|
|
| Line 1: |
Line 1: |
| [[image:Rome (Italy), Padlock at Ponte Palatino -- 2013 -- 3.jpg|thumb|[Image.]  A "<code>/security.txt</code>" file helps to make your website more secure by providing a standardized means for security researchers to contact you about any security vulnerabilities discovered on your website.  Photo depicts a secured red padlock with a heart-shaped pattern of glittery sequins. <ref><code>[[commons:category:padlocks]]</code></ref> <ref><code>[[commons:category:padlocks by color]]</code></ref> <ref><code>[[commons:category:red padlocks]]</code></ref>]] | | #redirect [[Solar System by orbit#Uranian System]] |
|
| |
|
| The SECURITY website protocol involves adding a plaintext file of "<code>/security.txt</code>" and/or "<code>/.well-known/security.txt</code>" that provides information about how to contact the website administrator in the case that any security vulnerabilities are discovered on the website. <ref><code>https://www.rfc-editor.org/rfc/rfc9116</code></ref> <ref><code>https://www.securitytxt.org/</code></ref>
| | [[category:astronomy]] |
| | |
| == documentation ==
| |
| | |
| * [https://www.rfc-editor.org/rfc/rfc9116 Internet Society Request for Comments (RFC) 9116: A File Format to Aid in Security Vulnerability Disclosure]
| |
| * [https://www.securitytxt.org/ <code>security.txt</code>: A Proposed Standard Which Allows Websites to Define Security Policies]
| |
| * [[wikipedia:security.txt|<code>security.txt</code> (Wikipedia)]]
| |
| | |
| == editor ==
| |
| | |
| {{webtext editor}}
| |
| | |
| == HUMANS ==
| |
| | |
| SECURITY is somewhat redundant with <u>[[HUMANS]]</u> and more technical to set up and use.  If you already have "<code>/humans.txt</code>" then you don't really need "<code>/security.txt</code>" but it can be helpful as it provides a standardized way for security researchers (as opposed to any human) to reach you in case a security vulnerability is discovered on your website.
| |
| | |
| * <u><code>https://www.nicolesharp.net/humans.txt</code></u>
| |
| | |
| == directory ==
| |
| | |
| I recommend to put "<code>security.txt</code>" in the root webdirectory ("<code>/</code>") together with "<code>[[ROBOTS|/robots.txt]]</code>", "<code>[[SITEMAP|/sitemap.txt]]</code>", and "<code>/humans.txt</code>", but a copy should also be placed in "<code>/.well-known/</code>" since this is the recommended location from the protocol.  When you make an update to "<code>security.txt</code>", remember to save it to both locations.
| |
| | |
| * <u><code>https://www.nicolesharp.net/security.txt</code></u>
| |
| * <u><code>https://www.nicolesharp.net/.well-known/security.txt</code></u>
| |
| | |
| == security ==
| |
| | |
| A canonical "<code>security.txt</code>" should only be accessible by HTTPS (Hypertext Transfer Protocol Secure).
| |
| | |
| === HTTP ===
| |
| | |
| If your site does not have a security certificate, then you should use a comment in the Robots Exclusion Protocol ("<code>/robots.txt</code>") instead of using "<code>security.txt</code>" to specify any security contact info. <ref><u><code>[[ROBOTS#SECURITY]]</code></u></ref> <ref><code>https://www.rfc-editor.org/rfc/rfc9309</code></ref> <ref><code>https://www.robotstxt.org/</code></ref>  In the example Robots Exclusion Protocol below, "<code>security.txt</code>" has been replaced by "<code>security.htm</code>" as a nonsecure HTTP link to the security policy webpage without using the SECURITY protocol.
| |
| | |
| <highlight lang="robots">
| |
| User-agent: *
| |
| Disallow:
| |
| Sitemap: http://www.example.net/sitemap.txt
| |
| # Security: http://www.example.net/security.htm
| |
| # Humans: http://www.example.net/humans.txt
| |
| </highlight>
| |
| | |
| == comments ==
| |
| | |
| Comments are added to SECURITY with a hash ("<code>#</code>") at the beginning of a new line.
