
- Must adhere to industry best practices.
- Form controls that are not available must be hidden--no use of inactive controls.
Development Technology, Programming Language, and Web Server Software
Web applications require the use of the following (or higher) technologies:
- Framework: Microsoft ASP.NET 4.7 or Microsoft ASP.NET Core 3.1
- Development Environment: Microsoft Visual Studio 2017
- Server Side Programming Language: Microsoft Visual Basic 2017 or C# (C-sharp) Version 7.0
- Database: Microsoft SQL 2016
- Web Server Software: Microsoft IIS 8.0
Minimum Browser Standards
Web applications must function and display properly in the browser versions that are listed on the Minimum Web Browser Requirements page.
Web applications must be thoroughly tested in all required browser versions.
Public facing web applications must be responsive. The application must resize correctly and be functional on mobile devices.
Tables for Layout
Tables used for the purpose of positioning content on a web page are not allowed. The only exception is the use of layout tables for .NET radio button and checkbox control lists. Refer to the Design Standards for the CDE Internet and Intranet Web sites or the External Web Page and Application Design Standards for more information.
Every web page in the application must have one or more links or control buttons that allow a user to navigate back and forth within the application without having to use the back button or other browser navigation functionality.
Validation of Form Input Fields
Form fields must be validated to ensure required fields are completed, numeric fields have numeric data, and data input is properly formatted (e.g., date, email address).
Exception Handling in Server-side Code
Code exceptions must be handled in a user-friendly manner by displaying a custom error page that does not display information such as database object names or source code.
ASP.NET applications must use <customErrors mode="RemoteOnly"> in the web.config file so detailed errors are not displayed to the user.
The HTML Label Tag
The HTML Label tag must be used to associate a text description to a form field.
HTML Code Validation
Input Textbox Display Width
Textbox input controls in a web form must have properties set for display width and maximum input characters.
AJAX elements can be included as long as there is an equivalent non-AJAX alternative that produces the same results or provides the same functionality.
System/application names should name the system or describe the purpose of the system. They should not include reference to previous systems or terms related to the development of the system. For example, do not use terms in system titles, such as: Update, Redevelopment, Redesign, or Replacement. These are suitable for proof-of-concept and testing systems only. For example, don't title finished systems:
- Grant System Update
- Redesigned Demographic Reporting
- Replacement of the District Notification Tool
Items Specific to the Required CDE Development Environment (i.e., ASP.NET, Visual Basic/C#, SQL)
Post Compiled DLLs Only
ASP.NET code-behind files (e.g., .aspx.vb) must not be posted to a production web server. Instead, the code-behind files must be compiled into DLL files using Visual Studio's Publish feature.
Microsoft SQL 2016 is required if a database is used. Additionally, the following requirements apply to all database-backed web applications.
- Use Microsoft SQL database objects (stored procedures, views, functions, etc.) when the application accesses the database to prevent any potential application security vulnerabilities.
- The application SQL logon must be granted the minimum rights to execute or select the necessary database objects to communicate with the database (i.e., execute on a specific stored procedure).
- The application SQL logon cannot have direct access (read, insert, update, etc.) to database tables.
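The three database requirements above, shown together as an added T-SQL example (not CDE's own code): the application reaches a table only through stored procedures, and its database user holds EXECUTE on those procedures and no rights on the table. The table, procedure, role, and user names are hypothetical, and `grant_web_user` is a loginless stand-in for the application's SQL logon.

```sql
-- Constructed example: every object, role and user name here is hypothetical.
CREATE TABLE dbo.GrantApplication (
    ApplicationId INT IDENTITY(1,1) PRIMARY KEY,
    DistrictCode  CHAR(7)       NOT NULL,
    ContactEmail  NVARCHAR(254) NOT NULL,
    SubmittedOn   DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- The application reaches the table only through these procedures.
-- Static, parameterized SQL (no dynamic SQL), so ownership chaining applies.
CREATE PROCEDURE dbo.usp_GrantApplication_Insert
    @DistrictCode CHAR(7),
    @ContactEmail NVARCHAR(254)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.GrantApplication (DistrictCode, ContactEmail)
    VALUES (@DistrictCode, @ContactEmail);
END;
GO

CREATE PROCEDURE dbo.usp_GrantApplication_GetByDistrict
    @DistrictCode CHAR(7)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ApplicationId, DistrictCode, SubmittedOn
    FROM dbo.GrantApplication
    WHERE DistrictCode = @DistrictCode;
END;
GO

-- The role carries the application's rights: EXECUTE on two procedures, nothing on the table.
CREATE ROLE app_grant_web;
GRANT EXECUTE ON OBJECT::dbo.usp_GrantApplication_Insert TO app_grant_web;
GRANT EXECUTE ON OBJECT::dbo.usp_GrantApplication_GetByDistrict TO app_grant_web;
CREATE USER grant_web_user WITHOUT LOGIN;  -- stand-in for the application's SQL logon
ALTER ROLE app_grant_web ADD MEMBER grant_web_user;
GO

-- Audit the effective rights while impersonating the application user.
EXECUTE AS USER = 'grant_web_user';
SELECT HAS_PERMS_BY_NAME('dbo.usp_GrantApplication_Insert', 'OBJECT', 'EXECUTE') AS CanExecProc,
       HAS_PERMS_BY_NAME('dbo.GrantApplication', 'OBJECT', 'SELECT') AS CanSelectTable;
REVERT;
```

Because the procedures and the table share an owner, SQL Server does not check the caller's table permissions when the procedure runs. A procedure that builds and executes dynamic SQL breaks that chain and would need direct table rights, which the requirements above forbid.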
CDE Web Applications Only
Source files for web applications may contain mixed-case filenames. However, when linking or redirecting to files, specify lowercase filenames to ensure that all visible URLs use all lowercase characters.
System-wide CSS and Header/Footer Include Files
System-wide CSS, header/footer include, and image files should be used for web applications hosted on CDE web servers.
Last Modified Date
Use of the term “Last Modified” (as used on CDE web pages on CDE's primary website) is not allowed in CDE web applications. In a web application, the term does not clearly indicate what was modified (the application, the page, the data?). However, dates can be relevant if the web page displays date-sensitive information, or where the report date may be valuable to users. Examples of appropriate dates on web application pages include:
- Report run on November 18, 2008
- Data updated on November 18, 2008
Compiling the Web Application to be Updatable
When compiling an ASP.NET web application in Microsoft Visual Studio, the application must be compiled as updatable. To accomplish this, when publishing the web application, select the checkbox entitled "Allow this precompiled site to be updatable." This approach ensures that the application code will continue to reference the system-wide include, CSS, and image files on the hosting server.