Web products specification

All products for NHS Digital must meet minimum standards, and this page sets out the acceptance criteria suppliers must follow. The same standards are also written in plain English on our standards for web products page.

Security standards

All products developed for NHS Digital must meet the following security standards.

| Topic | Required | Description |
| --- | --- | --- |
| Use HTTPS | must | All sites must use HTTPS protocols |
| Use TLS 1.2 or higher | must | All sites must only use the TLS 1.2 and/or TLS 1.3 security protocols. Lower standards must not be supported |
| Use secure ciphers | must | All TLS ciphers must be strong, and must not appear on lists of weak ciphers |
| Anti-virus for user uploads | must | Where users can upload files to the service, the files must be run through an agreed server-side anti-virus package, suitably set up to detect threats for the expected types of file |
| Security headers | must | Sites must have headers for Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, cross-site scripting protection (X-XSS-Protection) and X-Content-Type-Options present and set at a suitable level |
| Desirable security headers | should | Sites should have security headers for a Referrer-Policy and a Feature-Policy, and could have an Expect-CT header |
| Anti-virus for author uploads | should | Where staff can upload files to the service, the files should be run through an agreed server-side anti-virus package, suitably set up to detect threats for the expected types of file |
| Restrict file types | should | Where uploads are allowed, the file types should be restricted to only those types of file that are expected |
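The security header rows above are the ones a supplier can check on every response before hand-over. The following is an added example of such a check, not NHS Digital's own tooling: it audits a response's header set against the must / should / could rows and reports missing or weakly configured headers. The sample header dictionaries are constructed for the demo, and the "suitable level" thresholds (HSTS max-age of at least a year with includeSubDomains, no 'unsafe-inline' or 'unsafe-eval' in the CSP, a Referrer-Policy that does not leak full URLs) are this example's assumptions, since the specification does not define them.

```python
"""Audit HTTP response headers against the NHS Digital security header rows.

Added example, not NHS Digital's own code. Thresholds for "a suitable level"
are this example's assumptions; the sample responses are constructed.
"""
import re
from typing import Dict, List

MUST_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
]
SHOULD_HEADERS = ["Referrer-Policy", "Feature-Policy"]
COULD_HEADERS = ["Expect-CT"]

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_header_value(name: str, value: str) -> List[str]:
    """Findings for a header that is present but weakly set (empty = acceptable)."""
    findings: List[str] = []
    n, v = name.lower(), value.lower()
    if n == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in v:
            findings.append("HSTS missing includeSubDomains")
    elif n == "content-security-policy":
        if "default-src" not in v:
            findings.append("CSP has no default-src fallback")
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            findings.append("CSP allows unsafe-inline/unsafe-eval")
    elif n == "x-frame-options":
        if v not in ("deny", "sameorigin"):
            findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    elif n == "x-content-type-options":
        if v != "nosniff":
            findings.append("X-Content-Type-Options should be nosniff")
    elif n == "referrer-policy":
        if v in ("unsafe-url", "no-referrer-when-downgrade"):
            findings.append("Referrer-Policy leaks full URLs to other origins")
    return findings


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Group findings by the spec's own levels: must (blocking), should, info."""
    h = _normalise(headers)
    report: Dict[str, List[str]] = {"must": [], "should": [], "info": []}
    for level, names in (("must", MUST_HEADERS), ("should", SHOULD_HEADERS)):
        for name in names:
            if name.lower() not in h:
                report[level].append(f"missing {name}")
            else:
                report[level].extend(
                    f"{name}: {f}" for f in check_header_value(name, h[name.lower()])
                )
    for name in COULD_HEADERS:
        if name.lower() not in h:
            report["info"].append(f"missing {name}")
    return report


def passes(headers: Dict[str, str]) -> bool:
    """True when no 'must' row is violated."""
    return not audit(headers)["must"]


# Constructed sample: HSTS set for a day only, CSP permits inline script,
# no X-XSS-Protection and none of the desirable headers.
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample that satisfies every must and should row.
SAMPLE_GOOD = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "feature-policy": "geolocation 'none'; camera 'none'",
}

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(label, "passes" if passes(sample) else "FAILS", audit(sample))
```

In a delivery pipeline the header dictionary would come from a real response to each page of the service; the audit is deliberately independent of how the response was fetched so it can run against captured headers offline.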
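The "Restrict file types" and anti-virus rows are usually implemented together at the upload boundary. The following is an added example, not NHS Digital's or any supplier's code, of restricting uploads to the expected types by checking the file's leading bytes against an allow-list rather than trusting the client-supplied file name or Content-Type. The allow-list, the sample byte strings and the `demo_scan` stand-in for the anti-virus package are all constructed for the demo; a real deployment would call the agreed server-side scanner through the same hook.

```python
"""Restrict uploads to expected file types using magic bytes, then scan.

Added example, not NHS Digital's own code. ALLOWED_TYPES, the sample files and
demo_scan are constructed for illustration; demo_scan stands in for the agreed
anti-virus package the specification requires.
"""
import os
from typing import Callable, Dict, Optional, Tuple

# Expected extension -> byte prefixes (magic numbers) acceptable for it.
# Constructed allow-list for a service that only expects documents and images.
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

Scanner = Callable[[bytes], bool]  # returns True when the content is clean


def sniff_type(data: bytes) -> Optional[str]:
    """Return the first allow-listed extension whose magic prefix matches."""
    for ext, prefixes in ALLOWED_TYPES.items():
        if any(data.startswith(p) for p in prefixes):
            return ext
    return None


def validate_upload(filename: str, data: bytes,
                    scan: Optional[Scanner] = None) -> Tuple[bool, str]:
    """Accept only files whose name AND content are an expected type.

    The client-supplied name and Content-Type are untrusted; the decision is
    made on the bytes actually received. If a scanner is supplied it runs
    last, so only files of an expected type reach the anti-virus engine.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not an expected file type"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content does not match any allowed file type"
    # Compare against the prefixes for the claimed extension (not the sniffed
    # name) so .jpg and .jpeg, which share a signature, both pass.
    if not any(data.startswith(p) for p in ALLOWED_TYPES[ext]):
        return False, f"content looks like {sniffed} but the name says {ext}"
    if scan is not None and not scan(data):
        return False, "rejected by anti-virus scan"
    return True, "accepted"


# Constructed stand-in for the server-side anti-virus package: flags a marker
# string that exists only in this demo.
BAD_MARKER = b"CONSTRUCTED-BAD-MARKER"


def demo_scan(data: bytes) -> bool:
    return BAD_MARKER not in data


# Constructed sample uploads.
PDF_BYTES = b"%PDF-1.7\n%constructed sample document\n"
PNG_BYTES = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
EXE_BYTES = b"MZ\x90\x00constructed"
GIF_BYTES = b"GIF89a\x01\x00\x01\x00"

if __name__ == "__main__":
    cases = [
        ("report.pdf", PDF_BYTES),      # expected type, content matches
        ("report.pdf", PNG_BYTES),      # renamed image
        ("tool.exe", EXE_BYTES),        # unexpected extension
        ("photo.png", GIF_BYTES),       # unexpected content
        ("notes.pdf", PDF_BYTES + BAD_MARKER),  # scanner rejects
    ]
    for name, data in cases:
        print(name, validate_upload(name, data, scan=demo_scan))
```

Checking the claimed extension against the sniffed content, rather than either alone, is what stops a renamed file of an unexpected type from reaching the anti-virus engine or the rest of the service.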

Penetration testing

All products developed for NHS Digital must meet the following penetration testing standards.

| Topic | Required | Description |
| --- | --- | --- |
| Pentest by correct supplier | must | Services must have undergone testing by a CREST or CHECK approved pentest supplier |
| Supply pentest results | must | Suppliers must provide the results of the penetration test to NHS Digital, including a remediation plan. They may redact data which exposes their intellectual property, where this does not impact the sharing of the results |
| White box testing | should | All pentests should be static application security tests ("white box") where the penetration testers have access to the source code, unless there are strong reasons not to, which are agreed with NHS Digital |
| Test infrastructure | should | The infrastructure for any application should also have undergone pentesting in the six months prior to the application testing, and the results should be provided to NHS Digital |

Valid HTML

All products developed for NHS Digital must meet the following code standards.

| Topic | Required | Description |
| --- | --- | --- |
| Pass validation | must | 100% of web pages must pass validation on the W3C Nu Validator (validator.w3.org) with no errors |
| Remediate warnings | must | Where warnings (not errors) are identified by the W3C Nu Validator, a remediation plan must be in place to fix the issues within 3 months of their being identified |
| No deprecated code | must | All code must comply with HTML5 standards, and will not contain deprecated code from a previous standard |

Accessibility

All products developed for NHS Digital must meet the following accessibility standards.

| Topic | Required | Description |
| --- | --- | --- |
| Meet AA standards | must | All services must meet the A and AA standards of the W3C WAI WCAG 2.1 guidance |
| Meet AAA standards | should | All services should meet the AAA standard of the W3C WAI WCAG 2.1 guidance |
| Use dyslexia friendly colour | should | All services should use the dyslexia-friendly background colours specified in the NHS.UK style guide, or an appropriate alternative meeting the AAA colour contrast of the WCAG 2.1 guidance |
| Skip links | must | All pages must have skip links in place |
| Labels and ARIA | must | All pages, forms, and elements must have suitable markup, including ARIA labels as appropriate |
| Keyboard accessibility | must | All pages must be fully navigable using a keyboard or other input device only |
| Plain English | must | Content provided must meet a reading age of 8-12, as demonstrated by the modal score calculated using the Flesch-Kincaid Reading Ease, Flesch-Kincaid Grade Level, Gunning-Fog, SMOG Index, Coleman-Liau Index, and Automated Readability Index (ARI) algorithms |
| JavaScript | will not | Pages will not use JavaScript except as a progressive enhancement, and pages will be fully functional with JavaScript disabled |
| No text in images | will not | Text will not be placed into image files, except where unavoidable, and where this is the case it should be placed as text within an SVG file |
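The Plain English row asks for a modal score across six readability algorithms, which is easy to misread as "run one tool". The following is an added example, not NHS Digital's own tooling, of how that check works end to end: it computes each named index with its standard published formula, rounds the five grade-level indices, takes the mode (ties resolved to the lowest grade) and converts the result to a reading age. The syllable counter is a simple vowel-group heuristic, the grade-to-age conversion (reading age = US grade + 5) is this example's assumption, and the sample sentences are constructed for the demo.

```python
"""Readability indices from the Plain English row, and their modal grade.

Added example, not NHS Digital's own tool. Formulas are the standard published
ones; the syllable heuristic and the grade-to-age offset (+5) are assumptions
of this example, and the sample text is constructed.
"""
import math
import re
from collections import Counter
from typing import Dict, List


def split_sentences(text: str) -> List[str]:
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def words_of(text: str) -> List[str]:
    return re.findall(r"[A-Za-z0-9']+", text)


def count_syllables(word: str) -> int:
    """Vowel-group heuristic: count runs of vowels, drop a trailing silent e."""
    w = word.lower()
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def text_stats(text: str) -> Dict[str, int]:
    words = words_of(text)
    syllables = [count_syllables(w) for w in words]
    return {
        "words": len(words),
        "sentences": max(len(split_sentences(text)), 1),
        "syllables": sum(syllables),
        "letters": sum(sum(c.isalnum() for c in w) for w in words),
        "complex_words": sum(1 for s in syllables if s >= 3),
    }


def indices(text: str) -> Dict[str, float]:
    """All six indices named in the specification, unrounded."""
    s = text_stats(text)
    wps = s["words"] / s["sentences"]          # words per sentence
    spw = s["syllables"] / s["words"]          # syllables per word
    lp100 = 100.0 * s["letters"] / s["words"]  # letters per 100 words
    sp100 = 100.0 * s["sentences"] / s["words"]
    poly = s["complex_words"]
    return {
        "flesch_reading_ease": 206.835 - 1.015 * wps - 84.6 * spw,
        "flesch_kincaid_grade": 0.39 * wps + 11.8 * spw - 15.59,
        "gunning_fog": 0.4 * (wps + 100.0 * poly / s["words"]),
        "smog": 1.0430 * math.sqrt(poly * 30.0 / s["sentences"]) + 3.1291,
        "coleman_liau": 0.0588 * lp100 - 0.296 * sp100 - 15.8,
        "ari": 4.71 * s["letters"] / s["words"] + 0.5 * wps - 21.43,
    }


# Reading Ease is a 0-100 score, not a grade, so it is excluded from the mode.
GRADE_INDICES = ("flesch_kincaid_grade", "gunning_fog", "smog", "coleman_liau", "ari")


def modal_grade(grades: List[float]) -> int:
    """Most common rounded grade; a tie resolves to the lowest grade."""
    counts = Counter(int(round(g)) for g in grades)
    best = max(counts.values())
    return min(g for g, c in counts.items() if c == best)


def reading_age(text: str) -> int:
    ix = indices(text)
    return modal_grade([ix[k] for k in GRADE_INDICES]) + 5  # assumed offset


def meets_plain_english(text: str, low: int = 8, high: int = 12) -> bool:
    return low <= reading_age(text) <= high


# Constructed sample content.
SAMPLE = ("You can book an appointment online. Choose a time that suits you. "
          "We will send you a text to confirm.")

if __name__ == "__main__":
    for name, value in indices(SAMPLE).items():
        print(f"{name:22s} {value:7.2f}")
    print("reading age:", reading_age(SAMPLE), "meets 8-12:", meets_plain_english(SAMPLE))
```

Very short, simple sentences can fall below the range as well as above it, which is why the check tests both bounds rather than only an upper limit.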

Using data appropriately

All products developed for NHS Digital must meet the following data security standards.

| Topic | Required | Description |
| --- | --- | --- |
| Personal data requires permission | must | Services must only collect or process personal data (including email address, IP address and more) where this is agreed with NHS Digital and a full data privacy impact assessment has been completed |
| Permission for cookies | will not | Services will not place cookies which are not completely essential to the operation of the service without gaining the explicit consent of the user. This includes analytics cookies |
| No data sharing cookies | will not | Services will not place any data sharing cookies which send information about the user or their usage to any third party, including advertising or retargeting networks |

Responsive design

All products developed for NHS Digital must meet the following standards for responsiveness.

| Topic | Required | Description |
| --- | --- | --- |
| Designs work across devices | must | All services must work on all mainstream devices, including mobile phones, tablets, and desktop computers, without the user needing to scroll sideways to view the contents |
| Design must respond | must | All pages must resize based on user actions, including window resizing, device orientation change, and other changes to the browser area |

Last edited: 14 January 2020 2:16 pm