US flag signifying that this is a United States Federal Government website An official website of the United States government

IPv6, HTTPS, and DNSSEC

IPv6, HTTPS, and DNSSEC

Here’s what cloud.gov does to support relevant federal standards and recommendations, for applications on *.app.cloud.gov and custom domains.

IPv6

cloud.gov ensures all applications are accessible over IPv6. You don’t have to take any action.

HTTPS

cloud.gov ensures all applications are accessible only over HTTPS with HTTP Strict Transport Security (HSTS) headers in accordance with the HTTPS-Only Standard. Any HTTP requests are permanantly redirected to HTTPS. You don’t have to take any action.

HSTS preloading

cloud.gov sets Strict-Transport-Security headers for all applications by default, and has added the cloud.gov domain/subdomains to the HSTS preload list for most major browsers.

You are responsible for setting up HSTS preloading for your custom domain. cloud.gov doesn’t set this up for you. If you need HSTS preloading, follow the guidance from the maintainers of the HSTS preload list. The HTTPS-Only Standard encourages HSTS preloading.

Additional details are available in the cloud.gov FedRAMP P-ATO documentation package, including in System Security Plan controls SC-8, SC-12, and SC-20.

DNSSEC

cloud.gov does not currently support DNSSEC on cloud.gov domains. For example, an application at *.app.cloud.gov would not support DNSSEC.

If you need DNSSEC for your custom domain, you are responsible for configuring DNSSEC in your DNS system. cloud.gov can’t configure DNSSEC for you because cloud.gov does not have access to your DNS system.

cloud.gov supports mapping your DNSSEC-enabled custom domain to your applications hosted on cloud.gov – see DNSSEC support for the CDN service and DNSSEC support for the custom domain service.

Additional details are available the cloud.gov System Security Plan, including controls SC-20, SC-21, SC-22, and SC-23.