The security.txt file

Forum Moderators: phranque

Message Too Old, No Replies

The security.txt file

keyplyr

3:42 am on Feb 27, 2018 (gmt 0)

“The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.”

source: [securitytxt.org...]

The security.txt file should be placed in the /.well-known/ directory. If you cannot use this directory, use the base level directory.

Example of security.txt content:

Contact: mailto:example@example.com

Contact: tel:+1-###-###-####

Contact: https://www.example.com/contact.html

Encryption: https://www.example.com/pgp-key.txt*

Policy: https://www.example.com/policy.html

*If you store your own Public Key, use that path. If it is stored remotely & is HTTP accessible, use that URI. If unknown, leave blank.

Other optional fields explained here. [securitytxt.org]

- - -

TravisDGarrett

10:23 am on Feb 27, 2018 (gmt 0)

Reminds me of P3P, even if the purpose was not the same, most of these information were already included in the P3P file...

phranque

1:26 pm on Feb 27, 2018 (gmt 0)

or the humans.txt file [webmasterworld.com]...

keyplyr

6:45 pm on Feb 27, 2018 (gmt 0)

Apples and oranges. This is web security.

I've been seeing several requests for security.txt each week from different agencies.

lucy24

8:03 pm on Feb 27, 2018 (gmt 0)

I've been seeing several requests for security.txt each week from different agencies.

Also dnt-policy.txt in the /.well-known/ directory.

Is there a thread that explains the history and purpose of .well-known?

keyplyr

8:05 pm on Feb 27, 2018 (gmt 0)

.well-known is a hidden directory that is purposed for site-wide metadata. [serverfault.com...]

lucy24

11:28 pm on Feb 27, 2018 (gmt 0)

purposed for site-wide metadata

Ah, thanks.

:: wandering off to code a manual 404 for /.well-known/ requests, since I don't have the directory and it saves trouble all around ::