Security policy
This policy describes the technical and organisational measures the Goa Football Development Council (GFDC) takes to protect this website and the information citizens submit through it.
1. Framework
This site is secured in line with the Guidelines for Indian Government Websites and Apps (GIGW 3.0), the Information Technology Act, 2000 (as amended) and the security advisories issued by the Indian Computer Emergency Response Team (CERT-In).
2. Hosting and infrastructure
- The site is hosted within India on infrastructure certified to the standards prescribed for government websites.
- The operating system and web server are kept current with security patches.
- Administrative access to the server is restricted to a small group of authorised personnel and is audited.
3. Transport security
- HTTPS is enforced site-wide. HTTP requests are redirected to HTTPS.
- TLS 1.2 or higher is required; legacy protocols are disabled.
- Strict-Transport-Security (HSTS) is enabled.
4. Application security
- The application is developed following the OWASP Top 10 secure-coding practices.
- All user input is validated and sanitised on the server. Database access uses parameterised queries.
- Forms are protected against cross-site request forgery (CSRF).
- The Content Security Policy header restricts the scripts, styles and images the browser will load.
- Sensitive data — passwords, tokens, identification numbers — is never placed in URLs, browser storage or logs.
5. Audit and testing
- An annual vulnerability assessment and penetration test is performed by a CERT-In empanelled auditor.
- A re-audit is performed after every major release.
- Audit findings are tracked to closure; the site does not go live with an open critical or high-severity finding.
6. Backup and recovery
Content and code are backed up daily and verified. The Contingency Management Plan sets out the Recovery Time and Recovery Point Objectives in detail.
7. Visitor responsibilities
Visitors are requested to use a current browser, keep their operating system patched, and report any suspicious behaviour they observe on this website.
8. Reporting a vulnerability
If you believe you have identified a security vulnerability in this website, please report it responsibly to contact[at]gfdc[dot]in. Please include a clear description and the steps required to reproduce the issue. We will acknowledge receipt within three working days and keep you informed as we investigate. Please do not publicly disclose the vulnerability before it has been addressed.
