GDS: Updating our security guidelines for digital services

Originally published by Dafydd Vaughan on 28 June 2016

This article was originally published on the GDS Technology blog and has now been re-published here. You can read the original article online.

Back in 2012, GDS released some security guidelines for government services. Although we’re aware individual services have continually upgraded their own security practices, we’re now updating the guidelines to improve how we secure government services overall.

We’ll be making 2 important updates to the guidelines that will take effect from 1 October 2016. If you run a service on, you’ll need to be aware of these.

What is changing

From the beginning of October, your service will need to make sure it:

  • runs on secure HTTPS connections and uses HSTS
  • has published a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy

If you’re a service manager, you’ll need to speak with your technical team to make sure your service is fully compliant by the October deadline.

Ensuring secure connections

The standards require all government services to run on secure connections, known as ‘HTTPS’. This type of connection makes sure user data is encrypted and stays secure while users interact with your service.

As well as enforcing the use of HTTPS, we now mandate that service uses HTTP Strict Transport Security (HSTS). This setting tells modern browsers your service will only use secure connections and information should be sent encrypted.

In September, we plan to submit the domain to the browser manufacturers’ HSTS preload list. This means that all modern browsers will only ever connect to government services via HTTPS. If you service is only available over unsecured connections, it will stop working in modern browsers once this happens. This may also affect testing environments hosted on

Publishing a DMARC policy

Government Digital Service has published guidance on how to implement secure email practices including Domain-based Message Authentication, Reporting and Conformance policies, known as DMARC. Such policies ensure your domain cannot be used by email phishers and scammers.

Services should publish a DMARC policy and set it to the highest level, called ‘p=reject’. If you have not set up this policy by 1 October 2016, your emails may be rejected by external email providers.

As a temporary measure, if your team cannot set the DMARC policy to p=reject in this time period, you should should publish a record using ‘p=none’ to override the default policy.

These updates are aimed at maintaining secure services and trust in digital government services. In relation to this, we’ll soon be publishing new security content in the Service Manual to help service teams pass the Service Standard. Stay tuned!