Adding security.txt

Earlier in the year I wrote about adding humans.txt, a simple text file which can be used to list the humans involved in building the website.  I also use my file to list tools and services that I have used to build and run my website.

There is also a reasonably new initiative out there to add a security.txt file as well.  They describe this very concisely as…

“The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.”

So as it says, this lists things like contact details, a link to your security policy, and encryption keys in case a researcher needs to send private data.  This means that if a security researcher were to find a problem with your site, they could easily and confidently get in touch with the right people (as you’ve listed them) to report the issue.  And you really want to have the issue reported to you, so that you can resolve it as soon as possible!

Unlike “humans.txt” which is supposed to live in the root folder, “security.txt” is supposed to sit in the “.well-known/” folder.  However, I decided to double up and put both files in both locations, like this…

Hopefully this makes them super easy to find, for those who are interested.
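To show what such a file looks like and how to sanity-check one before publishing it, here is an added example (not from the original post). It assumes the field rules of RFC 9116, the later standard for security.txt, which the post does not mention; the sample file and its example.com values are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample file; the example.com values are placeholders.
SAMPLE = """\
# Security contact details
Contact: mailto:security@example.com
Contact: https://example.com/report
Encryption: https://example.com/pgp-key.txt
Policy: http://example.com/security-policy
Expires: 2031-01-01T00:00:00Z
"""

# Fields whose web links must use https:// (assumption: RFC 9116 rules).
URI_FIELDS = {"contact", "encryption", "policy", "acknowledgments", "canonical", "hiring"}

def parse(text):
    """Return {lowercased field name: [values]}, skipping comments and blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(text, now=None):
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse(text), []
    if not fields.get("contact"):
        problems.append("missing Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
            # A timestamp without an offset is treated as UTC here.
            when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("file has expired")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    for name in sorted(URI_FIELDS & fields.keys()):
        for value in fields[name]:
            if value.lower().startswith("http://"):
                problems.append(f"{name} uses http:// instead of https://: {value}")
    return problems
```

Running `check(SAMPLE)` flags the `Policy` link because it is served over plain HTTP; the same function can be pointed at the text of your own file from either location.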