Securing Laravel
Security Tip: security.txt

[Tip#9] security.txt is a simple way to share your security contacts to make vulnerability reporting easier.

Stephen Rees-Carter
Dec 3, 2021
⚠️ Want me to hack into your app and tell you how I did it, so you can fix it before someone else finds it? Book in a Laravel Security Audit and Penetration Test! 🕵️


The security.txt file is a proposed standard for defining the security policies of a website. It lives in the /.well-known/ subdirectory and should be a publicly readable text file. The goal of a security.txt file is to make it simple for anyone wishing to report a security concern to get in contact with the right person quickly, without needing to dig through subpages and support docs to find the right email, or having to convince a support rep about an issue and jump through support hoops.

The best place to get started is the proposal at: https://securitytxt.org/

There you will find a wizard to help you build your own security.txt file. Once you have the file, simply upload it to your site as: .well-known/security.txt

Securing Laravel is 100% reader-supported. Please consider subscribing to receive weekly Security Tips (like this one!), monthly In Depth articles, and to support my security work within the Laravel & PHP Community!

For example, this is the security.txt file on my site:
https://stephenreescarter.net/.well-known/security.txt

Contact: mailto:stephen@rees-carter.net
Contact: https://twitter.com/valorin
Expires: 2024-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: en

And the one on google.com:

Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs

And the one on amazon.com:

Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec

# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp

# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/
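Because the whole point of the file is that a stranger can parse it without talking to anyone, it is worth checking what you publish the same way a reporter's tooling would. The checker below is an added example written for this post, not code from the site or the securitytxt.org wizard. It applies the rules from RFC 9116 (the published version of the proposal discussed above, which makes Contact and Expires mandatory and recommends an Expires less than a year out) to the three files quoted in the post, and it also catches the kind of line the amazon.com file has under its AWS comment: a bare URL with no field name in front of it, which a parser cannot attribute to any field. The POST_DATE constant pins "now" to the post's publication date so the results are reproducible; the field list and spelling alias are my own assumptions about what a lenient reader should accept.

```python
"""Added example: a small RFC 9116 security.txt checker run over the files quoted in the post."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116. The RFC spells the credits field "Acknowledgments";
# the British "Acknowledgements" (as in the Google file) is accepted here but flagged.
RFC_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments", "Preferred-Languages",
              "Canonical", "Policy", "Hiring", "CSAF"}
FIELD_ALIASES = {"Acknowledgements": "Acknowledgments"}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# "Now" is pinned to the post's publication date so the Expires checks are reproducible.
POST_DATE = datetime(2021, 12, 3, tzinfo=timezone.utc)

# The three files exactly as quoted in the post (stephenreescarter.net, google.com, amazon.com).
AUTHOR_FILE = """\
Contact: mailto:stephen@rees-carter.net
Contact: https://twitter.com/valorin
Expires: 2024-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: en
"""
GOOGLE_FILE = """\
Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
"""
AMAZON_FILE = """\
Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec

# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp

# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/
"""


@dataclass
class Report:
    fields: dict = field(default_factory=dict)    # field name -> values, in file order
    errors: list = field(default_factory=list)    # violations of the spec's MUST rules
    warnings: list = field(default_factory=list)  # worth a look, not fatal

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_expires(value: str) -> datetime:
    """Parse the RFC 3339 timestamp in Expires; 'Z' is rewritten so fromisoformat works on older Pythons."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_security_txt(text: str, now: datetime = POST_DATE) -> Report:
    rep = Report()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        name, sep, value = (part.strip() for part in line.partition(":"))
        if not sep or value.startswith("//"):
            # No colon at all, or a bare "https://..." URL with no field name in front of it.
            rep.errors.append(f"line {lineno}: bare URL or malformed line, expected 'Field: value': {line!r}")
            continue
        if name in FIELD_ALIASES:
            rep.warnings.append(f"line {lineno}: '{name}' is spelled '{FIELD_ALIASES[name]}' in RFC 9116")
            name = FIELD_ALIASES[name]
        elif name not in RFC_FIELDS:
            rep.warnings.append(f"line {lineno}: unknown field '{name}'")
        if not value:
            rep.errors.append(f"line {lineno}: empty value for '{name}'")
            continue
        rep.fields.setdefault(name, []).append(value)

    # Contact and Expires are the two fields RFC 9116 makes mandatory.
    contacts = rep.fields.get("Contact", [])
    if not contacts:
        rep.errors.append("missing required field 'Contact'")
    for uri in contacts:
        if not uri.startswith(CONTACT_SCHEMES):
            rep.warnings.append(f"Contact should be an https://, mailto: or tel: URI: {uri}")
    expires = rep.fields.get("Expires", [])
    if not expires:
        rep.errors.append("missing required field 'Expires'")
    elif len(expires) > 1:
        rep.errors.append("'Expires' must appear exactly once")
    else:
        try:
            exp = parse_expires(expires[0])
        except ValueError:
            rep.errors.append(f"'Expires' is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp <= now:
                rep.errors.append(f"file expired on {exp.isoformat()}; reporters may treat its contacts as stale")
            elif exp - now > timedelta(days=365):
                rep.warnings.append("'Expires' is more than a year out; RFC 9116 recommends under a year")
    return rep


if __name__ == "__main__":
    for label, text in (("stephenreescarter.net", AUTHOR_FILE), ("google.com", GOOGLE_FILE), ("amazon.com", AMAZON_FILE)):
        rep = check_security_txt(text)
        print(f"{label}: {'OK' if rep.ok else 'PROBLEMS'}")
        for msg in rep.errors + rep.warnings:
            print("   ", msg)
```

Run as a script it reports the author's file as OK (with a note that its Expires is more than a year out), and flags the google.com and amazon.com files for the missing Expires field plus the unattributed AWS URL. Point it at your own deployed file with `check_security_txt(open("public/.well-known/security.txt").read(), datetime.now(timezone.utc))` and, since Expires is a deadline you set yourself, wire the same call into a scheduled job so the file never silently lapses.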

If you want to keep digging into more examples, Scott Helme maintains a list of sites in the Top 1 Million Sites which have a security.txt file: https://crawler.ninja/files/security-txt-sites.txt

© 2023 Stephen Rees-Carter