Web Sites and Services Management Configuration Requirements


1. Websites and services hardening

1.1 Ensure that all production websites and web services are configured to provide service only through a secure connection that is configured for HTTPS (and redirected from HTTP).

1.2 Enable HTTP Strict Transport Security (HSTS).

1.3 Follow the guidance in "Recommendations for TLS Server Certificates for GC Public Facing Web Services" for Transport Layer Security (TLS) server certificates.

1.4 Implement TLS 1.2, or subsequent versions, and use supported cryptographic algorithms and certificates, as outlined in:

1.5 Disable known weak protocols such as Secure Sockets Layer (SSL) v2 and v3 and TLS 1.0 and 1.1.

1.6 Disable known weak ciphers (RC4 and 3DES).

2. Web application development

2.1 Robust web application frameworks are used to aid in developing secure web applications.

2.2 Validation and/or sanitization is performed on all input handled by a web application.

2.3 Output encoding is performed on all output produced by a web application.

2.4 Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.

2.5 Departments and agencies are to follow the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) when developing web applications.
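
The following is an added example, not part of the original requirements: a Python sketch that builds a TLS server context meeting 1.4 to 1.6 and checks a single response against 1.1, 1.2 and 2.4. The function names, the cipher string and the sample headers are assumptions constructed for illustration.

```python
import ssl

WEAK_MARKERS = ("RC4", "DES-CBC3", "3DES")  # OpenSSL naming for RC4 / 3DES suites

def hardened_server_context() -> ssl.SSLContext:
    """Server-side TLS context for 1.4-1.6: TLS 1.2 or later, no RC4/3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0, TLS 1.1
    # Constructed cipher string (an assumption, not taken from the GC guidance).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!3DES:!aNULL")
    return ctx

def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled cipher suites that 1.6 requires to be disabled."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]

def audit_response(scheme: str, status: int, headers: dict) -> list:
    """Return the requirements that one HTTP(S) response fails."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if scheme == "http":
        # 1.1: plain HTTP may only redirect to the HTTPS service.
        ok = status in (301, 302, 307, 308) and \
            h.get("location", "").lower().startswith("https://")
        return [] if ok else ["1.1"]
    hsts = h.get("strict-transport-security", "").lower()
    max_age = [p.split("=", 1)[1].strip(' "') for p in hsts.split(";")
               if p.strip().startswith("max-age=")]
    failed = []
    # max-age=0 tells browsers to forget the policy, so it counts as missing.
    if not (max_age and max_age[0].isdigit() and int(max_age[0]) > 0):
        failed.append("1.2/2.4 HSTS")
    if not h.get("content-security-policy"):
        failed.append("2.4 Content-Security-Policy")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        failed.append("2.4 X-Frame-Options")
    return failed

if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real site.
    sample = {"Strict-Transport-Security": "max-age=0",
              "X-Frame-Options": "ALLOWALL"}
    print(audit_response("https", 200, sample))
    print(weak_ciphers(hardened_server_context()))
```
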

3. Service continuity for online services

3.1 Where a high-availability requirement exists, online services:

4. Systems management

4.1 Information systems used for processing payment card transactions or connected to payment card transaction processing systems comply with the Payment Card Industry Data Security Standard.

4.2 All operating systems, software applications, hardware and firmware that support websites and services are actively patched to mitigate known software flaws and vulnerabilities.

4.3 Configure logging on IT assets that support websites and services, in alignment with GC Event Logging Guidance, to improve the ability to detect and identify anomalous behaviours and for subsequent forwarding to an approved GC centralized security event and information log system to support incident response and forensic analysis.

4.4 Continuously assess risks to publicly accessible web applications and address vulnerabilities as soon as they are discovered.

4.5 Publish a security.txt to provide contact information on where to report vulnerabilities (for example, contact@cyber.gc.ca).
