Below is a condensed but complete extraction of all required cases from page 31 to page 96 of GIGW 3.0, translated into a practical, implementation-ready documentation and checklist.
This is not a rewrite of the PDF. It is a developer + architect focused compliance document that you can directly use during design, development, testing, audits, and STQC/CERT-In readiness.
Source: GIGW 3.0 – Pages 31–96 (Guidelines: Quality, Accessibility, Cybersecurity, Lifecycle Management)
Applies to:
- Government Web Apps
- Government Mobile Apps
- Backend APIs supporting them
Mapped to:
- React Native + TypeScript + Jotai
- Vite React + TypeScript + Jotai
- Node.js + Express + MongoDB + Redis + MinIO + ClickHouse
- JWT Authentication
- Zod Validation
- Google Maps API (Web)
- Government ownership must be clearly visible
- Official emblem/logo must be used correctly
- Ownership visible on every major entry page
- gov.in / nic.in domain usage
- Display Government Emblem / Official Logo on home screen
- Logo has `alt` text (web) / `accessibilityLabel` (RN)
- Logo ratio and color preserved
- Ownership footer/header present on all pages
- Last updated / reviewed date visible
- gov.in / nic.in domain enforced (web)
- Central config for organization identity
- Ownership metadata injected into responses if required
- Same IA, navigation terminology, layout across all apps
- Reusable templates
- Central layout component
- Shared navigation schema
- Common page structure (Header, Content, Footer)
- Consistent route naming
- Jotai atoms for global UI state
- Central navigation stack
- Consistent screen titles
- Shared UI components
- Platform-agnostic UX patterns
- Org name
- Logo/emblem
- About
- Services
- Contact Us
- Feedback
- National Portal link
- Terms & Conditions
- Search / Sitemap
- Page title
- Ownership
- Contact link
- Navigation context
- About Us page exists
- Contact Us page exists
- Feedback form exists
- Terms & Conditions exists
- Privacy Policy exists
- Sitemap / Search exists
- National Portal opens in new window (web)
- Accurate, updated, audience-appropriate content
- Archival of expired content
- Download metadata visibility
- CMS-like content schema
- `validFrom`, `validTill` fields
- Auto archival cron
- File metadata stored (size, format, instructions)
- Virus scan before MinIO upload
- Display file size, type, usage
- Show expiry warnings
- Archive section UI
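Added example (not GIGW text and not the project's own code) of how the `validFrom` / `validTill` fields above drive content state, the expiry warning, and the archival cron. It is plain JavaScript on Node built-ins so it runs without the stack's dependencies; the document shape, the 30-day warning window and the sample rows are constructed, and an array stands in for the MongoDB collection.

```javascript
// Added example, not GIGW text or the project's own code: deriving a content
// item's state from validFrom/validTill and the job an archival cron would run.
// Assumptions: the document shape, the 30-day expiry-warning window and the
// sample rows are constructed; an array stands in for the MongoDB collection.
const DAY_MS = 86_400_000;
const WARN_DAYS = 30; // assumed: show an expiry warning this many days ahead

// Constructed sample collection (dates are ISO calendar days, stored as strings).
const contentItems = [
  { id: 'tender-12', title: 'Tender notice', validFrom: '2024-01-01', validTill: '2024-03-31', archived: false },
  { id: 'faq-3', title: 'Scheme FAQ', validFrom: '2024-01-15', validTill: '2024-07-10', archived: false },
  { id: 'circ-9', title: 'Circular (scheduled)', validFrom: '2024-08-01', validTill: null, archived: false },
  { id: 'about', title: 'About us', validFrom: '2023-01-01', validTill: null, archived: false },
];

// validTill is inclusive: the item stays valid through the end of that calendar day (UTC).
function validityWindow(item) {
  return {
    from: Date.parse(item.validFrom),
    till: item.validTill ? Date.parse(item.validTill) + DAY_MS : Infinity,
  };
}

// One of: archived | expired | scheduled | expiring | active
function contentStatus(item, nowMs) {
  if (item.archived) return 'archived';
  const { from, till } = validityWindow(item);
  if (nowMs >= till) return 'expired';
  if (nowMs < from) return 'scheduled';
  if (till - nowMs <= WARN_DAYS * DAY_MS) return 'expiring';
  return 'active';
}

// What the UI shows next to an item; only expiring items carry a notice.
function expiryNotice(item, nowMs) {
  if (contentStatus(item, nowMs) !== 'expiring') return null;
  const daysLeft = Math.ceil((validityWindow(item).till - nowMs) / DAY_MS);
  return `Expires in ${daysLeft} day${daysLeft === 1 ? '' : 's'}`;
}

// Cron body: move expired items to the archive and record when it happened.
// Returns the ids archived on this run so the job can log them.
function runArchivalJob(collection, nowMs) {
  const archivedNow = [];
  for (const item of collection) {
    if (contentStatus(item, nowMs) === 'expired') {
      item.archived = true;
      item.archivedAt = new Date(nowMs).toISOString();
      archivedNow.push(item.id);
    }
  }
  return archivedNow;
}

// Usage: run the job as of 20 June 2024 and inspect the result.
console.log(runArchivalJob(contentItems, Date.parse('2024-06-20T00:00:00Z')));
```

Running the job a second time for the same instant archives nothing, so it is safe to schedule it repeatedly; the `archivedAt` stamp is what the archive section UI sorts on.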
- Proper page titles
- Language attributes
- Metadata
- A4 print compatibility
- `<title>` set per page
- `<html lang="...">` set
- Meta description & keywords
- Print stylesheet
- CSS-only layout (no table layouts)
WCAG 2.1 – Level AA compliance is mandatory
- Perceivable
- Operable
- Understandable
- Robust
- Visual impairment
- Hearing impairment
- Cognitive disability
- Seizures due to blinking
- Keyboard inaccessibility
- Language barriers
- Semantic HTML
- Proper heading order
- Alt text for images
- ARIA roles where required
- Keyboard navigation works
- Focus indicators visible
- No fast blinking content
- Forms have labels
- Error messages are descriptive
- Language switch supported (where applicable)
- `accessible={true}` used
- `accessibilityLabel` provided
- Touch targets ≥ 48dp
- Screen reader tested (TalkBack / VoiceOver)
- Time-based actions have pause/extend
- No gesture-only interactions
- Labels always visible
- Instructions provided
- Error feedback accessible
- Zod validation messages user-friendly
- No placeholder-only labels
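Added example (not GIGW text and not the project's own code): an automated pre-audit check covering several of the accessibility items above (heading order, alt text / `accessibilityLabel`, visible labels rather than placeholder-only labels, 48dp touch targets, and fast flashing). It is plain JavaScript; the JSON element shape is an assumption standing in for whatever a test renderer or static scan produces, not a DOM or React Native API, and the sample screen is constructed. The 3 flashes per second limit is the WCAG 2.3.1 threshold.

```javascript
// Added example, not GIGW text or the project's own code: a pre-audit check over a
// constructed JSON description of a screen. The element shape is an assumption,
// not a DOM or React Native API.
const MIN_TARGET_DP = 48;
const MAX_FLASHES_PER_S = 3; // WCAG 2.3.1: three flashes or below

function auditScreen(elements) {
  const issues = [];
  let lastHeadingLevel = 0;
  for (const el of elements) {
    switch (el.type) {
      case 'heading':
        if (lastHeadingLevel === 0 && el.level !== 1) {
          issues.push(`heading "${el.text}": first heading is h${el.level}, expected h1`);
        } else if (el.level > lastHeadingLevel + 1) {
          issues.push(`heading "${el.text}": h${lastHeadingLevel} -> h${el.level} skips a level`);
        }
        lastHeadingLevel = el.level;
        break;
      case 'image':
        // Decorative images are allowed to have no text; everything else needs it.
        if (!el.decorative && !(el.alt && el.alt.trim())) {
          issues.push(`image ${el.id}: missing alt text / accessibilityLabel`);
        }
        break;
      case 'input':
        // A placeholder disappears on input and is not read as a label.
        if (!(el.label && el.label.trim())) {
          issues.push(`input ${el.id}: no visible label${el.placeholder ? ' (placeholder only)' : ''}`);
        }
        break;
      case 'button':
        if (!(el.label && el.label.trim())) issues.push(`button ${el.id}: no accessible name`);
        if (el.width < MIN_TARGET_DP || el.height < MIN_TARGET_DP) {
          issues.push(`button ${el.id}: touch target ${el.width}x${el.height}dp is below ${MIN_TARGET_DP}dp`);
        }
        break;
      case 'animation':
        if (el.flashesPerSecond > MAX_FLASHES_PER_S) {
          issues.push(`animation ${el.id}: flashes ${el.flashesPerSecond}/s, above ${MAX_FLASHES_PER_S}/s`);
        }
        break;
      default:
        break;
    }
  }
  return issues;
}

// Constructed sample screen with deliberate defects.
const sampleScreen = [
  { type: 'heading', level: 1, text: 'Apply for certificate' },
  { type: 'image', id: 'emblem', alt: 'State Emblem of India' },
  { type: 'heading', level: 3, text: 'Applicant details' },       // skips h2
  { type: 'input', id: 'name', label: 'Full name' },
  { type: 'input', id: 'mobile', placeholder: 'Mobile number' },  // placeholder only
  { type: 'image', id: 'divider', decorative: true },
  { type: 'button', id: 'submit', label: 'Submit', width: 120, height: 40 }, // too short
  { type: 'button', id: 'help', width: 48, height: 48 },           // no accessible name
  { type: 'animation', id: 'banner', flashesPerSecond: 5 },
];

console.log(auditScreen(sampleScreen));
```

A check like this belongs in CI alongside the manual TalkBack / VoiceOver pass; it cannot replace screen reader testing, but it stops the mechanical regressions before they reach an audit.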
Aligned with:
- OWASP Top 10
- ISO 27001
- ASVS
- CERT-In advisories
- Secure authentication
- Least privilege
- Session protection
- JWT short-lived access tokens
- Refresh tokens rotated
- Role-based access control
- Token revocation supported
- Redis for session/token blacklisting
- Zod validation at API boundary
- No trust in client data
- MongoDB queries sanitized
- No dynamic query building
- ClickHouse queries parameterized
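Added example (not GIGW text and not the project's own code) of why "Zod validation at API boundary", "no trust in client data" and "no dynamic query building" are one rule rather than three: the same lookup written with the request body spliced into the Mongo filter, and again with validation at the boundary. It is plain JavaScript; hand-rolled rules stand in for a Zod schema so it runs on Node built-ins only, and `findOne()` is a constructed stand-in for the driver that understands just enough of `$ne` / `$gt` to make operator injection observable.

```javascript
// Added example, not GIGW text or the project's own code. Assumptions: hand-rolled
// rules stand in for a Zod schema; findOne() is a constructed stand-in for the
// MongoDB driver; the user records are constructed sample data.

const users = [
  { username: 'asha', email: 'asha@example.invalid', role: 'citizen' },
  { username: 'ravi', email: 'ravi@example.invalid', role: 'officer' },
];

// Minimal filter semantics: equality, plus the $ne / $gt operators Mongo would honour.
function findOne(filter) {
  const match = users.find((doc) =>
    Object.entries(filter).every(([field, cond]) => {
      const value = doc[field];
      if (cond !== null && typeof cond === 'object') {
        if ('$ne' in cond) return value !== cond.$ne;
        if ('$gt' in cond) return value > cond.$gt;
        return false;
      }
      return value === cond;
    }),
  );
  return match || null;
}

// VULNERABLE: whatever JSON the client sent becomes the query. A body such as
// {"username": {"$ne": ""}} matches every document and returns someone else's record.
function findUserUnsafe(body) {
  return findOne({ username: body.username });
}

// HARDENED: each field must be a bounded plain string matching an allowlist pattern;
// unknown keys are dropped and the filter is built only from validated scalars.
const lookupSchema = {
  username: { type: 'string', min: 3, max: 64, pattern: /^[a-z0-9_.-]+$/i },
};

function validate(schema, body) {
  const errors = [];
  const data = {};
  for (const [field, rule] of Object.entries(schema)) {
    const value = body[field];
    if (typeof value !== rule.type) { errors.push(`${field}: expected ${rule.type}`); continue; }
    if (value.length < rule.min || value.length > rule.max) { errors.push(`${field}: length must be ${rule.min}-${rule.max}`); continue; }
    if (rule.pattern && !rule.pattern.test(value)) { errors.push(`${field}: contains disallowed characters`); continue; }
    data[field] = value;
  }
  return errors.length ? { ok: false, errors } : { ok: true, data };
}

function findUserSafe(body) {
  const parsed = validate(lookupSchema, body);
  if (!parsed.ok) return { status: 400, errors: parsed.errors };
  const user = findOne({ username: parsed.data.username }); // validated scalar, never body.username
  return user ? { status: 200, user } : { status: 404 };
}
```

With Zod the schema line becomes `z.object({ username: z.string().min(3).max(64).regex(...) }).strict()`; the important part is the same in both: the query is assembled from the parsed result, not from the body object, so an operator can never be a field value. The same discipline applies to ClickHouse, where the query text is fixed and values travel as bound parameters.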
- Presigned URLs only
- MIME type validation
- File size limits
- Virus scan
- Private buckets
- Time-bound URLs
- HTTPS enforced
- HSTS enabled
- Secure cookies
- Encryption at rest
- Sensitive fields masked
- XSS (stored, reflected, DOM)
- CSRF protection
- Broken auth
- Insecure deserialization
- Security misconfiguration
- Component vulnerability scanning
- Rate limiting
- Brute force prevention
- Audit logs
- Auth logs
- File access logs
- Failed login tracking
- Alerting (abnormal patterns)
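Added example (not GIGW text and not the project's own code) tying together rate limiting, brute-force prevention, auth logs, failed login tracking and alerting on abnormal patterns: a fixed-window login throttle keyed by source address and by account, an audit trail, and an alert when one address fails against several accounts. It is plain JavaScript; a `Map` stands in for Redis `INCR` / `EXPIRE` / `SADD`, every threshold is an assumed policy value, and the clock is passed in so the behaviour is reproducible.

```javascript
// Added example, not GIGW text or the project's own code. Assumptions: a Map
// stands in for Redis INCR/EXPIRE and SADD; thresholds are assumed policy values;
// time is passed in explicitly.
const WINDOW_S = 15 * 60;
const MAX_ATTEMPTS_PER_IP = 20;      // any outcome, per source address per window
const MAX_FAILURES_PER_ACCOUNT = 5;  // failures per account per window, then a temporary lock
const ALERT_DISTINCT_ACCOUNTS = 3;   // one address failing on this many accounts raises an alert

const counters = new Map();           // key -> { count, resetAt }   (Redis INCR + EXPIRE)
const failedAccountsByIp = new Map(); // ip -> Set of usernames      (Redis SADD)
const auditLog = [];                  // would be shipped to ClickHouse / the SIEM
const alerts = [];

function incr(key, nowSec) {
  const entry = counters.get(key);
  if (!entry || entry.resetAt <= nowSec) {
    counters.set(key, { count: 1, resetAt: nowSec + WINDOW_S });
    return 1;
  }
  entry.count += 1;
  return entry.count;
}

function current(key, nowSec) {
  const entry = counters.get(key);
  return entry && entry.resetAt > nowSec ? entry.count : 0;
}

function audit(type, ip, username, nowSec, extra = {}) {
  auditLog.push({ ts: nowSec, type, ip, username, ...extra });
}

// checkCredentials(username, password) -> boolean is the real verifier (argon2/bcrypt).
// The status codes are internal; the HTTP reply to the client should be one generic
// failure message so that lock state and account existence are not disclosed.
function attemptLogin({ ip, username, password }, checkCredentials, nowSec) {
  if (current(`ip:${ip}`, nowSec) >= MAX_ATTEMPTS_PER_IP) {
    audit('login.throttled', ip, username, nowSec);
    return { status: 429 };
  }
  if (current(`acct:${username}`, nowSec) >= MAX_FAILURES_PER_ACCOUNT) {
    audit('login.locked', ip, username, nowSec);
    return { status: 423 }; // locked until the window resets, even for a correct password
  }
  incr(`ip:${ip}`, nowSec);
  if (checkCredentials(username, password)) {
    counters.delete(`acct:${username}`);
    audit('login.success', ip, username, nowSec);
    return { status: 200 };
  }
  const failures = incr(`acct:${username}`, nowSec);
  audit('login.failure', ip, username, nowSec, { failures });

  // Abnormal pattern: the same address failing across several distinct accounts.
  const accounts = failedAccountsByIp.get(ip) || new Set();
  accounts.add(username);
  failedAccountsByIp.set(ip, accounts);
  if (accounts.size === ALERT_DISTINCT_ACCOUNTS) {
    alerts.push({ ts: nowSec, ip, accounts: [...accounts], rule: 'multi-account-failures' });
  }
  return { status: 401 };
}
```

Two counters are needed because they catch different things: the per-account counter stops repeated guessing at one account, while the per-address counter and the distinct-accounts alert are what surface one client walking through many accounts, which the per-account limit alone never sees.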
- CERT-In advisory tracking
- Web Information Manager identified
- Clear ownership of content
- Change management process
- Approval workflows
- Regular dependency updates
- Vulnerability scanning
- Performance monitoring
- Broken link checks
- Content freshness review
- MongoDB backups
- MinIO backups
- Redis persistence strategy
- DR plan documented
- Restore drills performed
- CDN where applicable
- API rate limiting
- Graceful degradation
- Slow network support
- Mobile offline handling (where relevant)
| Area | Must Exist |
|---|---|
| Identity | Logo, Ownership, gov.in |
| UX | Consistency, IA |
| Content | About, Contact, Feedback |
| Accessibility | WCAG 2.1 AA |
| Security | OWASP + CERT-In |
| Lifecycle | Archival, Updates |
| Logging | Audit trails |
| Files | Secure upload |
| APIs | Validated, Authenticated |
- Design phase → Architecture & UX decisions
- Development → Daily checklist
- Testing → Manual + automated audits
- Security audit → CERT-In readiness
- STQC audit → CQW compliance