Web application hosting guidance

Producers are required to develop sites and databases that are compliant with Progressive Web Application (PWA) standards and best practices. A checklist of these standards can be found at https://developers.google.com/web/progressive-web-apps/checklist. Specifications for sites and databases to be hosted by PBS can be found below

Infrastructure

  • Environment requirements e.g. Dev, QA, Staging etc.
  • Containerized applications preferred i.e. Docker
  • Preferred CMS - CraftCMS; WordPress is supported
  • Standard non-PHP env is NGINX + uWSGI
  • Set cache control headers
  • Estimated initial/current storage needs
  • Estimated rate of storage growth
  • DB requirements? – MySQL or Postgress SQL preferred 
  • CI/CD - Jenkins pipeline YAML; Bitbucket/GitHub webhook for DEV environment;
  • ApacheBench + lighthouse performance testing

Content

CMS content should be managed via Git plugin where possible, e.g., https://wppusher.com/

Otherwise, utilize a migration plugin, e.g., https://straightupcraft.com/craft-plugins/migration-manager or https://wordpress.org/plugins/all-in-one-wp-migration/

Export files must be delivered via AWS S3

XML Sitemap + Robots.txt

Estimated lifespan of site/app before first refresh

Estimated change/deployment frequency

Management

Third party development or support agreement

Source code repository – GitHub preferred. PBS can provide Bitbucket access.

Security

  • CSP Header
  • SSH via private key
  • Secrets must NOT be stored in repo/code
  • List of initial dependencies, specify version
  • Source code must NOT contain any high risk vulnerabilities listed in NVD

Support for Amazon EC2 Dedicated Hosting

In an effort to provide PBS producers greater flexibility with innovation, as well as greater freedom to tackle emerging issues, PBS is providing select producers with dedicated compute and storage resources. These resources provide content producers greater technological freedom to innovate and experiment with new technologies, while introducing isolation between producer sites, dramatically reducing the impact of adverse events.

With these dedicated resources, producers now have nearly complete control over their environment and the means to address most issues autonomously. Provided resources are for the exclusive use of the producer to which access is granted. 

Technical support is provided by PBS but is limited to the following:

  • Operational environment. PBS provides an operational computing environment to third party developers and producers for PBS sponsored websites and applications. This operational computing environment is based on the LAMP (linux + apache + mysql + php/python/perl) technology stack. PBS provides Level 1 technical support necessary to insure that the services are "available" for use and as designed. 
  • PBS-sanctioned widgets, modules and applications. PBS has developed a suite of applications, widgets, modules, and scripts that may (and in some cases must) be used by third party developers. PBS provides Level 1 technical support regarding the use of these components.
  • PBS network services. PBS provides network access (e.g. AWS S3 and SSH) to development and  staging, computing resources where third party applications may reside.

PBS does not provide technical support for issues regarding the use, development, application, tuning, or customization of development and scripting languages, application frameworks, or applications developed by third parties and/or the open source community. PBS requires third party developers to be self-sufficient in these areas.

Security

PBS views web application security as a joint responsibility. In order to ensure the highest level of Confidentiality, Integrity and Availability (CIA), the following measures will be enforced wherever possible:

  1. Applications or dependencies containing known HIGH vulnerabilities will NOT be deployed and IF discovered post deployment may be taken offline based on severity
  2. AWS and/or SSH keys will be rotated periodically access may be revoked if suspicious activity is detected
  3. Sites will be monitored by AWS Guardduty for suspicious activity

Content Management Systems

All Content Management System plans must be reviewed and approved by your program manager at the start of your project. File a support ticket with any questions.

Due to repeated security and performance issues with high-traffic sites, Drupal is not supported.

IP Address

Sites may not assume that their IP addresses will not change. In other words, your site must still function properly even if the IP address changes.

Domain Name

Sites should not assume that their domain names are fixed; if the domain name changes, the site should still function.

