Two days ago, I talked about adding a robots.txt file to your site to inform web crawlers like Googlebot for better Google search indexing of your website. Today, with this PR, I have added a security.txt file to blogthedata.com, giving security researchers a way to contact me about vulnerabilities in web services that could potentially affect my site.

It's easy to set this up yourself! You add two routes to your app: one serves the security.txt file, which says how to contact you, and the other serves the PGP public key that the security.txt file points to.

https://blogthedata.com/pgp-key.txt

https://blogthedata.com/.well-known/security.txt

“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

https://securitytxt.org

The first step is to fill out the form on https://securitytxt.org. The tricky part is the Encryption field. It takes a URL pointing to the public half of a PGP (GPG) asymmetric key pair, so researchers can encrypt their report to you. There are smarter ways of generating keys (running gpg on your own machine keeps the private key off a third-party website), but I used this online PGP generator. Once you create the keys, you'll want to stash the private key somewhere safe and put your public key at a publicly accessible HTTPS endpoint, then reference that URL in the Encryption field. Two things the form will insist on, and which the security.txt standard (RFC 9116) requires: a Contact field (a mailto:, tel: or https: URI) and an Expires field, which should be less than a year away so you are reminded to review the file. The finished file goes at /.well-known/security.txt over HTTPS, and signing it with the same key gives researchers a way to tell it was not tampered with.
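The securitytxt.org form gets the required fields right, but a hand-edited file can drift (an Expires date that has quietly passed is the usual failure). The script below builds a security.txt from the fields discussed above and then checks it against the rules from RFC 9116 that a researcher's tooling will apply. It is an added example, not code from blogthedata.com or securitytxt.org; the contact address, key URL and expiry are constructed placeholders, and the checker only understands Expires in the common YYYY-MM-DDTHH:MM:SSZ form.

```python
"""Build and sanity-check a security.txt file (RFC 9116).

Added example; all site values below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the common ISO 8601 form; RFC 9116 allows others


def build_security_txt(contact, expires, encryption_url=None, canonical=None, languages=None):
    """Assemble the file body. Contact and Expires are required by RFC 9116;
    Encryption is the URL of your public PGP key, Canonical the file's own URL."""
    lines = [f"Contact: {contact}", f"Expires: {expires.strftime(EXPIRES_FMT)}"]
    if encryption_url:
        lines.append(f"Encryption: {encryption_url}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if languages:
        lines.append(f"Preferred-Languages: {', '.join(languages)}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Collect 'Field: value' lines into {field_lower: [values]}.
    Comment lines (#) are skipped and a PGP cleartext-signature wrapper is tolerated."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # everything from here on is the signature, not fields
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should be a mailto:, tel: or https: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.strptime(expires[0], EXPIRES_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not in {EXPIRES_FMT} form: {expires[0]}")
        else:
            if exp <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires should be less than a year away")

    # The key must be fetched over HTTPS (or via DNS/fingerprint), otherwise it
    # could be swapped in transit and reports encrypted to an attacker's key.
    for url in fields.get("encryption", []):
        if urlparse(url).scheme not in ("https", "dns", "openpgp4fpr"):
            problems.append(f"Encryption must be an https:, dns: or openpgp4fpr: URI: {url}")
    for url in fields.get("canonical", []):
        if urlparse(url).scheme != "https":
            problems.append(f"Canonical must use https: {url}")
    return problems


def demo():
    """Build a file for a constructed site, check it, and return the problem list."""
    text = build_security_txt(
        contact="mailto:security@example.com",  # constructed placeholder
        expires=datetime.now(timezone.utc) + timedelta(days=180),
        encryption_url="https://example.com/pgp-key.txt",  # constructed placeholder
        canonical="https://example.com/.well-known/security.txt",
        languages=["en"],
    )
    print(text)
    return check_security_txt(text)


if __name__ == "__main__":
    print("problems:", demo())
```

Run it against your deployed file with `curl -s https://yoursite/.well-known/security.txt` piped into check_security_txt; the parser also accepts a file you have cleartext-signed with gpg --clearsign, so the same check works before and after signing.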

Add a security.txt file to your website and join companies like Google, Facebook, and GitHub in making the web safer for everyone.

About John Solly

I am a Senior Software Engineer with a focus on geospatial applications, based in the Columbus, OH metropolitan area. This blog is where I delve into the intricacies of GIS (Geographic Information Systems), offering deep dives into different components of the geospatial technology stack. For those who share a passion for GIS and its applications, you've found a spot to explore and learn.

Interested in collaborating or learning more about my work? Take a look at my portfolio for a showcase of my projects and expertise.
