govuk-infrastructure: 0012-non-govuk-domain-policy
Date: 2025-05-06
Status
Accepted
Definitions
This proposal uses the RFC2119 standard for definitions of MUST, MUST NOT and MAY.
Definitions:
- "Authenticated": through an authentication method such as Signon, through basic access authentication, or similar
- "Non-GOV.UK domain": a domain that does not end in gov.uk, such as govuk.digital or govuk-internal.digital. We consider assets.publishing.service.gov.uk to be a GOV.UK domain.
Context
It is dangerous to have a Non-GOV.UK domain that is publicly accessible, without an authentication layer, and does either of the following:
- Looks like a GOV.UK site
- Plays any publicly detectable part in serving content to a GOV.UK site
In either case, systems such as Google's Safe Browsing, in use by browsers to automatically block requests to dangerous sites, might flag the domain as a phishing site.
At best, this would be an inconvenience, perhaps making it difficult to access internal tooling. At worst, this could cause a major incident, making large parts of GOV.UK inaccessible.
Proposal
Any web page that lives on a Non-GOV.UK domain, and looks like a page or service on GOV.UK, MUST either be Authenticated or unavailable to the public internet.
Additionally, the serving of any GOV.UK web page or assets MUST NOT use a Non-GOV.UK domain in any publicly detectable part of the request. Some examples of things to avoid:
- Using a Non-GOV.UK domain in the redirect chain for a GOV.UK page or asset.
- Making requests to a Non-GOV.UK domain for metadata associated with a GOV.UK page or asset. For example, a request for a GOV.UK asset triggering a second request for a favicon from a Non-GOV.UK domain.
To be clear, a Non-GOV.UK domain MAY be used in serving GOV.UK pages or assets, provided the domain in question is not publicly detectable. For example, govuk-internal.digital MAY be used under the hood to process a request, provided the domain is not exposed to the browser at any point in the request.
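The two "publicly detectable" cases above (a Non-GOV.UK hop in the redirect chain, and a sub-resource such as a favicon fetched from a Non-GOV.UK domain) can be checked automatically once a page load has been traced. The following is an added example, not code from govuk-infrastructure: given the redirect hops and sub-resource URLs a browser would observe, it reports every host that is not a GOV.UK domain. It assumes the "ends in gov.uk" test is applied at a label boundary (so a look-alike such as fakegov.uk counts as Non-GOV.UK) and uses a constructed request trace rather than live traffic.

```python
"""Added example (not code from the govuk-infrastructure repository): a static
compliance check for the Non-GOV.UK domain policy. It takes the URLs a browser
would observe while loading a GOV.UK page (every hop of the redirect chain plus
every sub-resource such as a favicon) and reports any host that is not a
GOV.UK domain. No network access: the request trace below is constructed."""
from urllib.parse import urlsplit

GOVUK_SUFFIX = ".gov.uk"


def is_govuk_domain(host: str) -> bool:
    """True for gov.uk itself or any subdomain of it.

    Assumption: the policy's "ends in gov.uk" is read at a label boundary, so
    a look-alike such as 'fakegov.uk' is treated as Non-GOV.UK. Hostnames are
    compared case-insensitively and a trailing dot (FQDN form) is ignored.
    """
    h = host.lower().rstrip(".")
    return h == "gov.uk" or h.endswith(GOVUK_SUFFIX)


def publicly_detectable_hosts(redirect_chain, subresources):
    """Return (stage, host, url) for every Non-GOV.UK host in one page load.

    redirect_chain: URLs in order, from the first request to the final page.
    subresources:   URLs of assets the final page makes the browser fetch.
    Every URL here is resolved by the browser, so every host is detectable;
    an internal hop that never reaches the browser would not appear in the trace.
    """
    findings = []
    for stage, urls in (("redirect", redirect_chain), ("subresource", subresources)):
        for url in urls:
            host = urlsplit(url).hostname or ""
            if not is_govuk_domain(host):
                findings.append((stage, host, url))
    return findings


# Constructed trace of a non-compliant page load, for demonstration only.
TRACE_REDIRECTS = [
    "https://www.gov.uk/example-service",
    "https://example-service.govuk.digital/start",  # Non-GOV.UK hop in the chain
    "https://www.example-service.service.gov.uk/start",
]
TRACE_ASSETS = [
    "https://assets.publishing.service.gov.uk/static/app.css",
    "https://example-service.govuk.digital/favicon.ico",  # favicon from a Non-GOV.UK domain
]

if __name__ == "__main__":
    for stage, host, url in publicly_detectable_hosts(TRACE_REDIRECTS, TRACE_ASSETS):
        print(f"{stage}: Non-GOV.UK host {host!r} in {url}")
```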