Immutable AWS-hosted sites

Site should be immutable on Amazon. For legacy sites on server infrastructure, PBS should be able to back up the producers application directory and database, create a new machine, and the site should come up without any human intervention. All customizations must be automated using the boot.sh file which is run once upon server provisioning. Apart from container images, sites should be immutable via IAC (Terraform of CloudFormation) and auto-scale without user disruption.

Content Distribution Network (CDN)

All third-party developers and producers are expected to utilize the PBS Content Delivery Network, which is currently hosted by AWS CloudFront.

Full use of the CDN is a launch requirement for the following media types:

  • All media files including, but not limited to, Flash, video, GIF, JPEG, etc.
  • All javascript files greater than 10k (except those which are hosted by third parties such as Google or Yahoo).
  • All CSS files greater than 10k.

Key-Value Store

All database-intensive sites must implement object-based and/or page level server side caching as necessary in order to maintain high performance.

  • Use of memcached or redis is highly recommended for all “dynamic” pages that rely upon an internal database or third-party services for real time data.  
  • PBS highly recommends the use of memcached or redis for all server-side object and page level caching. 

Performance and Load Testing

In order to maintain the highest level of user experience, PBS requires that all applications and sites developed by third-party developers for hosting on PBS's AWS hosting service undergo (and pass) performance and load testing.

Performing this testing is the sole responsibility of the third-party producer or developer. The purpose of this load testing is to demonstrate that the application has been engineered to handle the high levels of traffic that the site may experience at launch.

  • Sites and applications must demonstrate that they are capable of achieving 50 requests per second from 10 simulated users.
  • Test results are a production readiness deliverable. Upon completion of load testing, producers are required to submit a copy of the load testing results to PBS for review.
  • Robots.txt
  • The maximum allowable latency for the loading of any single page is five (5) seconds.

HTML Specifications

In order to reach the most users, sites should be developed using HTML specification 4.0 and cascading style sheet specification CSS1. Other HTML specifications may be used as long as the principals of Progressive Enhancement/Graceful Degradation are applied so that there is always a compelling and usable experience available for the site user. Compliance with The World Wide Web Consortium (W3C) guidelines and recommendations is required. HTML standards must be compliant for the doc-type being declared. If not, PBS reserves the right to not publish or to limit the site audience.

Supported Web Browsers

Sites must be developed to support PBS-approved web browsers across platforms. Although it is not assumed that all users will have the identical experiences when using different browsers, it is vital that every user be able to experience the same content and as much visual richness and interactivity as possible.

Supported desktop browsersSupported mobile devices
  • Chrome **
  • Internet Explorer 9+
  • Firefox **
  • Safari **
  • Opera ** 
  • Apple iOS
  • Android 2.3
  • Android 4 **

** Latest, or most widely used version http://gs.statcounter.com/

Google Analytics Tagging

Any national producer website on the pbs,org domain should have Google Tag Manager (GTM) across all webpages. Please view all information about implementation and further details about custom event tracking here: https://docs.pbs.org/display/AN/Implementation+of+Google+Tag+Manager+for+PBS.org+Sites 

Registration and Authentication

Any project wishing to provide registration or authentication services to its viewers must utilize PBS Account.

Additionally, by utilizing PBS Account you agree to abide by the Privacy Policy and Terms of Use.

Plug-in Introductory Text

When a plug-in is required to view site content, the teaser must be accompanied by introduction text that:

  • Explains what the feature is
  • Lists the file size of the feature
  • Provides a link to the plug-in download page

Cookies

Use of any cookies is subject to the oversight of the PBS technical staff and cookies that extend beyond a user session must be developed in partnership with PBS technical staff.

As a rule, always scope your cookies with the most specific path component you can. This reduces the overhead of the number of cookies that need to be sent by the client on each browser request. Where possible, cookies must be set in JavaScript instead of CGI script. Always prefix your cookies with a unique tag (such as programname.nameofcookie) that can identify your application in order help to avoid conflict on the server.

Airdate Code on PBS.org

To request Airdates code for a national program website, please contact your program manager or submit a ticket via the digital support portal