
    Overview

    vets-website uses modern browser features to provide a secure experience for veterans. In general, these features are automatically included through the deployment process and require no configuration by front end engineers.

    This is an overview, not an implementation guide. These rules apply to VA.gov production environments. Not all security features will be used in local, development, or staging environments.

    HTTPS

    • All connections made to VA.gov must be secure (HTTPS)
    • VA.gov implements HSTS (HTTP Strict Transport Security) and automatically redirects to a secure protocol if a non-secure connection is attempted

    Cross-Origin Resource Sharing (CORS)

    • Some cross-origin connections made to VA.gov must support CORS, including all XHR connections and web font downloads.
    • Updates to CORS headers returned by vets-api services or vets-website assets must be made through the devops team and must be reviewed by the VA platform frontend cop. Example:
      • Your application is on a VA.gov subdomain, needs to connect to vets-api, but is not currently listed in the allowed origins
    • More info on CORS
    • CORS configurations:

    Content Security Policy (CSP)

    • All VA.gov pages return a Content Security Policy header that allows only known scripts to run on the page
    • The CSP is enforced, i.e. not set to report-only
    • The report-uri points to a VA platform error capturing service (Sentry)
      • VA.gov throttles these reports by including the report-uri only on a small percentage of responses
    • Updates to CSP headers returned by vets-website assets must be made through the devops team and must be reviewed by the VA platform frontend cop
    • More info on CSP
    • CSP configurations:
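    As an added illustration (not vets-website or devops code), the following Python encodes the production rules above as a header audit: HTTPS with HSTS, an enforced (not report-only) CSP that restricts scripts, an exact-match CORS origin allow-list, and sampled inclusion of the report-uri. The header values, origins and the 5% sampling rate are constructed assumptions; the page gives no actual values.

```python
"""Audit HTTP response headers against the VA.gov rules described above.
Constructed example; header values, origins and sample rate are made up."""
from typing import Dict, List

REPORT_URI_SAMPLE_RATE = 0.05  # assumption: the page only says "a small %"
ALLOWED_ORIGINS = {"https://www.va.gov", "https://staging.va.gov"}  # constructed


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: Dict[str, str], scheme: str = "https") -> List[str]:
    """Return findings for a page response; an empty list means it meets the rules."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if scheme != "https":
        findings.append("connection is not HTTPS")
    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("HSTS header missing or has no max-age")
    csp = h.get("content-security-policy")
    if csp is None:
        # A Content-Security-Policy-Report-Only header alone blocks nothing.
        findings.append("CSP not enforced (missing or report-only)")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts or "*" in scripts or "'unsafe-inline'" in scripts:
            findings.append("script-src does not restrict to known scripts")
    return findings


def cors_origin_allowed(origin: str) -> bool:
    """Exact-match allow-list check for cross-origin XHR and web font requests."""
    return origin in ALLOWED_ORIGINS


def with_sampled_report_uri(csp: str, report_uri: str, draw: float) -> str:
    """Append report-uri to only a sampled fraction of responses.

    `draw` is a uniform [0, 1) value from the caller's RNG, passed in so the
    decision is deterministic and testable."""
    if draw < REPORT_URI_SAMPLE_RATE:
        return f"{csp.rstrip('; ')}; report-uri {report_uri}"
    return csp
```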