Managing service domains

Once you have a service domain name, you can set up subdomains for different environments. You must keep these subdomains secure.

This guidance only applies to domains. For more information about non-service domains, follow the guidance on naming and registering government websites.

Create additional subdomains

After you get a public-facing domain name, you can create additional subdomains (for example, for different environments).

You should try to avoid creating separate domains for APIs unless it makes sense for your service, for example if you need to meet different availability criteria for your API than for the user-facing service.

This means you must make sure your service is only accessible through HTTPS with an HTTP Strict Transport Security (HSTS) configuration.

Setting up domains for multiple environments

You should have multiple ‘environments’ for the staging, testing and live (also known as ‘production’) versions of your service.

Using separate staging and testing environments will allow you to assess the accuracy and quality of the service before it goes live.

You should structure your staging and testing environment subdomains to follow the same format as the subdomains in your live service, for example

Protect any testing and staging domains, including APIs, with a username and password.

If the service is a private alpha or private beta release, you must protect it with a username and password that’s known only to your development team and any users testing the service.

Securing your domain name

You must make sure that your domain can only be accessed through HTTPS. Your service must not accept HTTP connections under any circumstances.

This will make sure that any personal information your service collects from users can’t be intercepted by malicious third parties as it travels over the internet.

Once you have set up HTTPS, you must enable HTTP Strict Transport Security (HSTS) on any production domains, for example You can do this by setting an HTTP response header such as Strict-Transport-Security: max-age=31536000; includeSubDomains for 14 days.

Once you’re confident that HSTS is working, you should increase the timescale to up to one year.
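
A check you could run over captured responses from a production domain, as an added example (not code from the original guidance): it parses the Strict-Transport-Security value following RFC 6797 and flags the failures the guidance above is meant to prevent. The function names, the sample responses and the choice to flag a missing includeSubDomains are assumptions made for this example.

```python
import re

FOURTEEN_DAYS = 14 * 24 * 60 * 60   # 1209600 seconds, the initial rollout period
ONE_YEAR = 365 * 24 * 60 * 60       # 31536000 seconds, the long-term value

def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains); raise ValueError if the
    value does not match the RFC 6797 grammar, so browsers would discard it."""
    directives = {}
    for part in value.split(";"):          # directives are separated by ';'
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if not name:
            continue                       # tolerate empty parts such as a trailing ';'
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError(f"max-age missing or not a number: {max_age!r}")
    return int(max_age), "includesubdomains" in directives

def audit(scheme, headers):
    """Findings for one response from a production domain (empty list = pass)."""
    if scheme != "https":
        return ["answered over HTTP; browsers ignore HSTS sent on plain HTTP"]
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    try:
        max_age, subdomains = parse_hsts(value)
    except ValueError as exc:
        return [f"header invalid, policy not applied: {exc}"]
    findings = []
    if max_age < FOURTEEN_DAYS:
        findings.append(f"max-age {max_age}s is shorter than 14 days")
    if not subdomains:                     # assumption: treated as required here
        findings.append("includeSubDomains not set")
    return findings

# Constructed sample responses (not captured from a real service)
SAMPLES = [
    ("https", {"Strict-Transport-Security": "max-age=1209600; includeSubDomains"}),
    ("https", {"strict-transport-security": "max-age=31536000, includeSubDomains;"}),
    ("https", {"Strict-Transport-Security": "max-age=3600"}),
    ("http", {}),
]
```

The second sample uses a comma where the separator must be a semicolon, so the whole value fails to parse and no policy is stored, even though the header is present.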

Emailing your users

If you want to use your service domain to send emails to users, you must follow the government guidance on emailing your users to make sure they get your emails and to protect them from spam and phishing.

If you won’t send emails from your service domain

If you don’t intend to email users from your service domain, you must make sure it’s protected from spoofing attacks.

You may also find the Deciding how to host your service guide useful.

Last update:

Clarified the guidance on creating and managing subdomains.

  1. Opening line changed to clarify this guidance is only for domains.

  2. Guidance first published