| |
| | |
| == example ==
| |
| | |
| "<code>/security.txt</code>" for <u><cite class="u">[[Nicole Sharp's Website]]</cite></u> is given below.
| |
| | |
| <code><highlight lang="robots">
| |
| Contact: https://www.nicolesharp.net/wiki/Nicole_Sharp
| |
| Expires: 2024-01-18
| |
| Acknowledgments: https://www.securitytxt.org/
| |
| Preferred-Languages: en
| |
| Canonical: https://www.nicolesharp.net/security.txt
| |
| Policy: https://www.nicolesharp.net/wiki/security_for_Nicole_Sharp's_Website
| |
| # Security for Nicole Sharp's Website.
| |
| # 2023-09-06 Nicole Sharp
| |
| # https://www.nicolesharp.net/
| |
| </highlight></code>
| |
| | |
| == EXPIRES ==
| |
| | |
| The "<code>Expires</code>" field should be for either a) the day before your next domain name registration renewal date or b) the day before your next webhosting service renewal date, whichever is soonest.  If you don't renew your domain name registration or your webhosting service, bad things can happen and your website security policy should be considered voided (since you don't have a website any more).  This also means that you should update "<code>security.txt</code>" each time you renew your domain name registration and/or webhosting service.
| |
| | |
| "<code>Expires</code>" takes the form of an [[wikipedia:ISO 8601|ISO 8601]] date.  The actual date of expiration depends on timezone so you should set the expiration time to zero hundred hours zulu (UTC) the day before the date of expiration.  This will put the time of the expiration for the website security policy as somewhere between zero and twenty-four hours before the time of expiration for the website.
| |
| | |
| == PREFERRED-LANGUAGES ==
| |
| | |
| "<code>Preferred-Languages</code>" is the two-letter ISO 639-1 language code.
| |
| | |
| == CANONICAL ==
| |
| | |
| "<code>Canonical</code>" refers to the preferred uniform resource locator (URL) for "<code>security.txt</code>".  If you forget to update "<code>/.well-known/security.txt</code>", it tells security researchers that the canonical version is at "<code>/security.txt</code>" instead.  The canonical URL (uniform resource locator) must be an HTTPS link.
| |
| | |
| == ROBOTS ==
| |
| | |
| SECURITY should be added to the Robots Exclusion Protocol ("<code>/robots.txt</code>") as a comment ("<code>#</code>").  This lets anyone viewing the Robots Exclusion Protocol for the website know that you have specified a contactpage to report security vulnerabilities to.  An example Robots Exclusion Protocol with SECURITY is given below.
| |
| | |
| <highlight lang="robots">
| |
| User-agent: *
| |
| Disallow:
| |
| Sitemap: https://www.example.net/sitemap.txt
| |
| # Security: https://www.example.net/security.txt
| |
| # Humans: https://www.example.net/humans.txt
| |
| </highlight>
| |
| | |
| == see also ==
| |
| | |
| * <u><code>[[security for Nicole Sharp's Website]]</code></u>
| |
| * <u><code>https://www.nicolesharp.net/security.txt</code></u>
| |
| * <code>https://www.rfc-editor.org/rfc/rfc9116</code>
| |
| * <code>https://www.securitytxt.org/</code>
| |
| * <u><code>[[ROBOTS#SECURITY]]</code></u>
| |
| * <u><code>[[HUMANS]]</code></u>
| |
| | |
| == references ==
| |
| | |
| <references />
| |
| | |
| == keywords ==
| |
| | |
| <code>cybersecurity, development, ROBOTS, robots.txt, security, security.txt, TXT, webdevelopment</code>
| |
| | |
| {{#seo:|keywords=cybersecurity, development, ROBOTS, robots.txt, security, security.txt, TXT, webdevelopment}}
| |
| | |
| [[category:webdevelopment]] | |