ScanGov Standards

Government digital experience standards

Based on public policy, web protocols, guidelines and best practices.
Security
| Indicator | Standard | Why | Guidance |
|---|---|---|---|
| Content security policy (CSP) | The site restricts what can be loaded. | Helps stop hackers by blocking harmful code from running on your website. | CISA Website Security |
| HTTP Strict Transport Security (HSTS) | Site upgrades to a secure connection. | Forces secure connections, protecting user data by making websites always load with encryption. | 21st Century Integrated Digital Experience Act; CISA Website Security; CISA Cybersecurity Performance Goals; Memorandum (M-23-22) |
| security.txt | The site has a security.txt file. | Provides contact info for reporting security issues, helping site owners fix problems quickly and keep users safe. | CISA Cybersecurity Performance Goals; RFC 9116 |
| X-Content-Type-Options | The site prevents MIME type sniffing. | Stops browsers from guessing file types, helping prevent security risks by enforcing correct content handling. | OWASP Top 10 |
| Errors in the console | Tracks mistakes in code for debugging. | Signals problems in website code, helping developers fix issues that could affect how the site works or displays. | |
| Clickjacking mitigation | Stops fake clicks on hidden content. | Prevents malicious websites from tricking users into clicking hidden elements, enhancing site security and protecting user actions. | OWASP Top 10 |
| Paste preventing inputs | Page doesn't allow copy-paste into inputs. | Negatively impacts user experience and weakens security by blocking password managers. | |