Managing domain names

You need to set up subdomains and manage them to make sure your service is secure and users can find it using search engines. This guidance only applies to domains.

Find out how to get a domain name.

Meeting the Digital Service Standard

To pass point 5 (iterate and improve frequently) in your service assessments, you must show how you manage your service domain names.

Creating additional subdomains

After you get a public-facing domain name, you can create additional subdomains, for example for development environments. You shouldn’t create separate domains for application programming interfaces (APIs).

You should also read the using HTTPS guide to find out how to serve your assets efficiently.

Setting up domains for multiple environments

You should have multiple ‘environments’ for the development, testing and live (also known as ‘production’) versions of your service.

Using separate development and testing environments will allow you to assess the accuracy and quality of the service before it goes live.

You should structure your environment subdomains to follow the same format as the subdomains in your live service, for example

Protect any testing and development domains, including APIs, with a username and password.

If the service is a private alpha or private beta release, you should also protect it with a username and password that’s known only to your development team and any users testing the service.

Securing your domain name

You must make sure that your domain can only be accessed through HTTPS. Your service must not accept HTTP connections under any circumstances.

This will make sure that any personal information your service collects from users can’t be intercepted by malicious third parties as it travels over the internet.

Once you have set up HTTPS, you must enable HTTP Strict Transport Security (HSTS) on any production domains, for example

You can do this by setting an HTTP response header such as Strict-Transport-Security: max-age=1209600; includeSubDomains for 14 days. The max-age value is given in seconds, and the directives are separated by semicolons.

Once you’re confident that HSTS is working, you should increase the timescale to up to one year.
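The following is an added example, not part of the original guidance: a small Python check that parses a Strict-Transport-Security value and tests it against the staged rollout described above (14 days first, then up to one year). The function names and sample header values are assumptions made for illustration.

```python
import re

FOURTEEN_DAYS = 14 * 24 * 60 * 60   # 1209600 seconds, the initial period in the guidance
ONE_YEAR = 365 * 24 * 60 * 60       # 31536000 seconds, the upper end in the guidance


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Follows RFC 6797 section 6.1: directives are separated by ';', names are
    case-insensitive, and a repeated directive makes the header invalid.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # tolerate a trailing ';'
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"') if sep else None
        if not re.fullmatch(r"[a-z0-9!#$%&'*+.^_`|~-]+", name) or name in directives:
            raise ValueError(f"malformed or repeated directive: {part!r}")
        directives[name] = arg
    return directives


def audit_hsts(value, minimum=FOURTEEN_DAYS):
    """Return a list of findings; an empty list means the header meets the policy."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    max_age = d.get("max-age") or ""
    if not re.fullmatch(r"[0-9]+", max_age):
        findings.append("max-age missing or not a number of seconds")
    elif int(max_age) < minimum:
        findings.append(f"max-age {max_age} is below the required {minimum}")
    elif int(max_age) > ONE_YEAR:
        findings.append(f"max-age {max_age} exceeds one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the second uses ',' where ';' is required.
    for header in ("max-age=1209600; includeSubDomains", "max-age=31536000, includeSubDomains;"):
        print(header, "->", audit_hsts(header) or "ok")
```

After the trial period, call audit_hsts with minimum=ONE_YEAR to confirm the longer value has been deployed.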

Using robots.txt and root level redirections

You should make sure users always begin on the GOV.UK start page for your service.

To do this, you need to:

  • ask search engines not to index pages on your domain
  • direct users to the relevant GOV.UK start page if they go to the service’s domain name

To do this, you must have a robots.txt file on all subdomains. The robots.txt file must ask search engines not to index any part of the site and should include:

User-agent: *
Disallow: /

You should also serve this meta tag on every page: <meta name="robots" content="noindex, nofollow">

You must also have an HTTP 301 redirection from the top-level index page of the www and assets subdomains to your service’s GOV.UK start page. This means that your service’s GOV.UK start page shouldn’t link to the root of the www domain.

Emailing your users

If you want to use your service domain to send emails to users, you must follow the How to email your users guide to make sure they get your emails and protect them from spam and phishing.

If you won’t send emails from your service domain

If you don’t intend to email users from your service domain, you must make sure it’s protected from spoofing attacks.

Use Common Technology Services (CTS) guidance to find out how to protect domains that don’t send email.

You may also find the Deciding how to host your service guide useful.

Published by: Standards and assurance community

Last update: Opening line changed to clarify this guidance is only for domains.
