Here’s what the platform does to support relevant federal standards and recommendations, for applications on * and custom domains.

IPv6

The platform has basic support for IPv6. It supports two types of application access, external and internal. External access is when traffic reaches an application from outside the platform, such as from an office, external application, or user. Internal traffic is traffic that uses the platform’s internal DNS to allow applications to communicate without ever leaving the platform’s network boundaries. IPv6 is supported for external access. For internal access, only IPv4 is supported. When you deploy a new application, you do not have to take any action for external IPv6 traffic, and most applications will know to use IPv4 internally, as the platform’s internal DNS provider will leverage IPv4. If you have more questions or security questions, please contact Support.

HTTPS

The platform ensures all applications are accessible only over HTTPS with HTTP Strict Transport Security (HSTS) headers in accordance with the HTTPS-Only Standard. Any HTTP requests are permanently redirected to HTTPS. You don’t have to take any action.

HSTS preloading

The platform sets Strict-Transport-Security headers for all applications by default, and has added its own domain and subdomains to the HSTS preload list for most major browsers.

You are responsible for setting up HSTS preloading for your custom domain. The platform doesn’t set this up for you. If you need HSTS preloading, follow the guidance from the maintainers of the HSTS preload list. The HTTPS-Only Standard encourages HSTS preloading.
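Before submitting a custom domain, it helps to confirm that the header your application actually sends meets the preload list's header requirements. The following is an added example, not code from this platform: it parses a Strict-Transport-Security value per RFC 6797 and checks it against the requirements published at hstspreload.org at the time of writing (max-age of at least one year, includeSubDomains, preload). The function names and sample headers are constructed for illustration, and the check covers only the header, not the list's other submission requirements.

```python
MIN_PRELOAD_MAX_AGE = 31536000  # one year in seconds (assumed current minimum)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Per RFC 6797 section 6.1, directive names are case-insensitive and a
    repeated directive makes the header invalid (raised as ValueError here).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty segments such as a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        # max-age may be sent as a token or as a quoted-string
        directives[name] = arg.strip().strip('"') if arg else None
    return directives

def preload_problems(value):
    """Return the reasons a header value fails the preload header checks."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isascii() or not max_age.isdigit():
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE}")
    for required in ("includesubdomains", "preload"):
        if required not in d:
            problems.append(f"{required} directive missing")
    return problems

# Constructed sample header values, not captured from any real site.
SAMPLES = [
    "max-age=31536000; includeSubDomains; preload",
    "max-age=31536000; includeSubDomains",
    "max-age=300; includeSubDomains; preload",
    "max-age=31536000; max-age=0; includeSubDomains; preload",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: {preload_problems(header) or 'OK'}")
```

An empty list means the header passes these checks; a header that omits `preload` is still valid HSTS, it just isn't eligible for the list.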

Additional details are available in the FedRAMP P-ATO documentation package, including in System Security Plan controls SC-8, SC-12, and SC-20.

DNSSEC

The platform does not currently support DNSSEC on its own domains. For example, an application at * would not support DNSSEC.

OMB memo M-18-230 rescinds M-08-23, the OMB memo that originally mandated DNSSEC for federal systems. You should consider carefully whether DNSSEC is still a requirement for your system.

If you do need DNSSEC for your custom domain, you are responsible for configuring DNSSEC in your DNS system. The platform can’t configure DNSSEC for you because it does not have access to your DNS system. It does support mapping your DNSSEC-enabled custom domain to your applications hosted on the platform: see DNSSEC support for the CDN service and DNSSEC support for the custom domain service.

Additional details are available in the System Security Plan, including controls SC-20, SC-21, SC-22, and SC-23.