In June 2020, DotGov issued an announcement concerning HTTP Strict Transport Security (HSTS) and automatic preloading of .gov domains. To summarize: starting September 1, 2020, any newly issued .gov domains will only be accessible via HTTPS, and, at some point in the future, this will affect all .gov domains.
To be in compliance, all .gov domains issued after September 1st, 2020 will need to have valid Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates applied to the bindings of each .gov domain on the hosting provider’s web server. Previously issued .gov domains will also need valid certificates applied before the .gov Top-Level Domain (TLD) preloading occurs, at some point in the future.
If You Are a .gov Domain Owner
- To prepare for any upcoming changes, you can ensure you are compliant by checking to see whether https://[yourdomainhere].gov loads on your CivicPlus website.
- If this does not load, first check to ensure HTTP loads. If HTTP also does not load, check to see if the Domain Name System (DNS) record for the domain is pointing to the IP of your site.
- If HTTP loads but HTTPS does not, you may need to purchase an SSL certificate for the domain. Please contact your CivicPlus Customer Success Manager or account manager to get set up with an SSL certificate for the domain.
- Once you are set up with HTTPS, you can take additional steps to avoid mixed content errors and enable HTTPS-only to redirect any insecure domains or HTTP requests to HTTPS.
- If you are currently covered by a Distributed Denial-of-Service (DDoS) Advanced Security package or Platinum Security package for the domain, you can contact CivicEngage Support to have HSTS enabled now, before it is enforced by the TLD preloading measures.
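The checks in the list above can be scripted. The following is an added Python example, not CivicPlus or DotGov code: it probes HTTPS with certificate validation, falls back to HTTP and DNS, and reads the Strict-Transport-Security response header. The hostname `example.gov`, the address `192.0.2.10` and all function names are placeholders chosen for this example.

```python
import http.client
import socket
import ssl

def parse_hsts(value):
    """Split a Strict-Transport-Security header value into its directives."""
    directives = {}
    for part in (value or "").split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives

def probe(host, use_tls, timeout=5):
    """Return (loads, hsts_header). The TLS probe fails on an invalid certificate."""
    try:
        if use_tls:
            ctx = ssl.create_default_context()  # verifies chain and hostname
            conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("HEAD", "/")
        header = conn.getresponse().getheader("Strict-Transport-Security")
        conn.close()
        return True, header
    except (OSError, http.client.HTTPException):
        return False, None

def resolves_to(host, site_ip):
    """True if the domain's DNS records include the site's IP address."""
    try:
        return site_ip in {i[4][0] for i in socket.getaddrinfo(host, 443)}
    except socket.gaierror:
        return False

def diagnose(https_ok, http_ok, dns_ok, hsts_header):
    if https_ok:
        age = parse_hsts(hsts_header).get("max-age", "")
        enabled = age.isdigit() and int(age) > 0  # max-age=0 switches HSTS off
        return "HTTPS loads; HSTS " + ("enabled" if enabled else "not enabled")
    if http_ok:
        return "HTTP loads but HTTPS does not: certificate needed"
    if not dns_ok:
        return "Nothing loads: DNS record does not point to the site IP"
    return "Nothing loads although DNS is correct (not covered by the steps)"

if __name__ == "__main__":
    host, site_ip = "example.gov", "192.0.2.10"  # placeholders, not real values
    https_ok, hsts = probe(host, True)
    print(diagnose(https_ok, probe(host, False)[0], resolves_to(host, site_ip), hsts))
```

A redirect from HTTP to HTTPS still counts as HTTP loading here, since the server answered the request.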