The SECURITY website protocol involves adding a plaintext file at "/security.txt" and/or "/.well-known/security.txt" that provides information about how to contact the website administrator in case any security vulnerabilities are discovered on the website.
- Internet Society Request for Comments (RFC) 9116: A File Format to Aid in Security Vulnerability Disclosure
- security.txt: A Proposed Standard Which Allows Websites to Define Security Policies
As with all webtext files, you should use an advanced text editor such as Notepad-Plus-Plus (not Microsoft Windows Notepad).  Files should be saved with Unix line endings and UTF-8 (Unicode Transformation Format Eight-Bit) character encoding.
SECURITY is somewhat redundant with HUMANS and more technical to set up and use. If you already have "/humans.txt" then you don't really need "/security.txt", but it can be helpful as it provides a standardized way for security researchers (as opposed to any human) to reach you in case a security vulnerability is discovered on your website.
I recommend putting "security.txt" in the root web directory ("/") together with "/sitemap.txt" and "/humans.txt", but a copy should also be placed in "/.well-known/" since this is the recommended location from the protocol. When you make an update to "security.txt", remember to save it to both locations.
A canonical "security.txt" should only be accessible by HTTPS (Hypertext Transfer Protocol Secure).
If your site does not have a security certificate, then you should use a comment in the Robots Exclusion Protocol ("/robots.txt") instead of using "security.txt" to specify any security contact info. In the example Robots Exclusion Protocol below, "security.txt" has been replaced by "security.htm" as a nonsecure HTTP link to the security policy webpage without using the SECURITY protocol.
User-agent: *
Disallow:
Sitemap: http://www.example.net/sitemap.txt
# Security: http://www.example.net/security.htm
# Humans: http://www.example.net/humans.txt
Comments are added to SECURITY with a hash ("#") at the beginning of a new line.
# A comment.
The "/security.txt" for Nicole Sharp's Website is given below.
Contact: https://www.nicolesharp.net/wiki/Nicole_Sharp
Expires: 2024-01-18
Acknowledgments: https://www.securitytxt.org/
Preferred-Languages: en
Canonical: https://www.nicolesharp.net/security.txt
Policy: https://www.nicolesharp.net/wiki/security_for_Nicole_Sharp's_Website
# Security for Nicole Sharp's Website.
# 2023-09-06 Nicole Sharp
# https://www.nicolesharp.net/
The "Expires" field should be set to either a) the day before your next domain name registration renewal date or b) the day before your next webhosting service renewal date, whichever is soonest. If you don't renew your domain name registration or your webhosting service, bad things can happen and your website security policy should be considered voided (since you don't have a website any more). This also means that you should update "security.txt" each time you renew your domain name registration and/or webhosting service.
"Expires" takes the form of an ISO 8601 date. The actual moment of expiration depends on the timezone, so you should set the expiration time to zero hundred hours Zulu (00:00 UTC) on the day before the date of expiration. This puts the expiration of the website security policy somewhere between zero and twenty-four hours before the expiration of the website itself.
"Canonical" refers to the preferred uniform resource locator (URL) for "security.txt". If you forget to update "/.well-known/security.txt", it tells security researchers that the canonical version is at "/security.txt" instead. The canonical URL must be an HTTPS link.
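A small checker for the rules described above (required "Contact" and "Expires", a single future "Expires", HTTPS "Canonical"), added here as an example and not part of the original page. The sample file and the example.net URLs are constructed; the checker only reads a string you give it, it does not fetch anything.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the file shown above (not a live fetch).
SAMPLE = """\
Contact: https://www.example.net/contact
Expires: 2024-01-17T00:00:00Z
Preferred-Languages: en
Canonical: https://www.example.net/security.txt
# Comment lines are ignored by the parser.
"""

def parse_security_txt(text):
    """Map each field name to the list of its values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def parse_expires(value):
    """Parse an ISO 8601 date or date-time; a date without a time is taken as 00:00 UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_security_txt(text, now=None):
    """Return the list of problems found; an empty list means the file passes these checks.
    'now' is an optional ISO 8601 string so the check can be run against a fixed date."""
    now = parse_expires(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "Contact" not in fields:
        problems.append("missing Contact")
    if "Expires" not in fields:
        problems.append("missing Expires")
    elif len(fields["Expires"]) > 1:
        problems.append("more than one Expires")
    else:
        try:
            if parse_expires(fields["Expires"][0]) <= now:
                problems.append("Expires is in the past")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date")
    for url in fields.get("Canonical", []):
        if not url.startswith("https://"):
            problems.append("Canonical is not HTTPS: " + url)
    return problems
```

Run it against both copies of your file after each renewal; a non-empty result means the file will be rejected or ignored by researchers' tooling.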
SECURITY should be added to the Robots Exclusion Protocol ("/robots.txt") as a comment ("#"). This lets anyone viewing the Robots Exclusion Protocol for the website know that you have specified a contact page to which security vulnerabilities can be reported. An example Robots Exclusion Protocol with SECURITY is given below.
User-agent: *
Disallow:
Sitemap: https://www.example.net/sitemap.txt
# Security: https://www.example.net/security.txt
# Humans: https://www.example.net/humans.txt