ASP.NET Coding Standards

General

| No. | Standard | Source |
|-----|----------|--------|
| 1 | AJAX programming, controls, and frameworks are not to be used | 1 |
| 2 | Web site is partitioned into restricted areas (protected using SSL) and public areas | 2 |

Presentation Layer

| No. | Standard | Source |
|-----|----------|--------|
| 3 | Code-behind files are used rather than inline server-side script blocks | 1 |
| 4 | Code-behind files are not used as a container for Business Logic and/or Data Access Logic | 2 |
| 5 | Master Pages are used as a means to create a consistent layout for web applications | 1 |
| 6 | Commonly used page elements are separated into Web User Controls and/or Web Custom Controls | 2 |
| 7 | Web site is fully-functional when JavaScript is disabled in the browser | 1 |

Input Validation

| No. | Standard | Source |
|-----|----------|--------|
| 8 | Server-side validation is performed on all user inputs from sources such as HTML controls, Query String, and Cookies | 1 |
| 9 | Input form field values are retained when form is redisplayed to the user after input validation fails | 1 |

Data Access

| No. | Standard | Source |
|-----|----------|--------|
| 10 | Data paging is used for unbounded or long lists of data | 1 |

Caching

| No. | Standard | Source |
|-----|----------|--------|
| 11 | Data that is frequently used but changes infrequently is cached using ASP.NET Caching | 2 |
| 12 | Pooled resources (e.g. Database connections) are not cached | 1 |
| 13 | Sensitive data is not cached using ASP.NET caching or Application state | 1 |

State Management

| No. | Standard | Source |
|-----|----------|--------|
| 14 | Sensitive information such as passwords and connection strings is not stored in any client-side state | 1 |
| 15 | Web site is fully-functional when cookies are disabled in the browser | 1 |
| 16 | Session State is disabled for web applications and only enabled for individual pages that require it | 2 |
| 17 | View State is disabled for web applications and only enabled for individual controls that require it | 2 |
| 18 | View State is not enabled for data bound controls such as drop-down lists, check box lists, grid views, repeaters, etc. | 2 |
| 19 | The DataGrid server control is not used | 1 |
| 20 | Objects are not stored in the session state | 2 |
| 21 | Application state is only used for sharing application-wide read-only data for all clients | 2 |

Exception Handling

| No. | Standard | Source |
|-----|----------|--------|
| 22 | HTTP error codes are handled using custom error reporting pages | 2 |
| 23 | Unhandled exceptions are caught using an application-level global error handler | 1 |

Configuration

| No. | Standard | Source |
|-----|----------|--------|
| 24 | Configurable application settings are stored in the web application's Web.config file | 1 |
| 25 | Request validation is enabled to prevent scripting attacks | 1 |
| 26 | Page output buffering is enabled | 2 |
| 27 | ASP.NET tracing and debugging are disabled | 1 |
| 28 | Database connection string should be encrypted | 1 |
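
As an added example (not part of the original standard), the Python script below audits a Web.config against the standards that map to site-level configuration attributes (16, 17, 22, 25, 26, 27 and 28). Both sample files are constructed, and the mapping of each standard to an attribute and its framework default is this example's assumption; it also assumes the root element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed samples: WEAK breaks several standards, HARDENED meets them.
WEAK = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;User Id=app;Password=example" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""
HARDENED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <pages enableViewState="false" enableSessionState="false" />
  </system.web>
</configuration>"""

# (standard no., element under system.web, attribute, ASP.NET default, required)
RULES = [
    (16, "pages", "enableSessionState", "true", "false"),
    (17, "pages", "enableViewState", "true", "false"),
    (25, "pages", "validateRequest", "true", "true"),
    (26, "pages", "buffer", "true", "true"),
    (27, "compilation", "debug", "false", "false"),
    (27, "trace", "enabled", "false", "false"),
]

def audit(xml_text):
    """Return the sorted standard numbers that this Web.config violates."""
    root = ET.fromstring(xml_text)
    failed = set()
    for std, elem, attr, default, required in RULES:
        node = root.find("system.web/" + elem)
        # A missing element or attribute means the framework default applies.
        value = default if node is None else node.get(attr, default)
        if value.lower() != required:
            failed.add(std)
    errors = root.find("system.web/customErrors")
    if errors is None or errors.get("mode", "RemoteOnly").lower() == "off":
        failed.add(22)  # custom error pages are absent or switched off
    if root.find("connectionStrings/add") is not None:
        failed.add(28)  # readable <add> entries mean the section is not encrypted
    return sorted(failed)
```

Standards 16 and 17 allow individual pages and controls to re-enable session or view state through their own directives, which this site-level check does not inspect.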
