Skip to content

Instantly share code, notes, and snippets.

@cwage

cwage/nashville-gov-security-report.md

Created March 18, 2026 05:47
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save cwage/f4324a60f9b6c7dad02aa705ae72e14d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save cwage/f4324a60f9b6c7dad02aa705ae72e14d to your computer and use it in GitHub Desktop.
Download ZIP
Nashville.gov Web Security Findings — 2026-03-18
Raw
nashville-gov-security-report.md

Nashville.gov — Web Security Findings

Date: 2026-03-18 Method: External-only analysis of publicly accessible information (DNS, HTTP headers, HTML forms, TLS certificates). No systems were accessed, exploited, or tested beyond what any web browser does.

Summary

A review of 75 nashville.gov subdomains found that two court e-filing portals have unprotected login pages, and the majority of the city's web services are missing standard security headers that modern browsers rely on to protect users.

Key Findings

1. Court E-Filing Login Pages Are Unprotected

efile.nashville.gov and circuitefile.nashville.gov — used by attorneys and the public to file court documents — have login forms with no cross-site request forgery (CSRF) protection. Their session cookies lack security flags that prevent them from being stolen or misused.

In plain terms: a malicious website could potentially trick a user's browser into submitting credentials to these portals, or steal an active session. The login pages can also be embedded invisibly in other websites (clickjacking).

2. Most City Websites Are Missing Security Headers

Out of 61 reachable city websites:

Protection Missing On
Content-Security-Policy 67%
X-Frame-Options (clickjacking prevention) 64%
Strict-Transport-Security (force HTTPS) 54%

These are standard protections that can be deployed centrally in minutes via the city's web infrastructure. Their absence leaves users more exposed to phishing, session theft, and content injection.

3. Other Notable Issues

  • dcso.nashville.gov (Sheriff's Office) and paytraffic.nashville.gov (traffic tickets) have search forms without CSRF protection
  • engage.nashville.gov (civic engagement) sets 9 cookies without SameSite flags, scoped broadly to all of nashville.gov
  • epermits.nashville.gov (building permits) displays verbose internal error messages to the public
  • 14 subdomains still have public DNS records but are no longer serving content — unnecessary attack surface
  • Internal server names and infrastructure details are leaking through session cookies and TLS certificates

Recommendations

  1. Immediately fix the efile/circuitefile login forms — add CSRF tokens and secure the session cookies
  2. Deploy security headers across all city web properties at the load balancer or reverse proxy level — this is a single configuration change that protects everything
  3. Audit cookies across all applications for proper SameSite, Secure, and HttpOnly flags
  4. Clean up DNS — remove records for the 14 decommissioned services

What This Is (and Isn't)

This report is based entirely on publicly visible information — the same things any visitor's web browser sees when loading these pages. No passwords were guessed, no systems were accessed, and no vulnerabilities were exploited. The findings describe what an attacker could observe and potentially leverage, not what was actually done.

A full technical report with evidence and scan data is available on request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment