Web security standards

  • After the site is opened, with the exclusion of server issues, the Agency that has developed the site shall be responsible for ensuring that the site works flawlessly on the software side, taking action against software-related issues, and handling all areas (FTP, SQL, etc.) to which the Agency has access. The uptime rate must be at least 99.99 percent in combined total, including possible server problems.
  • Hosting and access information (FTP, SQL, etc.) shall be provided by Hosting Company to the Agency. The website shall be hosted on the “virtual server.”
  • Information concerning the capacity and operating system must be communicated to Hosting Company at least 15 days prior to the website going live, and it must be confirmed that such technical requirements can be met.
  • The Agency itself shall perform periodic backups of the website. Daily backups must be performed if a website update agreement exists. If there is no such agreement, backups must be performed monthly.
  • The address to be used for the testing of the website must be hosted on test.siteadi.com, that is, on Hosting Company’s servers. The website must be hosted on The Digital Agency’s virtual server pool throughout all stages, which include testing and going live.
  • Before the project launch, required features must be checked with the hosting side (Hosting Company).  The Agency shall bear all additional costs and damages, which includes the cost associated with the failure of the brand to go live on time, which are caused by the Agency’s decision to continue development on a different platform without obtaining prior approval.
  • Vulnerabilities identified and communicated by The Digital Agency IT Security must be fixed within the specified time: Following the communication of relevant security reports to the Agency, Critical Bugs must be completely fixed within one (1) week, Severe Bugs in two (2) weeks and Moderate Bugs in one (1) month.  If the Agency identifies any bug that cannot be fixed within the above-mentioned periods or that falls outside its responsibility, it must inform IT that the vulnerability or vulnerabilities cannot be fixed within two (2) weeks after the communication of the report.
  • The website or its source code must not contain any information concerning the platform and application.
  • Login checks must be performed in the sections that users use to access the website. (They should not be performed only on the client side.)
  • Information contained in Flash and active script must be checked carefully. It must not contain any information such as username, password, etc.
  • Protective measures must be taken against the hacking methods of Cross Site Scripting (XSS), injection and brute-force; the website must be manually checked against these during the testing stage.
  • During all stages of the development process, “BS ISO/IEC 18028-4:2005” standards must be adhered to in addition to the in-house standards of the Agency and those that would be required by  IT (This document can be retrieved through a Google search).
  • FTPS shall be used to communicate files, member information, source files, passwords, etc. among the brand, Agency and third parties; these shall be encrypted in a .rar file with a password of at least 10 characters. Passwords shall be submitted not by email, but by phone. Files containing more sensitive information shall be encrypted in a .rar file, burnt on a DVD and delivered via post or courier.
  • Personal and sensitive information such as credit card information, passwords, user logins, campaign participation information, etc. shall be transferred not through HTTP, but through HTTPS.
  • Directory listings on websites must be closed. Files must not be uploaded to servers that allow public access or servers that are indexed by Google but to those that allow access through an interface and a password.
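
An added example, not part of the original standard or any Agency tooling: a check that could be run during the testing stage against captured responses, covering the rules above on platform information, HTTPS for sensitive data and directory listings. The header list, finding names and sample responses are constructed for illustration.

```javascript
// Response headers that commonly reveal the platform or framework.
const DISCLOSURE_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version',
  'x-aspnetmvc-version', 'x-generator'];

// Audit one captured response: { url, headers, body } -> list of findings.
function auditResponse({ url, headers, body }) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Rule: no platform/application information in the site or its source.
  for (const name of DISCLOSURE_HEADERS) {
    if (h[name]) findings.push(`header-discloses-platform:${name}`);
  }
  if (/<meta[^>]+name=["']?generator["']?/i.test(body)) {
    findings.push('body-discloses-platform:meta-generator');
  }

  // Rule: directory listings must be closed (auto-index pages are titled "Index of /...").
  if (/<title>\s*Index of \//i.test(body)) findings.push('directory-listing-enabled');

  // Rule: passwords and other sensitive data travel over HTTPS, not HTTP.
  const isHttps = new URL(url).protocol === 'https:';
  if (!isHttps && /<input[^>]+type=["']?password/i.test(body)) {
    findings.push('password-form-served-over-http');
  }
  for (const m of body.matchAll(/<form[^>]+action=["'](http:\/\/[^"']+)["']/gi)) {
    findings.push(`form-posts-over-http:${m[1]}`);
  }
  return findings;
}

// Constructed sample responses (hypothetical host names and versions).
const SAMPLE_LISTING = {
  url: 'http://test.example/uploads/',
  headers: { Server: 'Apache/2.4.0 (Unix)', 'X-Powered-By': 'PHP/5.4' },
  body: '<html><head><title>Index of /uploads</title></head><body></body></html>',
};
const SAMPLE_LOGIN = {
  url: 'http://test.example/login',
  headers: { 'Content-Type': 'text/html' },
  body: '<html><head><meta name="generator" content="ExampleCMS 1.0"></head><body>' +
    '<form action="http://test.example/do-login" method="post">' +
    '<input type="password" name="p"></form></body></html>',
};
const SAMPLE_CLEAN = {
  url: 'https://test.example/login',
  headers: { 'Content-Type': 'text/html; charset=utf-8' },
  body: '<html><head><title>Login</title></head><body>' +
    '<form action="/login" method="post"><input type="password" name="p"></form></body></html>',
};

for (const s of [SAMPLE_LISTING, SAMPLE_LOGIN, SAMPLE_CLEAN]) {
  console.log(s.url, auditResponse(s));
}
```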

Dimensions and common specs

  • E-bulletin dimensions:
    • 650×700 (It can be extended at the bottom if needed; however, width may not exceed 650.)
    • A large, distinct call-to-action button shall be on the first 650×650 area, in a different and contrasting color.
  • For testing, it would be greatly appreciated if it is sent in URL form as opposed to an attachment.
  • It needs to arrive, along with the source files (FLA, PSD), in ready-to-publish condition (SWF, GIF/JPG) at least two days prior to the publishing date.

 

  • Facebook Cover Photograph
    • Cover photographs must be 851 pixels in width and 315 pixels in length. If you upload a visual that is smaller than these dimensions, it will be enlarged to this dimension. You must upload a visual with a pixel width of at least 399.
    • In order to obtain the best image quality and the fastest upload time for your page, upload an sRGB JPG file that is 851 pixels in width, 315 pixels in length and less than 100 kilobytes.
    • https://www.facebook.com/help?faq=125379114252045

 

    • 300×100, GIF or JPG without animation, maximum 20 kilobytes in size and the URL address it will redirect to when clicked on.

Flash standards

  • This includes all Flash usage on websites, social media applications and Digital projects.
  • In cases when the menu or navigation system contains Flash, there shall be text-based links to the main sections in the footer, which will be created in HTML.  The footer must be in HTML even if the site is built entirely on Flash.
  • In cases when there are pages with different addresses, there must be a site map that can be accessed from all of them, and the site map must include double click-deep links to these pages from the main page (Single click-depth: main parts; double click-depth: subsections or content pages.)
  • A parallel alternative HTML shall be prepared so that mobile and Flash-disabled (Google, blocked, etc.) users can access the text content within the Flash site. Title, Keyword, Description and file name (urun-adi.html) of the page shall contain the most important of the 8-10 keywords related to said page.
  • In cases when the page that opens directly after the domain name is entered needs to be Flash, it shall contain a link similar to the aforementioned Landing Page, of which the text links will be fixed at the bottom of the page.
  • Text links that complete the Flash shall open in a separate page, not as a popup window.
  • The URLs of the windows that open at the bottom pages of Flash must be different as well (Deeplinking).
  • Mouse scroll buttons must work in the scroll areas inside the text boxes in Flash pages. Mouseover must be able to scroll up and down without having to press on the scroll buttons.
  • It should not be necessary to click on the (X) button to close popup windows within Flash. Clicking on an area outside the window or pressing the ESC button should close the active popup.
  • Google Analytics code must be embedded in appropriate places in different Flash pages/stages in order to accurately track user movements (watching videos, playing games, etc.) inside Flash pages, as well as to track Flash screenings and site viewing times – https://developers.google.com/analytics/devguides/collection/other/flashTrackingIntro
  • Flash must be coded in compliance with Google guidelines – http://support.google.com/webmasters/bin/answer.py?hl=en&answer=72746
  • Video players shall have sound settings as well as mute, full screen, start and stop buttons. HTML 5 must work for mobile devices and Flash version for desktop and other compatible PCs.

Web page standards

  • The page structure shall be developed compliant to modular work such as headers (the upper part that is displayed on all pages) and footers (the lower part that is displayed on all pages).
  • There must be areas on the main page to reach all updated content.
  • Importantly, all areas in the background, including the visuals, of the main page must be clickable.
  • As they get updated, news must be visible on the main page for a certain period of time.
  • In the upper left-hand corner of the header, there must be a logo that directs to the main page.
  • There must be a search area in the Header (preferably on the upper right-hand side) with a “SEARCH” button and a text input field.
  • There must be a left column login area, right column registration areas and a membership page that is made up of two columns on a single page, which are accessible via a text connection in the Header and only through a text connection in the Footer.
  • Membership access must be available through Facebook Connect, and some information that is required for the membership form should be able to be pulled from Facebook Connect.
  • All pages must have their own unique meta data; original Keyword (2-4 words), Description (2-3 sentences) and Title (2-5 words) must be entered; meta data of all pages must be the same, and this information must be entered by the Agency depending on the content and may be updated by the brand if necessary.
  • All pages shall have unique URLs. Text should not be entered in content pages using technologies such as Javascript, AJAX or Frame; however, they may be used in personal pages such as membership or profile pages. (Search engines are not able to see this type of content.)
  • Alternative text must be entered for any visuals on the pages (For the visually impaired and for search engines).
  • The user site map must be accessible via a text link with an icon in the Header and only through a text link in the Footer.
  • The contact page, which should be able to be reached from the Header main menu and from the Footer, must contain the company name, address, telephone number, central system integrated contact form and Google Maps coordinates (company logo and address must be shown on the map by using GMap API v3), as well as a diagram if there is one. Full email addresses and/or peoples’ names should not be included.
  • The Terms of Use section shall include an Article stating, “The Digital Agency (The Digital Agency or the brand) reserves the right to change the Terms of Use at any time and in any manner.”  
  • The related Google Analytics code obtained shall be used. The Agency should not develop and use its own GA code. The latest version of the code must be obtained to be used according to the following information http://www.google.com.tr/support/googleanalytics/bin/answer.py?answer=174090  
  • Furthermore, using Google Analytics, it must be possible to track the number of video views, MP3 or files downloaded, and/or forms completed.
  • The video player shall have features such as full screen, sound on/off, and seek bar.
  • Also, it should be possible to share the videos on the website through Facebook in video format.  Facebook users shall be able to watch the video content on the website without leaving Facebook. (Domain may have to be authenticated by Facebook)

Website standards

  • HTML 5 shall be used to develop sites.
  • They shall be light, compatible and flexible with sound coding that allows for fast uploading.
  • They shall have a contact section that operates with The Digital Agency central system and with help from the web service API.
  • In cases of obtaining memberships from the site, they shall be integrated with The Digital Agency Central Membership API system.
  • They shall have a search function that includes the entire content.
  • They shall have Search Engine-Friendly URLs that contain Turkish keywords but do not contain (?,=,aspx..) for search engine optimization.
  • Javascript shall be used sparingly and Flash shall not be used unless absolutely necessary.
  • The sites shall include a user site map that encompasses two-click deep content (HTML), which can be read by search engines, as well as newly entered news. The root folder of the site must have sitemap.xml, an error-free and dynamic Google (XML) site map that is obtained from Google Webmaster.
  • The root folder of the sites shall include the robots.txt file, which provides a link to the site map.
  • Flash shall not be used for design and content. In cases when it is used when necessary with special approval from Digital, alternative text and pages that can be seen by search engines must also be added, and they must comply with the Digital Standards articles regarding “Flash Pages.”
  • “Alternate Text” shall be entered for all visuals; “Mouse Over” effects shall be used effectively on clickable areas.
  • There shall be an updatable section such as News, Announcements or similar.
  • CSS-using tags such as H1 or H2 shall be used appropriately in the text. CSS usage must not cause an error at the http://jigsaw.w3.org/css-validator address.
  • The sites shall be compatible with the http://www.w3.org standards, as well as with all browsers, operating systems and their versions (IE, Firefox, Opera, Safari, Linux, Mac…). All pages of the sites shall be error-free at the http://validator.w3.org address.
  • At the www.browsershots.org address, the site shall look exactly the same on the platforms IE, FF, O, Win, Mac and Linux.
  • Addresses written without www in the domain name shall be opened on the condition of directing to a www address.
  • In the case of an unused page on the site, a “Not Found” page shall be displayed, which brings up a 404 header, and includes a site map and search function in its content.
  • RSS 2.0 support shall be available for all updates (News, products, etc.). An RSS connection shall be accessible via an icon at the bottom right-hand side as a Footer.
  • Favicon shall be created from the company/brand logo.
  • The content/code rate of the site shall not be less than 40 percent.
  • Absolutely no pop-ups are allowed on the site; pop-up messages (warning messages with a clickable button) shall be removed.
  • In-site connections shall open in the same window, while connections to external sites shall be opened in a new window.
  • It shall be compatible with Google Webmaster Guidelines (See: Google Webmaster Central – http://support.google.com/webmasters/bin/answer.py?hl=en&answer=35769)
  • It shall work smoothly with extensions such as non-optimized flashes on low-performance computers.

Retweet standards

  • Each day, one positive consumer tweet shall be retweeted from the brand’s Twitter account upon its written approval. Requirements:
    • It has to be a positive comment.
    • It has to be related to the brand, product or advertising.
    • It has to mention the brand, or the tweet has to include the brand name/visual/hashtag.
    • The profile avatar, biography and latest tweets of the consumer that will be retweeted must be free of vulgarity, violence, spam, advertising, insult, aggression or defamation, which may damage the brand.
    • In the event of not being able to find current tweets, old tweets may be retweeted, provided that they are not older than one month and that the hashtag at the bottom is used.
    • In cases when there are hashtags within the user’s tweet, the hashtag is no longer in the trending topic list and/or was created by a competitive brand, these tweets should not be retweeted.
    • It should not contain brand names or visuals that do not belong to The Digital Agency or that belong to any competitor.
    • Rather than being in the form of a mention, tweets will be retweeted through a standard retweet that directly includes the avatar of the consumer.
  • Other positive consumer tweets, which comply with the aforementioned standards but have not been published, must be added to the favorites of the official Twitter account of the brand.
  • An approval email must be sent to the brand along with the link and the screen shot. Approvals may also be obtained weekly. For instance, in the event of receiving five tweet approvals, one tweet can be retweeted each day.

Twitter content standards

  • Participation Rules shall be prepared for all Hashtag, retweet and similar Twitter campaigns by using the Digital Standards template as a base. Preferably, it should be shared on Facebook as a note and the link should be provided on the campaign announcement tweets on Twitter.
  • For Twitter campaigns such as retweets, prize winners shall be examined carefully to avoid giving prizes to campaign-hunting accounts that are fake or troll, or that do not contain any personal entries. Real followers and fans of the brand shall be given priority instead.

 

  • If the tweet will begin with a mention, in order for more people to view it without getting stuck on the (no replies) filter, a period may be used as the first character of the tweet and the mention can begin after the second character.
  • When mirroring Facebook contents to Twitter, they must be changed to retweet from “like,” or to mention/reply from comment and so on.
  • When sending tweets, links and photographs must be sent by checking if they open correctly on mobile applications as well.
  • Links shall be sent by using URL abbreviation services such as bit.ly, which allow counting the number of clicks.  The number of clicks must be reported to the brand and Digital monthly.
  • Proposed text in the content plan or coming from the brand/Digital must be rechecked for orthographic or spelling mistakes prior to entering.

Contact form for the web page

  • Name and Last Name (Controls such as combined, single field, at least five characters, etc.) – COMPULSORY.
  • Email (Controls such as whether a valid email is entered, whether compulsory, non-deletable @ sign is entered, or whether there is a field on both sides of the @ sign, or whether there is at least one . character on the right field) – COMPULSORY.
  • Telephone (A three-digit field for the area code + a separate seven-digit field for the number, no letter input is allowed) – COMPULSORY.
  • Message (Maximum 200 characters, warning message is displayed when about to exceed or when left empty) – COMPULSORY.
  • City (Pulldown menu; Istanbul Anatolian Side, Istanbul European Side, Ankara, Izmir to be first, then alphabetical list) – COMPULSORY.
  • District (This will display the appropriate districts when clicked on) optional.
  • Country (Turkey listed first, then alphabetical list) optional.
  • Address Type (Pulldown menu: home, office) and address field (Maximum 200 characters) optional.
  • Date of Birth (Only year: pull down menu starting from 1940 until 2005, checks for errors such as February 30, etc.) optional.
  • A different, distinctive colored Send button (clicking on Enter in the fields above will be considered as clicking on default) – COMPULSORY.

Facebook campaign participation form

  • Name and Last Name (Controls such as combined, single field, at least five characters, etc.) shall be automatically pulled from Facebook Connect, this shall also be correctable if needed – COMPULSORY.
  • Date of Birth (Only year, pull down menu starting from 1940 until 2005). This shall be automatically pulled from Facebook Connect, this shall also be correctable if needed – COMPULSORY.
  • Email (Controls such as whether a valid email is entered, whether compulsory, non-deletable @ sign is entered, or whether there is a field on both sides of the @ sign, or whether there is at least one . character in the right field.) It shall be automatically pulled from Facebook Connect, it shall also be correctable if needed – COMPULSORY.
  • Telephone (A three-digit field for the area code + a separate seven-digit field for the number, no letter input is allowed) – COMPULSORY.
  • Address (Maximum 200 characters). When the field is empty, a tooltip warning must be displayed with the instruction: “Please remember to enter the City and District in the Address field.” This should disappear when clicked on. COMPULSORY in (National Lottery Administration) MPI campaigns and optional in other projects.

Form standards

  • Communications on all websites and on Facebook pages/applications, as well as member forms must be integrated with the Central API.
  • When communicating with API, Central Membership or Central Communication errors shall be observed; these errors shall be returned to the user, and unsuccessful/incomplete entries shall be avoided. If Central Communication does not accept the format, the record should not be entered into the local database and the error message shall be sent to the user.
  • Necessary measures shall be taken in order to prevent attempts such as inserting damaging codes into the fields, hacking and so on.
  • AJAX technology shall be used in the form; when moving to another field, it must check the previous field for related criteria; in case of an error, it must immediately warn with a colored error warning right next to the field; when the user clicks on the button for the first time, all errors must already be corrected on the form by AJAX and it must be ready to move on to the next screen.
  • Compulsory fields are the common areas on all projects and websites, while information will be provided according to the project for optional fields.
  • Some of the controls that will be performed before communicating with API are stated within the parenthesis.
  • When entering into any page containing a form, the cursor shall blink on the first field that needs to be filled in. The user shall not have to click the field to start filling out the form; he/she should be able to begin typing right away.
  • When filling out forms within Facebook, all obtainable data (name, email, etc.) shall be pre-populated; the user should just be able to check them without having to re-enter them.
  • A Captcha application must be used on the communication and membership forms on the web page.
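
An added example, not part of the original standard and not the Central API's own code: a server-side check of the contact-form controls listed under "Contact form for the web page", with output encoding as one measure against damaging code entered into the fields. The function names, error texts and the input field names are assumptions, and `CITIES` holds only the four cities the page names first.

```javascript
// Assumed allowlist: the four cities the standard lists first; the full list is not on the page.
const CITIES = ['Istanbul Anatolian Side', 'Istanbul European Side', 'Ankara', 'Izmir'];
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/; // CR/LF etc. have no place in single-line fields

// Encode a stored value before it is written into an HTML page.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Re-check every rule on the server; the AJAX checks in the browser can be bypassed.
function validateContactForm(input) {
  const errors = {};
  const field = (k) => (typeof input[k] === 'string' ? input[k].trim() : '');

  const name = field('name'); // combined single field, at least five characters
  if (name.length < 5 || CONTROL_CHARS.test(name)) errors.name = 'at least five characters, single line';

  const email = field('email'); // one @, text on both sides, at least one "." on the right
  const [local, domain, ...rest] = email.split('@');
  const domainOk = /^[^\s.]+(\.[^\s.]+)+$/.test(domain || '');
  if (rest.length || !local || /\s/.test(local) || !domainOk || CONTROL_CHARS.test(email)) {
    errors.email = 'valid email required';
  }

  const areaCode = field('areaCode'); // three digits + seven digits, no letters
  const number = field('number');
  if (!/^\d{3}$/.test(areaCode) || !/^\d{7}$/.test(number)) errors.phone = '3-digit area code and 7-digit number';

  const message = field('message'); // compulsory, maximum 200 characters
  const messageLength = [...message].length;
  if (messageLength === 0 || messageLength > 200) errors.message = '1 to 200 characters';

  const city = field('city'); // pulldown value must be one the server knows
  if (!CITIES.includes(city)) errors.city = 'choose a city from the list';

  const by = input.birthYear; // optional, year only, 1940 to 2005
  let birthYear = null;
  if (by !== undefined && by !== null && by !== '') {
    birthYear = Number(by);
    if (!Number.isInteger(birthYear) || birthYear < 1940 || birthYear > 2005) errors.birthYear = '1940 to 2005';
  }

  const ok = Object.keys(errors).length === 0;
  // On failure no record is returned, so nothing incomplete reaches the local database.
  const record = ok ? { name, email, phone: areaCode + number, message, city, birthYear } : null;
  return { ok, errors, record };
}

// Constructed sample submission.
const SAMPLE = { name: 'Ayse Yilmaz', email: 'ayse@example.com', areaCode: '212',
  number: '5550100', message: '<script>alert(1)</script> hello', city: 'Ankara', birthYear: '1985' };
const result = validateContactForm(SAMPLE);
console.log(result.ok, escapeHtml(result.record.message));
```

The message is stored as entered and encoded only at output time, so the same record can be rendered safely in HTML and passed unchanged to other systems.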