  • Brian Emke 4 posts 74 karma points
    Jul 25, 2023 @ 18:49
    Brian Emke
    0

    adding a security.txt file

    Has anyone added a security.txt file to their website?

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Jul 26, 2023 @ 11:22
    Huw Reddick
    0

    No, it is an open invitation to get spammed :)

  • Brian Emke 4 posts 74 karma points
    Jul 26, 2023 @ 13:21
    Brian Emke
    0

    Thank you for responding!

    Yes, I can see how publishing an email address on a website (even if it's buried in a text file with no links to it on the website) will lead to an increased risk of email abuse, especially an address related to security or support. For a personal website or even a small business this would pose a waste of time and effort if a well functioning email antispam/antiphishing tool or service isn't in place.

    The contact section of a security.txt file does let you provide a list of contact means that can be used in addition to or in place of an email address. These could be phone numbers or even a URI to a web form that could be filled out, captcha validated, and submitted, allowing for more information to be gathered on first contact.

    Of course, these other means of contact can be abused, too.

    Other than the spam issue, what do you think about the idea of improving cybersecurity reporting and dialog within an organization or between an organization and its clients/vendors?
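
As an added example (not code from this thread or from the Our.Umbraco.SecurityTxt package), the checker below lints the points raised above against RFC 9116: every Contact value must be a mailto:, tel: or https: URI (a bare email address or an http: URL is rejected), and exactly one Expires timestamp with a time zone must be present and in the future. The two sample files are constructed for the example.

```python
# Added example, not code from the thread or Our.Umbraco.SecurityTxt: RFC 9116 security.txt checks.
from datetime import datetime, timezone

# RFC 9116 requires Contact values to be URIs; web URIs must use https.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# Constructed sample: a web contact form and a phone number instead of a bare email.
SAMPLE_OK = """# security.txt for example.com (constructed sample)
Contact: https://example.com/security-contact
Contact: tel:+1-555-0100
Expires: 2031-01-01T00:00:00Z
"""

# Constructed sample containing the mistakes the checker is meant to catch.
SAMPLE_BAD = """Contact: http://example.com/contact
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""

def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()) if sep else ("<malformed>", line))
    return fields

def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"malformed line, expected 'Field: value': {v!r}" for k, v in fields if k == "<malformed>"]
    contacts = [v for k, v in fields if k == "contact"]
    if not contacts:
        findings.append("missing Contact field (at least one is required)")
    findings += [f"Contact must be a mailto:, tel: or https: URI: {c!r}"
                 for c in contacts if not c.startswith(ALLOWED_CONTACT_SCHEMES)]
    expires = [v for k, v in fields if k == "expires"]
    if len(expires) != 1:
        findings.append("exactly one Expires field is required")
    else:
        try:  # RFC 3339 timestamp with zone; fromisoformat needs +00:00 rather than Z before 3.11
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                findings.append(f"Expires is in the past: {expires[0]}")
        except (ValueError, TypeError):  # TypeError: naive timestamp compared with aware now
            findings.append(f"Expires is not an RFC 3339 timestamp with a time zone: {expires[0]!r}")
    return findings
```

Running `check_security_txt(SAMPLE_BAD)` reports the http: contact, the bare email address and the expired date, while `SAMPLE_OK` produces no findings.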

  • Lee Kelleher 4026 posts 15836 karma points MVP 13x admin c-trib
    Jul 26, 2023 @ 12:06
    Lee Kelleher
    0

    I manually added one on my own website, (not using Umbraco), but I'd been noticing many 404 requests for the URL in my logs, so decided to add it - for what it's worth. 🤷‍♂️

    https://leekelleher.com/.well-known/security.txt

    I'd opted to point to the URL to my contact page, as opposed to give out my email address directly.

    In terms of Umbraco specific, I'd seen that Erik-Jan Westendorp has been working on a package, but as far as I'm aware it hasn't been released yet. https://github.com/erikjanwestendorp/Our.Umbraco.SecurityTxt

    Hope some of this helps?

    Cheers,
    - Lee

  • Brian Emke 4 posts 74 karma points
    Jul 26, 2023 @ 13:42
    Brian Emke
    0

    Thanks for responding, Lee!

    I'd noticed it's not easy to create the .well-known directory or even place the txt file at the Umbraco-based website's root. But I'm an Umbraco noob so perhaps I need a bit more training.

    Thanks for providing the link to Erik-Jan's work. I'll check that out.

    I'm not a security researcher but having personally gone through the hassle of reaching out to a large organization to report a security issue with a web server being abused in a phishing campaign I believe this is an area that should be improved. It shouldn't take many dead-end phone calls just to reach a person responsible for corporate cybersecurity.

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Jul 26, 2023 @ 13:46
    Huw Reddick
    0

    I found the easiest way of creating the ".well-known" folder is by using an ftp client to create it. There are ways to do it in IIS but not that easy :) (Windows doesn't like folders starting with a ".")

  • Brian Emke 4 posts 74 karma points
    Jul 26, 2023 @ 13:48
    Brian Emke
    0

    Thank you, Huw!

  • Huw Reddick 1929 posts 6697 karma points MVP 2x c-trib
    Jul 26, 2023 @ 14:07
    Huw Reddick
    0

    You should also be able to just add it in your VS project and publish it
