Department of Education and Early Childhood Development (DEECD)

ASP.NET Coding Standards

General

| No. | Standard | Source |
| --- | --- | --- |
| 1 | AJAX programming, controls, and frameworks are not to be used | 1 |
| 2 | Web site is partitioned into restricted areas (protected using SSL) and public areas | 2 |

Presentation Layer

| No. | Standard | Source |
| --- | --- | --- |
| 3 | Code-behind files are used rather than inline server-side script blocks | 1 |
| 4 | Code-behind files are not used as a container for Business Logic and/or Data Access Logic | 2 |
| 5 | Master Pages are used as a means to create a consistent layout for web applications | 1 |
| 6 | Commonly used page elements are separated into Web User Controls and/or Web Custom Controls | 2 |
| 7 | Web site is fully-functional when JavaScript is disabled in the browser | 1 |

Input Validation

| No. | Standard | Source |
| --- | --- | --- |
| 8 | Server-side validation is performed on all user inputs from sources such as HTML controls, Query String, and Cookies | 1 |
| 9 | Input form field values are retained when form is redisplayed to the user after input validation fails | 1 |

Data Access

| No. | Standard | Source |
| --- | --- | --- |
| 10 | Data paging is used for unbounded or long lists of data | 1 |

Caching

| No. | Standard | Source |
| --- | --- | --- |
| 11 | Data that is frequently used but changes infrequently is cached using ASP.NET Caching | 2 |
| 12 | Pooled resources (e.g. Database connections) are not cached | 1 |
| 13 | Sensitive data is not cached using ASP.NET caching or Application state | 1 |

State Management

| No. | Standard | Source |
| --- | --- | --- |
| 14 | Sensitive information such as passwords and connection strings is not stored in any client-side state | 1 |
| 15 | Web site is fully-functional when cookies are disabled in the browser | 1 |
| 16 | Session State is disabled for web applications and only enabled for individual pages that require it | 2 |
| 17 | View State is disabled for web applications and only enabled for individual controls that require it | 2 |
| 18 | View State is not enabled for data bound controls such as drop-down lists, check box lists, grid views, repeaters, etc. | 2 |
| 19 | The DataGrid server control is not used | 1 |
| 20 | Objects are not stored in the session state | 2 |
| 21 | Application state is only used for sharing application-wide read-only data for all clients | 2 |
21. Application state is only used for sharing application-wide read-only data for all clients 2

Exception Handling

| No. | Standard | Source |
| --- | --- | --- |
| 22 | HTTP error codes are handled using custom error reporting pages | 2 |
| 23 | Unhandled exceptions are caught using an application-level global error handler | 1 |

Configuration

| No. | Standard | Source |
| --- | --- | --- |
| 24 | Configurable application settings are stored in the web application's Web.config file | 1 |
| 25 | Request validation is enabled to prevent scripting attacks | 1 |
| 26 | Page output buffering is enabled | 2 |
| 27 | ASP.NET tracing and debugging are disabled | 1 |
| 28 | Database connection string should be encrypted | 1 |
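
An added example, not part of the DEECD standard: a short Python audit that reads a Web.config and reports which of standards 22 and 25 to 28 it fails, falling back to the ASP.NET default when an attribute is absent. The two sample configs, the `audit` function, the `AppDb` name and `~/Error.aspx` are constructed for illustration, and accepting `RemoteOnly` for standard 22 is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config that breaks several of the Configuration standards.
WEAK = """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db;Database=app;User Id=app;Password=example" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

# Constructed compliant sample; the encrypted section's cipher text is left out.
HARDENED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData />
  </connectionStrings>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <pages validateRequest="true" buffer="true" />
  </system.web>
</configuration>"""

# (standard no., element under system.web, attribute, ASP.NET default, accepted values)
# Assumption: RemoteOnly counts as meeting standard 22, since remote users get custom pages.
RULES = [
    (22, "customErrors", "mode", "RemoteOnly", {"on", "remoteonly"}),
    (25, "pages", "validateRequest", "true", {"true"}),
    (26, "pages", "buffer", "true", {"true"}),
    (27, "compilation", "debug", "false", {"false"}),
    (27, "trace", "enabled", "false", {"false"}),
]

def audit(config_xml):
    """Return the sorted standard numbers that a Web.config text fails."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    failed = set()
    for std, element, attr, default, accepted in RULES:
        node = web.find(element) if web is not None else None
        value = default if node is None else node.get(attr, default)
        if value.lower() not in accepted:
            failed.add(std)
    conn = root.find("connectionStrings")
    # Standard 28: plain <add> entries mean the section was never encrypted.
    if conn is not None and conn.find("add") is not None:
        failed.add(28)
    return sorted(failed)
```
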
