Web Application Security Standards

Visit the CDE Web Standards to determine if these standards apply to a specific Web product that is being developed and to determine which other standards might apply.

Application-level Security

Web applications will be secured from "SQL Injection Attacks" where the attacker enters SQL commands into Web form input fields or URL querystrings to try to manipulate the SQL statement being sent to and from the database. The following methods to avoid SQL injection attacks should be used:
- Use of parameterized queries or stored procedures to access a database as opposed to using string concatenation
- Limit the amount of characters in Web form input fields and URL querystrings to a proper amount
- Validate text input and URL querystrings for improper characters (e.g. apostrophe, dash)
- Do not display errors to the user that contain information about the database or actual source code
ASP.Net Web applications must be secured from "Cross Site Scripting" (XSS) attacks. To accomplish this, developers must ensure that the ASP.Net "validateRequest" Page directive is set to True (the default setting) so that users of the application are prevented from entering HTML or JavaScript code into Web forms. Request Validation - Preventing Script Attacks is a white paper that provides excellent information on this issue.

Data Transmission Security

When confidential or sensitive data is passed between the end-user and the Web server, the HTTPS (SSL over HTTP) protocol will be used. SSL provides server authentication, data encryption ("over the wire"), and data transmission integrity. The SSL certificate used on the Web server will need to be "trusted" by the Web browsers listed on the CDE’s Minimum Web Browser Requirement Web page.

Database Security

Web applications should use minimum privileges to access database objects (i.e. tables, views, stored procedures). For example, if the Web application needs read-only access to a specific database table, the database permissions should be set accordingly as opposed to giving the Web application "admin or owner" rights to the entire database.
Individual database fields storing confidential or sensitive data (e.g. passwords, social security number) must be stored using encryption techniques.

Password Requirements (updated 15-Aug-2022)

Passwords whether created by application developers, administrators, or users must meet or be required through validation to meet all of the following parameters for all modern hosts, devices, and non-priviledged accounts:

Minimum length: No less than 15 characters
Entropy: Upper, lower, numeric, and special character [required] enforcement
Lifetime: No minimum password lifetime
Account lockout attempts:
- After the 5th invalid attempt (Azure, AWS, External Directory Service)
- After the 10th invalid attempt (On Premises Directory Services or Local host)
Account lockout period: 120 minutes

Questions: Web Services Office | tsdweb@cde.ca.gov

Last Reviewed: Monday, August 15, 2022

Trending in Department Information

Recently Posted in Department Information

State Leadership Accountability Act 2023 (added 25-Apr-2024)
The State Leadership Accountability Act (SLAA) requires state agencies to maintain effective systems of internal control and to biennially report on the adequacy of the agency’s systems of internal control.
Assistant Field Representative (School Admin) (added 15-Apr-2024)
Examination Bulletin for the Assistant Field Representative, School Administration in the California Department of Education.
Field Representative, School Admin (Specialist) (added 15-Apr-2024)
Examination Bulletin for the Field Representative, School Administration (Specialist) in the California Department of Education.
Survey Participant or Survey Quota Met (added 12-Mar-2024)
General information page for surveys where respondents have exceeded at participant or quota limit.