We have recently started using a new-to-us web server security scanner that amongst other things will highlight the absence of a file – security.txt – in the root of the web server. And thus this blog entry explaining what it is, why we need it, and what the contents should be.
Note that this is not a HTML page but a plan text page and must be installed as such.
The intention behind security.txt is to provide a mechanism by which those who encounter security issues with a web site can make contact in an approved manner. To those who argue that the information is available elsewhere, the counter-argument is that it is a lot more helpful to have information available in a standardised location.
The minimum file should contain :-
Contact: email@example.com Preferred-Languages: en
You can add a second line for an additional contact if you wish :-
Contact: firstname.lastname@example.org Contact: email@example.com Preferred-Languages: en
The file must be named as precisely security.txt and must be either in the root of the web server “document root” or within a standard subdirectory (/.well-known/security.txt) (compliant with RFC8615).