Common web page requirements

This is a list of implied requirements recommended for all web pages.

  • Page should render properly in all supported browsers. Identical is not required, but equivalent is.
  • Client-side code (JavaScript) must execute properly in all supported browsers.
  • Site visitors must be alerted if they attempt to navigate away from the page without saving their changes, or if the session has timed out and their changes have already been lost.
  • If AJAX is used, authentication and access control must be applied to every request, not only to full page loads. The client must handle the server's responses to an authentication or authorization failure gracefully.
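The following is an added example, not code from the original page, showing a deny-by-default dispatcher for AJAX endpoints: the session is checked before the route is even looked up, every endpoint is registered with the role it needs, and the client-side mapping shows what "handle gracefully" means for 401 and 403. The session store, route table and role names are constructed for the example.

```python
import json

# Constructed in-memory session store: session id -> user record.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "editor", "expired": False},
    "sess-bob": {"user": "bob", "role": "viewer", "expired": False},
    "sess-old": {"user": "carol", "role": "editor", "expired": True},
}

# Every AJAX endpoint is listed with the role it needs. A request for a path
# that is not listed is refused, so an unregistered handler cannot be reached.
ROUTES = {
    "/api/document/view": "viewer",
    "/api/document/save": "editor",
}
ROLE_RANK = {"viewer": 1, "editor": 2}


def json_response(status, payload):
    return {"status": status, "body": json.dumps(payload)}


def handle_ajax(path, session_id):
    """Authenticate, then authorise, before any endpoint logic runs."""
    session = SESSIONS.get(session_id)
    if session is None or session["expired"]:
        # 401: the session is missing or timed out; the client must re-login.
        return json_response(401, {"error": "not authenticated"})
    required = ROUTES.get(path)
    if required is None:
        return json_response(404, {"error": "unknown endpoint"})
    if ROLE_RANK[session["role"]] < ROLE_RANK[required]:
        # 403: authenticated, but this user may not perform this action.
        return json_response(403, {"error": "forbidden"})
    return json_response(200, {"ok": True, "user": session["user"]})


def client_action(response):
    """What the browser side should do with each outcome: keep the draft and
    re-authenticate on 401, tell the user the action is not permitted on 403."""
    return {
        401: "keep unsaved draft locally and prompt for login",
        403: "show 'not permitted' message; do not discard the draft",
        404: "report an application error",
    }.get(response["status"], "apply server result")


if __name__ == "__main__":
    for sid in ("sess-alice", "sess-bob", "sess-old", None):
        r = handle_ajax("/api/document/save", sid)
        print(sid, r["status"], "->", client_action(r))
```

Checking the session before the route lookup means an unauthenticated caller learns nothing about which endpoints exist, and the expired-session branch is what lets the client warn the user that unsaved changes will be lost rather than silently failing.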
  • The client must validate the data fully before submitting it to the server, and should alert the user during entry if data is invalid. Think Dojo.
  • The server must perform appropriate escaping on all incoming data to avoid SQL injection and command-line injection. The server should validate data with the same criteria as the client, since form data can be modified before it reaches the server.
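As an added example (not the page's own code), the block below defines the validation criteria once so the same rules can drive both the form and the server, then stores the record with a parameterised query. Placeholders are the concrete form of "appropriate escaping" for SQL: the values travel separately from the statement text, so a quote or semicolon in a field stays data. The field names, rules and the SQLite schema are constructed for the example.

```python
import re
import sqlite3

# Validation criteria defined once; the same table would drive the client-side
# checks so the server never accepts something the form would have rejected.
FIELD_RULES = {
    "username": {"max_len": 32, "pattern": re.compile(r"^[A-Za-z0-9_]+$")},
    "email": {"max_len": 254, "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "display_name": {"max_len": 64, "pattern": re.compile(r"^[^\x00-\x1f]*$")},
}


def validate(form):
    """Return a dict of field -> error message; empty means the form is clean."""
    errors = {}
    for field, rule in FIELD_RULES.items():
        value = form.get(field)
        if not isinstance(value, str) or not value:
            errors[field] = "required"
        elif len(value) > rule["max_len"]:
            errors[field] = "too long"
        elif not rule["pattern"].match(value):
            errors[field] = "invalid characters"
    return errors


def open_db():
    """Constructed schema for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "email TEXT UNIQUE, display_name TEXT)"
    )
    return conn


def create_user(conn, form):
    """Validate server-side, then insert with a parameterised query."""
    errors = validate(form)
    if errors:
        return errors
    # Placeholders hand the values to SQLite separately from the SQL text,
    # so a quote or semicolon in the input is data, never part of a statement.
    conn.execute(
        "INSERT INTO users (username, email, display_name) VALUES (?, ?, ?)",
        (form["username"], form["email"], form["display_name"]),
    )
    return {}


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = open_db()
    # Constructed display name containing a quote and a semicolon: stored verbatim.
    print(create_user(db, {"username": "bob", "email": "b@example.com",
                           "display_name": "x'); DROP TABLE users; --"}))
    print(table_names(db))
```

The display-name rule deliberately allows punctuation, because the query parameters, not the character whitelist, are what keep the statement intact; the whitelist on the username is a business rule, not the injection defence.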
  • User passwords should never be sent to the browser. Password recovery should be performed by generating a new password and emailing it to the account holder. User email addresses must be unique to support this.
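An added example (not from the original page) of the password-recovery rule as stated: a fresh random password is generated, only a salted hash is stored, the plaintext is returned solely for the mail sender, and the email column is UNIQUE so "the account holder" is unambiguous. The schema, the PBKDF2 iteration count and the helper names are assumptions made for the example.

```python
import hashlib
import secrets
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the server's CPU budget


def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def open_db():
    """Constructed schema; UNIQUE on email makes the recovery target unambiguous."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE, "
        "salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn, email, password):
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (email, salt, digest) VALUES (?, ?, ?)", (email, salt, digest)
    )


def recover_password(conn, email):
    """Generate a new password, store only its hash, and return the plaintext
    for the mail sender. Returns None for an unknown address so the HTTP
    response can be identical whether or not the account exists."""
    row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    new_password = secrets.token_urlsafe(12)
    salt, digest = hash_password(new_password)
    conn.execute(
        "UPDATE users SET salt = ?, digest = ? WHERE id = ?", (salt, digest, row[0])
    )
    return new_password


def login(conn, email, password):
    row = conn.execute("SELECT salt, digest FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0], row[1])


if __name__ == "__main__":
    db = open_db()
    register(db, "alice@example.com", "old-password")
    temp = recover_password(db, "alice@example.com")
    print("send by email only:", temp)
    print("old password still valid:", login(db, "alice@example.com", "old-password"))
    print("new password valid:", login(db, "alice@example.com", temp))
```

The plaintext leaves `recover_password` once, to the mailer; nothing in the database or in any browser response ever contains it, which is the property the requirement is asking for.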
  • Options which are unavailable should be displayed differently from those that are available; ideally they should not be displayed at all. Inputs which cannot be modified should be displayed in such a way that the user understands the information cannot be changed.
  • Layout should be managed primarily with CSS.
  • Colors should be specified in a separate CSS file to allow the color scheme to change quickly.
  • The majority of the layout should use divs, with tables used where appropriate.
  • Only those files required to display the page should be delivered with it. Pages with complex CSS requirements should be supported with dedicated CSS files which are loaded only with that page. The same is true for JavaScript. Those files should be cached at the client.
  • Care must be taken to ensure that configuration data, particularly access information such as the database name, username, and password, cannot be displayed through a browser or made visible to unauthorized users.