govuk-aws: 39. Non-GOV.UK domain policy
Date: 2022-10-10
Status
Accepted
Definitions
This proposal uses the RFC2119 standard for definitions of MUST, MUST NOT and MAY.
Definitions:
- "Authenticated": through an authentication method such as Signon, through basic access authentication, or similar
- "Non-GOV.UK domain": a domain that does not end in
gov.uk
, such asgovuk.digital
orgovuk-internal.digital
. Note thatassets.publishing.service.gov.uk
is considered a GOV.UK domain.
Context
It is dangerous to have a Non-GOV.UK domain that is publicly routable, without any authentication layer, and which does either of the following:
- Looks like a GOV.UK site
- Plays any publicly detectable part in serving content to a GOV.UK site
In either case, the domain might be flagged as a phishing site by systems such as Google's Safe Browsing technology, which is used by browsers including (but not limited to) Chrome to automatically block requests to the site.
At best, this would be an inconvenience, perhaps making it difficult to access internal tooling. At worst, this could cause a major incident, making large parts of GOV.UK inaccessible.
Proposal
Any web page that lives on a Non-GOV.UK domain, and that is designed to look like a page or service on GOV.UK, MUST either be Authenticated or Unavailable to the Public Internet.
Additionally, the serving of any GOV.UK web page or assets MUST NOT use a Non-GOV.UK domain in any publicly detectable part of the request. Some examples of things to avoid:
- Using a Non-GOV.UK domain in the redirect chain for a GOV.UK page or asset.
- Making requests to a Non-GOV.UK domain for 'metadata' associated with a GOV.UK page or asset, e.g. a request for a GOV.UK asset triggering a second request for a favicon from a Non-GOV.UK domain.
To be clear, a Non-GOV.UK domain MAY be used in serving GOV.UK pages or assets, provided the domain in question is not publicly detectable. For example, govuk-internal.digital
MAY be used under the hood to process a request, provided the domain is not exposed to the browser at any point in the request.
Consequences
A number of Signon domains are currently in violation of this proposal. They MUST either be made Authenticated, Unavailable to the Public Internet, or else moved to a GOV.UK domain.
- https://signon.integration.govuk.digital/
- https://signon.staging.govuk.digital/
- https://signon.production.govuk.digital/
We should consider what automated tests can be written to enforce this proposal GOV.UK-wide, e.g. in Smokey.
We should also consider the work involved and the merits of retiring any Non-GOV.UK domains.