What is a security.txt File and How to Add One to Your Website
In today’s digital age, website security is paramount. If you’re a website owner or administrator, you may already be familiar with common security practices, but have you heard of the security.txt file? This simple file acts as a direct communication channel for security researchers to report potential vulnerabilities on your website, helping you stay proactive in your security approach. In this guide, we’ll cover what a security.txt file is, why it’s essential, and how to add one to your website.
What is a security.txt File?
A security.txt file is a standardized way for websites to provide security contact information, making it easier for researchers to report security issues. The format was inspired by the commonly used robots.txt file for web crawlers and is guided by the RFC 9116 standard. Created by Edwin Foudil, this standard aims to improve communication between website owners and the security community, which ultimately fosters a safer internet for everyone.
Why You Should Use a security.txt File
Adding a security.txt file to your website offers several benefits:
- Facilitates Security Reporting: Researchers can quickly reach the right team if they discover a vulnerability.
- Builds Trust: Showing a clear, public commitment to security boosts your site’s credibility.
- Standardizes Security Contact Info: Having a security.txt file allows you to maintain a structured, accessible method for communication with security professionals.
Example of a security.txt File:
Here’s an example of how a typical security.txt file might look:
Contact: mailto:[email protected]
Expires: 2025-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/thanks
Policy: https://example.com/security-policy
Hiring: https://example.com/careers
How to Add a security.txt File to Your Website
Good news! If you are hosting your site via Cloudflare, you can add a security.txt file for free with their generator.
To add a security.txt file to your website, follow these simple steps.
Step 1: Create the security.txt File
- Open a text editor and input your preferred contact information, expiration date, encryption key link (if available), and links to any relevant pages, like your security policy.
- Save the file as security.txt.
Step 2: Place the File in the .well-known Directory
For your security.txt file to be easily accessible, place it in a specific folder:
- Location: https://yourdomain.com/.well-known/security.txt
- The .well-known directory is an established standard location for files like security.txt, ensuring they’re easily found by researchers.
Step 3: Upload the File
Use FTP, SFTP, or your hosting provider’s file manager to place the security.txt file into the .well-known directory. This directory should be located at the root level of your website.
Step 4: Verify Access
Test your setup by visiting https://yourdomain.com/.well-known/security.txt. If the file displays correctly in the browser, you’re all set.
Recommended Fields for a security.txt File
According to the official RFC 9116 documentation, here are some fields commonly included in a security.txt file:
- Contact: An email or phone number for reporting security issues.
- Expires: Date when the information should be reviewed or updated.
- Encryption: Link to a PGP or GPG public key for secure communication.
- Acknowledgments: A page recognizing researchers who have responsibly disclosed issues.
- Policy: Link to your security policy, if applicable.
- Hiring: Optional link to career opportunities in security roles.
Example Fields Explained
Contact: This is the primary email or URL for receiving reports. Ideally, this should be a monitored address specifically for security matters.
Expires: Adding an expiration date ensures the file is regularly reviewed and stays up to date. This should be formatted in ISO 8601 (YYYY-MM-DD) for consistency.
Encryption: If you want to receive encrypted reports, link to a public encryption key. For example, GnuPG provides tools for PGP keys.
Policy: If you have a published security policy, linking it here is highly recommended. This can help set expectations for researchers regarding your disclosure guidelines.
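To put the field rules above into practice, here is an added example (not from the article or RFC 9116 itself) of a small Python validator that parses a security.txt file and checks the RFC 9116 rules: Contact is required and must be a URI, Expires must appear exactly once as an RFC 3339 date-time that is neither past nor more than a year away, and web URLs must use https. The sample file and the function names are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone
KNOWN = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
         "expires", "hiring", "policy", "preferred-languages"}  # RFC 9116 field names

SAMPLE = """# Constructed sample, modelled on the article's example file
Contact: mailto:security@example.com
Expires: 2025-12-31T23:59:59.000Z
Policy: https://example.com/security-policy
"""

def rfc3339(s):  # fromisoformat() does not accept the "Z" suffix before Python 3.11
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Return (name, value) pairs in file order; blank lines and '#' comments are skipped."""
    fields = []
    for line in (l.strip() for l in text.splitlines()):
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            fields.append((name.strip().lower(), value.strip()))
    return fields

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = rfc3339(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"unknown field: {n}" for n in sorted({n for n, _ in fields} - KNOWN)]
    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        problems.append("Contact is required")
    for v in contacts:  # Contact values are URIs, not bare addresses
        if not re.match(r"^(mailto:|tel:|https://)", v):
            problems.append(f"Contact should be a mailto:, tel: or https: URI: {v}")
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = rfc3339(expires[0])
            if when <= now:
                problems.append("Expires is in the past; the file is stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires should be less than a year in the future")
        except (ValueError, TypeError):  # unparsable, or no time zone given
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    for n, v in fields:  # web URLs in security.txt must use https
        if n in ("policy", "hiring", "acknowledgments", "canonical") and not v.startswith("https://"):
            problems.append(f"{n} must be an https: URL: {v}")
    return problems
```

Run it over the body you fetch from https://yourdomain.com/.well-known/security.txt in Step 4; RFC 9116 also expects that URL to be served over HTTPS with a text/plain content type, which the browser check in Step 4 will not tell you.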
Additional Tips for Managing Your security.txt File
- Keep Information Updated: Regularly review and update your contact information and expiration date.
- Use Encryption: Include an encryption key if you expect sensitive information, such as a PGP key from Keybase.
- Monitor the Contact Email: Ensure the contact email is frequently monitored so you can respond to reports promptly.
security.txt and Your Website’s SEO
Implementing a security.txt file also demonstrates a proactive approach to site security, which can positively impact SEO indirectly. For instance, search engines increasingly value security as part of user trust signals. While a security.txt file itself might not directly improve rankings, it does contribute to an overall trustworthy website reputation, especially when combined with other security measures like HTTPS and a well-maintained robots.txt file.
References and Additional Resources
For more information on security.txt and best practices for web security, check out these resources:
- Mozilla Developer Network (MDN) on security.txt
- RFC 9116 Documentation
- Electronic Frontier Foundation (EFF) on Responsible Disclosure
By adding a security.txt file to your website, you’re taking a proactive step towards enhanced web security and building trust within the security community. This small addition can make a significant difference in how efficiently you address potential vulnerabilities, contributing to a safer internet for all.