S 2.486 Documentation on the architecture of web applications
Initiation responsibility: Persons responsible for individual applications, Head of IT
Implementation responsibility: Administrator, Developer
It is necessary to understand the software architecture of the web application in order to maintain, develop and extend it efficiently and without errors. In addition to the system-specific documentation (see S 2.25 Documentation of the system configuration, S 2.31 Documentation on authorised users and rights profiles and S 2.34 Documentation on changes made to an existing IT system), several particularities must be taken into consideration for the documentation of web applications.
The documentation must take into account all components of the web application. In this respect, at least the following aspects should be covered by the specific documentation of the web application:
- All dependencies (for example, dependencies with frameworks, libraries, operating systems, hardware) and interfaces (for example background systems) of the web application should be documented.
- Components that are required for operation but are not part of the web application must be marked and identified as such (for example, background systems such as a database).
- It must be clear from the documentation which components implement security mechanisms. The following security functions of web applications must be covered as a minimum requirement:
  - User management,
  - Role and authorisation concept,
  - Authentication,
  - Authorisation,
  - Session management,
  - Logging and
  - Transport security.
- The integration of the web application into an existing network infrastructure, if any, must be contained in the documentation. In this respect, safeguard S 5.169 System architecture of a web application must be taken into account.
The documentation should be updated and adapted during the course of the project to ensure that it can already be used during the development activity and that the decisions taken are documented.
Review questions:
- Is the software architecture of the web application documented?
- Are all components and dependencies of the web application documented?
- Are components that are required for operation but are not part of the web application marked and identified as such?
- Is an assignment of implemented security mechanisms to the components of the web application documented?
- Does the documentation take the integration of the web application into an existing network infrastructure into account?
- Is the architecture of a web application already documented during the development activity?