Rob's web

Security.txt

security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily.[1] The standard prescribes a text file called security.txt in the well-known location, similar in syntax to robots.txt but intended to be machine- and human-readable, for those wishing to contact a website's owner about security issues.

Location

Store the file in the /.well-known directory.

The file must be served over HTTPS, for example https://www.example.com/.well-known/security.txt.

Creating a security.txt file

Security.txt is a plain text file that you can write yourself or generate with a wizard like securitytxt.org.

Copy the text into a text file and save it.

The encryption key is the user's PGP key.

The file below is the minimum.

# cd 
# vi security.txt
Expires: 2025-09-30T21:59:00.000Z
Contact: mailto:webmaster@example.com
Encryption: https://www.example.com/.well-known/pgp-key.txt
Preferred-Languages: nl, en, de
Canonical: https://www.example.com/.well-known/security.txt
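A small checker for files like the one above, added here as an example (it is not part of this page or of any online validator): it accepts a plain or PGP clear-signed security.txt, extracts the fields, and reports the RFC 9116 problems a validator would also flag, including the easy slip of a space after "mailto:". The field names are those of the standard; the sample input and the fixed clock are constructed.

```python
# Added example, not from the original page: a minimal security.txt checker.
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")          # mandatory fields in RFC 9116
SCHEMES = ("mailto:", "https://", "tel:")  # URI schemes accepted for Contact

def strip_clearsign(text):
    """Return the message body of a clear-signed file, or text unchanged."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    start = lines.index("", 1) + 1             # skip the "Hash:" armor headers
    end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end])  # undo dash-escaping

def parse_fields(text):
    """Return (name, value) pairs, skipping comments and blank lines."""
    fields = []
    for line in strip_clearsign(text).splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def check(text, now=None):
    """Return the problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems = ["missing required field " + r for r in REQUIRED if r not in dict(fields)]
    for name, value in fields:
        if name == "Contact":
            if not value.startswith(SCHEMES):
                problems.append("Contact is not a URI: " + value)
            elif " " in value:                 # e.g. "mailto: user@host" is invalid
                problems.append("Contact URI contains whitespace: " + value)
        elif name == "Expires":
            try:
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append("Expires is not RFC 3339: " + value)
                continue
            if exp <= now:
                problems.append("Expires is in the past")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away")
    return problems

# Constructed sample: the page's minimal file with a stray space after "mailto:",
# checked against a fixed clock so the result is reproducible.
SAMPLE = "Expires: 2025-09-30T21:59:00.000Z\nContact: mailto: webmaster@example.com\n"
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
```

Running `check(SAMPLE, SAMPLE_NOW)` reports the whitespace in the Contact URI; with the space removed the sample passes.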

Signing the file

Creating the key-pair

First we need a key pair for signing. If you already have one, you can skip this step.

# cd
# gpg --full-generate-key

gpg will ask you to enter a passphrase; spaces are allowed.

We need to generate a lot of random bytes. It is a good idea to perform
.....
gpg: key .... marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/.....rev'
public and secret key created and signed.
.....
# gpg --list-keys

We can sign security.txt now.

Signing security.txt

# gpg --clear-sign security.txt

Enter the passphrase. It will write the signed file as security.txt.asc.

# gpg --verify security.txt.asc
.....
gpg: WARNING: not a detached signature; file 'security.txt' was NOT verified!
# cp security.txt.asc /srv/www/vhosts/www.example.com/httpsdocs/.well-known/security.txt

Use the tool on internet.nl (Dutch) or internet.nl (English) to check whether you have implemented security.txt correctly. If the test does not pass, internet.nl will indicate what needs to be improved.

The only remaining issue is that there is no way to verify the signature on security.txt.