In June we blogged about work we were doing to update our security guidelines for government digital services. Since then we’ve been busy working with teams across government to update services ready for the changes.
Thank you to the teams that have made the necessary updates to their services so we can get these changes in place.
All new government digital services must now:
- run on a secure HTTPS connection and use HTTP Strict Transport Security (HSTS)
- have published a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy
These new rules also apply to existing services using a `service.gov.uk` domain name.
Ensuring secure connections via HTTPS
Service.gov.uk is now included in the latest version of the HSTS preload list. As this list rolls out to different browsers through updates, it means users will only ever connect to government services via HTTPS.
Chrome will include service.gov.uk in their browser when they release version 55 in the next few weeks. Other modern browsers will follow as they release updates.
Publishing a DMARC policy
Services are now required to publish a DMARC policy to ensure domains cannot be used by email phishers and scammers.
To enforce this rule, we’ve applied a default `reject` policy to the `service.gov.uk` domain. This means that emails from unofficial sources will be rejected by external email providers.
This default policy also applies to other GDS domains including gov.uk, blog.gov.uk and register.gov.uk. We've also been able to publish a `reject` policy for the old direct.gov.uk and businesslink.gov.uk domains, which still host some legacy government services.
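The two rules above can be checked mechanically. The following Python is an added example, not GDS code: it evaluates a DMARC record the way a receiving mail provider would (the `sp` tag governs subdomains such as a service under `service.gov.uk`, otherwise `p` applies) and checks an HSTS header against the preload list's submission requirements; the one-year `max-age` threshold is assumed from the current hstspreload.org rules, and all records and domains below are constructed samples.

```python
"""Check a DMARC record and an HSTS header against the two rules above.
Sample values are constructed for this example; in practice the DMARC record
is the TXT record at _dmarc.<domain> and the HSTS header comes from the
service's HTTPS response."""
import re

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_dmarc_policy(record: str, is_subdomain: bool = False) -> str:
    """Policy a receiver applies: 'sp' for subdomains when present, else 'p'.
    Returns 'none' when the record is not a usable DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"
    if is_subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags["p"].lower()

def hsts_preload_ready(header: str) -> bool:
    """Preload requirements (assumed from hstspreload.org): max-age of at
    least one year, includeSubDomains, and the preload directive."""
    directives = [d.strip().lower() for d in header.split(";")]
    max_age = 0
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return (max_age >= 31536000 and "includesubdomains" in directives
            and "preload" in directives)

# Constructed sample records (not real DNS data)
SERVICE_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.gov.uk"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk"
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=3600"

if __name__ == "__main__":
    print(effective_dmarc_policy(SERVICE_DMARC, is_subdomain=True))
    print(effective_dmarc_policy(WEAK_DMARC))
    print(hsts_preload_ready(GOOD_HSTS), hsts_preload_ready(WEAK_HSTS))
```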
These updates are aimed at maintaining secure services and trust in digital government services. As our colleague Richard at the National Cyber Security Centre has said in his post today, these changes are already having a positive impact.
If you have any questions about the changes, you can contact us through our technical architecture community page on GOV.UK.