“Extended Code Guardrails” (XCG) was jointly developed by GovTech’s Cyber Security Group (CSG) and A*STAR’s Institute for Infocomm Research to eliminate the undesirable effects of insecure code through a secure-by-default framework. XCG brings web application security to the next level by removing or limiting insecure behaviours in applications. Hence, the impact of vulnerabilities is reduced or removed, even when developers write insecure code by accident.
Many of the vulnerabilities that XCG addresses are high-risk in nature, found in the OWASP Top-10, and have been around for over 20 years. These include “Cross-site Scripting” (XSS), “OS command injection”, and “Indirect Object References (IDOR)”.
XCG uses Django, a high-level Python web framework that encourages rapid development. Built and maintained by experienced developers, Django handles many web application development hassles, so developers can focus on writing apps without reinventing the wheel.
XCG is supported by the Smart Nation and Digital Government Office (SNDGO) and the National Research Foundation (NRF), under the Public Sector Translational R&D Grant Funding Initiative (TRANS Grant).
How It Works
XCG comprises several independent Django modules that alter Django’s behavior to close security gaps. Each module safeguards the application from a specific category of vulnerability, with minimal configuration or modification to the application.
Developers can incorporate XCG modules in their existing Django web applications or build a fresh Django web application with XCG starter kits.
- Enhances security of web applications
- Increases speed of application development
- Enables developers to focus on coding functional behavior for the application, instead of reimplementing or incorporating security controls in an insecure way
XCG is free and can be used for any Singapore government projects.
Reach out to the product team with your queries or feedback through this form.
Last updated 18 August 2023
Thanks for letting us know that this page is useful for you!
If you've got a moment, please tell us what we did right so that we can do more of it.
Thanks for letting us know that this page still needs work to be done.
If you've got a moment, please tell us how we can make this page better.