
security.txt location

Posted: Thu Aug 05, 2021 4:15 am
by Catalyst_IT_AU
The site verification page says "Create a security.txt file and place it in the website root directory. Your security.txt file should contain the following string:"

The current draft IETF for security.txt (https://datatracker.ietf.org/doc/html/d ... ecuritytxt) states:

Location of the security.txt file

For web-based services, organizations MUST place the "security.txt"
file under the "/.well-known/" path; e.g. https://example.com/.well-known/security.txt
as per [RFC8615] of a domain name or IP address.
For legacy compatibility, a security.txt file might be placed at the
top-level path or redirect (as per section 6.4 of [RFC7231]) to the
"security.txt" file under the "/.well-known/" path. If a
"security.txt" file is present in both locations, the one in the
"/.well-known/" path MUST be used.

Does the platform follow this approach already? If so, I propose the text on the verification page is updated.
Thanks

Re: security.txt location

Posted: Fri Aug 06, 2021 7:10 am
by x1admin
You can place security.txt in the /.well-known/ directory.
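
The location rule quoted from the draft in the first post, written out as a verification check. This is an added example, not part of the thread and not the platform's code. Assumptions: `fetch` is a hypothetical caller-supplied HTTP helper, the token and `.example` hosts are constructed, and a legacy redirect is accepted to any https host as long as it lands on the /.well-known/ path.

```python
from urllib.parse import urljoin, urlsplit

WELL_KNOWN = "/.well-known/security.txt"
LEGACY = "/security.txt"
REDIRECTS = {301, 302, 303, 307, 308}

def resolve_security_txt(origin, fetch):
    """Return (url, body) of the file that must be used, or None.
    fetch(url) -> (status, headers, body) is a caller-supplied, hypothetical
    HTTP helper that does not follow redirects on its own."""
    base = origin.rstrip("/")
    # The /.well-known/ copy wins whenever it exists.
    status, _, body = fetch(base + WELL_KNOWN)
    if status == 200:
        return base + WELL_KNOWN, body
    # Legacy fallback: a file at the top-level path ...
    status, headers, body = fetch(base + LEGACY)
    if status == 200:
        return base + LEGACY, body
    # ... or a redirect, accepted only when it lands on a /.well-known/ path.
    if status in REDIRECTS and headers.get("Location"):
        target = urljoin(base + LEGACY, headers["Location"])
        parts = urlsplit(target)
        if parts.scheme == "https" and parts.path == WELL_KNOWN:
            status, _, body = fetch(target)
            if status == 200:
                return target, body
    return None

def is_verified(origin, token, fetch):
    """True if the authoritative security.txt contains the verification string."""
    found = resolve_security_txt(origin, fetch)
    return found is not None and token in found[1]

# Constructed sample data: placeholder token and made-up .example hosts.
TOKEN = "placeholder-verification-string"
SITES = {
    "https://both.example/.well-known/security.txt": (200, {}, "Contact: mailto:sec@both.example\n"),
    "https://both.example/security.txt": (200, {}, TOKEN + "\n"),
    "https://legacy.example/security.txt": (200, {}, TOKEN + "\n"),
    "https://redir.example/security.txt": (301, {"Location": "https://www.redir.example/.well-known/security.txt"}, ""),
    "https://www.redir.example/.well-known/security.txt": (200, {}, TOKEN + "\n"),
    "https://bad.example/security.txt": (302, {"Location": "https://bad.example/login"}, ""),
}

def fake_fetch(url):
    return SITES.get(url, (404, {}, ""))

if __name__ == "__main__":
    for host in ("both", "legacy", "redir", "bad"):
        print(host, is_verified(f"https://{host}.example", TOKEN, fake_fetch))
```

For `both.example` the check fails even though the root file carries the string, because the /.well-known/ copy takes precedence when both exist.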