Skip to main content
undefined
undefined

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

undefined

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Automated Site Reports

Automated Site Reports are a new feature being offered by Pages.

Users can generate scheduled or on-demand reports which check their website for security vulnerabilities, accessibility violations, and other relevant information to help improve their site. These reports are generated monthly or can be requested manually from the build history page. There are currently two reports available: ZAP Security Report and WCAG Accessibility Report.

ZAP Security Report

The ZAP Security Report tests your published website for common security vulnerabilities. It uses the Zed Attack Proxy (ZAP) software to passively scan the site for vulnerabilities but does not perform any attack or attempt to maliciously modify your site code. Example security findings include unintended exposure of sensitive data, SQL injection opportunities, cross-site scripting (XSS) flaws, and the use of components with known vulnerabilities. More details about the mechanisms used to generate this report and the resulting file output can be found at ZAP - Baseline Scan

WCAG Accessibility Report

This report identifies website accessibility violations from Section 508 and the latest WCAG version. The report is generated by first crawling your website to identify all pages to test. It then uses the open source portion of axe  to identify accessibility violations. The final report is a custom documented generated from the axe  output. Note that for sites without a page at the root of their domain, this report will fail because the site crawler will not find any pages.

Configuration

Automated Site Reports will automatically suppress certain findings which are irrelevant for statically hosted websites, based on unconfigurable server settings, or frequently produce ‘false positive’ findings for our customers.

False Positives

The following rules are suppressed because they are triggered by false findings: Source Code Disclosure , Hash Disclosure - MD4 / MD5  (in the /assets/styles  folder only)

Unconfigurable Server Settings

The following rules are suppressed because they are not able to be configured by the end user: Content Security Policy (CSP) Header Not Set , Permissions Policy Header Not Set , Cross-Domain Misconfiguration , Insufficient Site Isolation Against Spectre Vulnerability 

Other Exclusions

The following rules are suppressed because they demonstrate correct use of TTS properties (Digital Analytics Program and Search.gov) which nonetheless trigger security findings: Cross-Domain JavaScript Source File Inclusion , Absence of Anti-CSRF Tokens , Sub Resource Integrity Attribute Missing .

Details for certain suppressed findings are below:

Content Security Policy (CSP) Header Not Set

Pages sets headers for all sites with a single proxy application. Because headers cannot be managed per-site, this header is not set. To achieve nearly identical Content Security Policy (CSP) protection, site developers can add meta  tags to each page describing the CSP rules

ZAP link

Cross-Domain JavaScript Source File Inclusion

Inclusion of the Digital Analytics Program and Search.gov JavaScript files is the recommend pattern for using both services:

ZAP link

Absence of Anti-CSRF Tokens

The Search.gov search form does not perform actual HTML form submission and thus does not require a CSRF token.

ZAP link

Sub Resource Integrity Attribute Missing

The Digital Analytics Program does not currently publish scripts with a Sub Resource Integrity Attribute

ZAP link