SECURITY

From NikkiWiki
[Image.]  A "/security.txt" file helps to make your website more secure by providing a standardized means for security researchers to contact you about any security vulnerabilities discovered on your website.  Photo depicts a secured red padlock with a heart-shaped pattern of glittery sequins. [1] [2] [3]

The SECURITY website protocol involves adding a plaintext file at "/security.txt" and/or "/.well-known/security.txt" that provides information about how to contact the website administrator in case any security vulnerabilities are discovered on the website. [4]

HUMANS

SECURITY is somewhat redundant with HUMANS and is more technical to set up and use.  If you already have "/humans.txt" then you don't really need "/security.txt", but it can be helpful because it provides a standardized way for security researchers (as opposed to any human) to reach you in case a security vulnerability is discovered on your website.

documentation

editor

As with all webtext files, you should use an advanced text editor such as Notepad-Plus-Plus (not Microsoft Windows Notepad). [5]  Files should be saved with Unix line endings and UTF-8 (Unicode Transformation Format Eight-Bit) character encoding.

directory

I recommend putting "security.txt" in the root webdirectory ("/") together with "/robots.txt", "/sitemap.txt", and "/humans.txt", but a copy should also be placed in "/.well-known/" since this is the location recommended by the protocol.  When you make an update to "security.txt", remember to save it to both locations.

comments

Comments are added to SECURITY with a hash ("#") at the beginning of a new line.

example

"/security.txt" for Nicole Sharp's Website is given below.

Contact: https://www.nicolesharp.net/wiki/Nicole_Sharp
Expires: 2024-01-18T00:00:00.000Z
Acknowledgments: https://www.securitytxt.org/
Preferred-Languages: en
Canonical: https://www.nicolesharp.net/security.txt
Policy: https://www.nicolesharp.net/wiki/security_for_Nicole_Sharp's_Website
# Security for Nicole Sharp's Website.
# 2023-09-05 Nicole Sharp
# https://www.nicolesharp.net/

EXPIRES

The "Expires" field should be set to either a) the day before your next domain name registration renewal date or b) the day before your next webhosting service renewal date, whichever comes first.  If you don't renew your domain name registration or your webhosting service, the website goes away and your website security policy should be considered void (since you no longer have a website).  This also means that you should update "security.txt" each time you renew your domain name registration and/or webhosting service.

The actual date of expiration depends on the timezone, so set the expiration to 00:00 Zulu (UTC) on the day before the date of expiration.  This puts the expiration of the website security policy somewhere between zero and twenty-four hours before the website itself expires.

CANONICAL

"Canonical" refers to the preferred uniform resource locator (URL) for "security.txt".  If you forget to update "/.well-known/security.txt", the "Canonical" field tells security researchers that the authoritative copy is at "/security.txt" instead.
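The EXPIRES and CANONICAL rules above, worked as an added example that is not part of this wiki page: a small checker that parses a "security.txt", computes the "Expires" value from a renewal date the way this page prescribes (00:00 UTC on the day before), and flags an expired policy or a "Canonical" field that does not point at the copy you are checking.  The sample file and the timestamps passed as "now" are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample, modelled on the "/security.txt" shown on this page.
SAMPLE = """Contact: https://www.nicolesharp.net/wiki/Nicole_Sharp
Expires: 2024-01-18T00:00:00.000Z
Canonical: https://www.nicolesharp.net/security.txt
# Security for Nicole Sharp's Website.
"""

def parse_timestamp(value):
    """Parse a UTC timestamp in Expires form ("...Z"), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not an ISO 8601 UTC timestamp: {value!r}")

def parse_security_txt(text):
    """Map each field name to its list of values; lines starting with '#' are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def expires_for_renewal(renewal_day):
    """Expires value per this page's rule: 00:00 UTC on the day before the renewal date (YYYY-MM-DD)."""
    day_before = datetime.strptime(renewal_day, "%Y-%m-%d") - timedelta(days=1)
    return day_before.strftime("%Y-%m-%dT00:00:00.000Z")

def check_security_txt(text, now_utc, canonical_url=None):
    """Return the problems found (an empty list passes); now_utc is a UTC timestamp string."""
    fields = parse_security_txt(text)
    problems = [] if "Contact" in fields else ["missing Contact field"]
    try:
        expires = fields["Expires"][0]
        if parse_timestamp(expires) <= parse_timestamp(now_utc):
            problems.append(f"Expires {expires} has passed: update both copies of the file")
    except (KeyError, ValueError) as err:
        problems.append(f"bad or missing Expires field: {err}")
    if canonical_url and canonical_url not in fields.get("Canonical", []):
        problems.append(f"Canonical does not list {canonical_url}")
    return problems
```

Run the checker against both "/security.txt" and "/.well-known/security.txt" after every renewal, passing each file's own URL as canonical_url, so a stale or forgotten copy is caught before a researcher finds it.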

ROBOTS

SECURITY should be added to the Robots Exclusion Protocol ("/robots.txt") as a comment ("#"). [6] [7] [8]  This lets anyone viewing the Robots Exclusion Protocol for the website know that you have specified a contact page for reporting security vulnerabilities.  An example Robots Exclusion Protocol with SECURITY is given below.

User-agent: *
Disallow:
Sitemap: https://www.example.net/sitemap.txt
# Security: https://www.example.net/security.txt
# Humans: https://www.example.net/humans.txt

references

  1. commons:category:padlocks
  2. commons:category:padlocks by color
  3. commons:category:red padlocks
  4. https://www.securitytxt.org/
  5. https://www.notepad-plus-plus.org/
  6. ROBOTS#SECURITY
  7. https://www.rfc-editor.org/rfc/rfc9309
  8. https://www.robotstxt.org/

keywords

cybersecurity, development, ROBOTS, robots.txt, security, security.txt, TXT, webdevelopment