Implementing security.txt.
A new standard has been proposed that gives web sites a way to publish how security-related issues should be reported. A “security.txt” file containing the relevant information should be placed in the “.well-known” directory of the web server.
The securitytxt.org website has a form that allows you to quickly generate the text to be included in the “security.txt” file.
Copy the text just generated and paste it into the appropriate security.txt file on your web server.
To do this, first go to the root directory of your web server, in our case “/var/www/virtual/example.com/htdocs”.
# cd /var/www/virtual/example.com/htdocs
Now create a new directory “.well-known”:
# mkdir .well-known
Create the security.txt file with the following information:
# vi security.txt
Contact: https://example.com/contact/
Expires: 2024-02-12T23:00:00.000Z
Canonical: https://example.com/.well-known/security.txt
Encryption: https://example.com/gpg.asc
Note that for “Contact”, we refer to a contact form on the web site to avoid putting an email address in the file, where it is prone to email scraping. Furthermore, make sure the expiration date is less than one year away and that “example.com” is replaced by the relevant domain name of your website.
To comply with applicable standards, the security.txt file should be digitally signed. To do this, we must first create a GPG key.
If you are working with virtual hosts you must generate a new key for each domain.
# gpg --gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.
Enter the domain after “Real name” when prompted.
Real name: example.com
Next enter “Email address” when prompted.
Email address: info@example.com
Enter “O” for okay to finish the process and create the key.
You selected this USER-ID: "example.com <info@example.com>" Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
Enter the password (twice) when prompted.
Export the public key to a file we call gpg.asc and save it in the web root.
# gpg --export -a --output ./gpg.asc info@example.com
Change the owner of the file to the user assigned to the web server, in our case “www-data”.
# chown www-data:www-data gpg.asc
Using the new key, sign the security.txt file.
# gpg -u info@example.com --clear-sign security.txt
This process will ask you for the password you used when creating the key initially and will create a new file, security.txt.asc.
Finally, we can copy the signed file security.txt.asc to the .well-known directory, where the file is also renamed security.txt.
# cp security.txt.asc .well-known/security.txt
To verify that your security.txt meets all the requirements and that the digital signature is valid, you can run an online test at internet.nl or, better, at Uriports.
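If you want to run the same structural checks yourself before (or instead of) using an online tester, the following Python script is an added example, not code from the original page or from securitytxt.org. It strips the clear-sign armor that the gpg step above produces, parses the fields, and checks the points this page calls out: a Contact line that is a URI, an Expires line that is in the future and less than one year away, and a Canonical line that matches the URL the file is served from. The sample file, the served-from URL and the fixed check times are constructed for the demonstration. Verifying the signature itself is still done with gpg (for example `gpg --verify .well-known/security.txt`); this script only checks the content.

```python
"""Check a security.txt file (plain or PGP clear-signed) for the
requirements described on this page. The signature is not verified here;
use `gpg --verify` for that. Added example, not the page's own code."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")


def strip_clearsign(text):
    """Return the signed body of a clear-signed file, or the text unchanged."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    # Skip armor headers such as "Hash: SHA256" up to the first blank line,
    # so they are not mistaken for security.txt fields.
    i = 1
    while i < len(lines) and lines[i].strip() != "":
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        # Clear-signing dash-escapes body lines that start with "-".
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_fields(text):
    """Map each field name to the list of values it appears with."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an ISO 8601 timestamp; accepts a trailing 'Z' on older Pythons."""
    v = value.strip()
    if v.endswith("Z"):
        v = v[:-1] + "+00:00"
    return datetime.fromisoformat(v)


def validate(text, served_at, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(strip_clearsign(text))
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for value in fields.get("Contact", []):
        if "://" not in value and not value.startswith(("mailto:", "tel:")):
            problems.append(f"Contact is not a URI: {value}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            exp = parse_expires(value)
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value}")
            continue
        if exp.tzinfo is None:
            problems.append("Expires lacks a timezone")
        elif exp <= now:
            problems.append("security.txt has expired")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year away")
    canonical = fields.get("Canonical", [])
    if canonical and served_at not in canonical:
        problems.append(f"Canonical does not list the served URL: {served_at}")
    return problems


# Constructed sample: the page's file as gpg --clear-sign would wrap it,
# with a placeholder where the real base64 signature block would be.
SAMPLE_SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: https://example.com/contact/
Expires: 2024-02-12T23:00:00.000Z
Canonical: https://example.com/.well-known/security.txt
Encryption: https://example.com/gpg.asc
-----BEGIN PGP SIGNATURE-----

(constructed placeholder for the signature block)
-----END PGP SIGNATURE-----
"""
SERVED_AT = "https://example.com/.well-known/security.txt"  # assumed URL
CHECK_TIME = datetime(2023, 6, 1, tzinfo=timezone.utc)      # constructed "now"
LATE_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)       # after Expires

if __name__ == "__main__":
    for when in (CHECK_TIME, LATE_TIME):
        print(when.date(), validate(SAMPLE_SIGNED, SERVED_AT, now=when) or "OK")
```

Run it against your own file with `validate(open(".well-known/security.txt").read(), "https://yourdomain/.well-known/security.txt")`; a non-empty list tells you which of the page's requirements the file misses, and re-running it after the year rolls over catches the expired-file case that is easy to forget.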