Web Sites and Services Management Configuration Requirements

On this page


1. Websites and services hardening

1.1 Ensure that all production websites and web services are configured to provide service only through a secure connection that is configured for HTTPS (and redirected from HTTP).

1.2 Enable HTTP Strict Transport Security (HSTS).

1.3 Follow the guidance Recommendations for TLS Server Certificates for GC Public Facing Web Services for Transport Layer Security (TLS) server certificates.

1.4 Implement TLS 1.2, or subsequent versions, and use supported cryptographic algorithms and certificates, as outlined in:

1.5 Disable known weak protocols such as Secure Sockets Layer (SSL) v2 and v3 and TLS 1.0 and 1.1.

1.6 Disable known weak ciphers (RC4 and 3DES).

2. Web application development

2.1 Robust web application frameworks are used to aid in developing secure web applications.

2.2 Validation and/or sanitzation is performed on all input handled by a web application.

2.3 Output encoding is performed on all output produced by a web application.

2.4 Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.

2.5 Departments and agencies to follow the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) when developing web applications.

3. Service continuity for online services

3.1 Where a high-availability requirement exists, online services:

4. Systems management

4.1 Information systems used for processing payment card transactions or connected to payment card transaction processing systems comply with the Payment Card Industry Data Security Standard.

4.2 All operating systems, software applications, hardware and firmware that support websites and services are actively patched to mitigate known software flaws and vulnerabilities.

4.3 Configure logging-on IT assets that support websites and services, in alignment with GC Event Logging Guidance, to improve the ability to detect and identify anomalous behaviours and for subsequent forwarding to an approved GC centralized security event and information log system to support incident response and forensic analysis.

4.4 Continuously assess risks to publicly accessible web applications and address vulnerabilities as soon as they are discovered.

4.5 Publish a security.txt to provide contact information on where to report vulnerabilities (for example, contact@cyber.gc.ca).

Page details

Date modified: