{ "version" : "https://jsonfeed.org/version/1", "content" : "resources", "type" : "single", "title" : "An introduction to web security |Digital.gov", "description": "An introduction to web security", "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/resources/an-introduction-to-security/index.json","item" : [ {"title" :"An introduction to web security","deck" : "Understand how security impacts your website","summary" : "Guidance on meeting security requirements for federal websites.","date" : "2023-12-12T16:14:00-05:00","date_modified" : "2025-01-27T19:42:55-05:00","topics" : { "digital-service-delivery" : "Digital service delivery", "public-policy" : "Public policy", "security" : "Security" },"branch" : "bc-archive-content-3", "filename" :"an-introduction-to-security.md", "filepath" :"resources/an-introduction-to-security.md", "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/resources/an-introduction-to-security.md", "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/resources/an-introduction-to-security.md","slug" : "an-introduction-to-security","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/resources/an-introduction-to-security/","weight" : "1","content" :"\u003ch2 id=\"what-is-web-security\"\u003eWhat is web security?\u003c/h2\u003e\n\u003cp\u003eA secure website protects information and keeps users safe. Web security means employing the latest security protocols, providing services through a secure connection, and implementing controls to ensure that the right person with the right privileges can access the right information at the right time (known as identity, credential, and access management, or ICAM).\u003c/p\u003e\n\u003ch2 id=\"why-is-security-important\"\u003eWhy is security important?\u003c/h2\u003e\n\u003cp\u003eA core responsibility of federal agencies is to protect users and their information when using our websites and online systems.\u003c/p\u003e\n\u003cp\u003eFollow current federal IT security policies, promptly install the latest security patches, deliver information via secure channels, and validate access to prevent the inappropriate disclosure of sensitive information. Your agency must also ensure information is resistant to tampering, remains confidential as necessary, and is available as intended by the agency, and expected by users.\u003c/p\u003e\n\u003ch2 id=\"how-to-meet-web-security-requirements\"\u003eHow to meet web security requirements\u003c/h2\u003e\n\u003cp\u003eProvide general information to the public about security protocols, and provide a way for the public to report vulnerabilities.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eAssessments and testing\u003c/strong\u003e - Regularly assess risks to your websites, and conduct security testing based on that assessment. Keep security certificates up-to-date, and patch any vulnerabilities immediately.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication\u003c/strong\u003e - If you need to provide authentication services, use a standard authentication tool such as \u003ca href=\"https://login.gov/\"\u003eLogin.gov\u003c/a\u003e to provide multi-factor and phishing-resistant authentication. Follow U.S. Web Design System (USWDS) guidance to develop \u003ca href=\"https://designsystem.digital.gov/page-templates/authentication-pages/\"\u003eauthentication pages\u003c/a\u003e that provide users with a consistent login experience. When appropriate, allow repeat visitors who have logged in to auto-populate forms with saved information, such as contact information. Use appropriate identity verification when greater assurance of identity is needed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEmbedded third-party resources\u003c/strong\u003e - If using web assets that are hosted on third-party services not under agency control, do not embed static third-party assets (such as PDF files); embedding dynamic third-party resources that are necessary for digital service delivery (like analytics services) is permitted.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecure connections\u003c/strong\u003e - Provide content and services through a secure connection. Use a .gov or .mil domain name for public-facing websites and digital services, and work with the \u003ca href=\"http://www.get.gov\"\u003eDotGov program\u003c/a\u003e at the \u003ca href=\"https://www.cisa.gov/stopransomware/cyber-hygiene-services\"\u003eCybersecurity and Infrastructure Security Agency (CISA)\u003c/a\u003e to “preload” agency-owned .gov domains as HTTPS-only in web browsers. Add the \u003ca href=\"https://designsystem.digital.gov/components/banner/\"\u003eUSWDS banner component\u003c/a\u003e to show that your site is an official government website and uses secure connections. Allow agencies to securely access resources across existing systems and emerging platforms with \u003ca href=\"https://www.cisa.gov/safecom/icam\"\u003eIdentity, Credential, and Access Management (ICAM)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerabilities\u003c/strong\u003e - Publish a website \u003ca href=\"https://digital.gov/resources/required-web-content-and-links/#security-2\"\u003evulnerability disclosure policy (VDP)\u003c/a\u003e as a way for the public to safely report potential security vulnerabilities, and explain how your agency will respond to such reports.\u003c/li\u003e\n\u003c/ul\u003e\n"} ] }