Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guidelines on Active Content and Mobile Code



Wayne Jansen


[Superseded by SP 800-28 Version 2 (March 2008):] Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it can also become a source of vulnerability for exploitation by an attacker. The purpose of this document is to provide an overview of active content and mobile code technologies in use today and offer insights for making informed IT security decisions on their application and treatment. The discussion gives details about the threats, technology risks, and safeguards for end user systems, such as desktops and laptops. Although various end user applications, such as email clients, can involve active content, Web browsers remain the primary vehicle for delivery and are underscored in the discussion. The tenets presented for Web browsers apply equally well to other end user applications and can be inferred directly.
Special Publication (NIST SP) - 800-28
Report Number


Active content, email security, malware, mobile code, Web security


Jansen, W. (2001), Guidelines on Active Content and Mobile Code, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed May 18, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created October 17, 2001, Updated November 10, 2018