Todays blog post is a simple thing, that a co-worker made me aware of. Do you have some service available on the internet? Would you like to know if there are security vulnerabilities in the service? And would like to ease the life of security researchers if they find such a vulnerability?

For exactly this use case, there is the convention of having a security.txt. Basically this is just a text file placed under /.well-known/security.txt which specifies some parameters on who and how to contact, in case someone found vulnerabilities.

Creating the file

The content of the file can be easily crafted manually (see RFC 9116) or you can use a generator, e.g. https://securitytxt.org

There are several options, but the minimal file can be as simple as:

Contact: mailto:admin@example.com
Expires: 2023-03-31T00:00:00.000Z

If you want to sign it with your GPG key, it is recommended to include the canonical URL. The signing itself you should do on your local machine with gpg --clear-sign security.txt

Publishing the file

To make the security.txt available on all subdomains, I added this snippet to all my nginx server configurations:

location = /.well-known/security.txt {
    alias /srv/security.txt;
}

Additionally it is recommended to also make the security.txt available under /security.txt. For this I added some redirects:

location = /security.txt {
    return 301 https://$host/.well-known/security.txt;
}

And tadaa, it is available under https://blog.simon-dreher.de/.well-known/security.txt