Two days ago, I talked about adding a robots.txt file to your site to tell web crawlers such as Googlebot how to index your website for Google search. Today, with this PR, I have added a security.txt file to blogthedata.com, giving security researchers a way to contact me about newly discovered web service vulnerabilities that could affect my site.
It’s easy to set this up yourself: you add two routes to your app that serve information about how to contact you.
“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”
The first step is to fill out the form on https://securitytxt.org. The tricky part is the encryption section: it asks for the public key of a GPG asymmetric key pair. There are smarter ways of generating keys, but I used this online PGP generator. Once you create the keys, you'll want to stash the private key somewhere safe and put your public key at a publicly accessible endpoint.
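As an added example (not the post's own code), here is a minimal standard-library Python app that serves the two routes described above, security.txt at its /.well-known path and the public key, together with a checker for the Contact and Expires fields the standard requires; the contact address, key text and domain are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed placeholders; replace with your own contact address, key and domain.
CONTACT = "mailto:security@example.com"
CANONICAL = "https://example.com/.well-known/security.txt"
KEY_URL = "https://example.com/pgp-key.txt"
PUBLIC_KEY = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n-----END PGP PUBLIC KEY BLOCK-----\n"

def build_security_txt(now=None, valid_days=180):
    """Render security.txt; Expires is required and should be less than a year out."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"Contact: {CONTACT}\nExpires: {expires}\n"
            f"Encryption: {KEY_URL}\nCanonical: {CANONICAL}\n"
            "Preferred-Languages: en\n")

def check_security_txt(text, now=None):
    """Return a list of problems a researcher's tooling would flag (empty = OK)."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.setdefault(name.strip(), []).append(value.strip())
    problems = []
    if "Contact" not in fields:
        problems.append("missing Contact")
    if "Expires" not in fields:
        problems.append("missing Expires")
    else:
        exp = datetime.strptime(fields["Expires"][0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append("Expires is in the past")
        elif exp > now + timedelta(days=365):
            problems.append("Expires is more than a year away")
    if any(not u.startswith("https://") for u in fields.get("Encryption", [])):
        problems.append("Encryption URL must use https")
    return problems

def wsgi_app(environ, start_response):
    """Serve the two routes: the file itself under /.well-known and the public key."""
    routes = {"/.well-known/security.txt": build_security_txt(),
              "/pgp-key.txt": PUBLIC_KEY}
    body = routes.get(environ.get("PATH_INFO", ""))
    status = "200 OK" if body is not None else "404 Not Found"
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [(body or "not found\n").encode()]
```

Run the checker against the file your server actually returns, not just the template, so a stale Expires or an http:// key link is caught before a researcher hits it.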
Add a security.txt file to your website and join companies like Google, Facebook, and GitHub in making the web safer for everyone.