Security Tip: Publish a security.txt!
[Tip#9] security.txt is a simple way to share your security contacts to make vulnerability reporting easier.
The security.txt file is a new standard for defining the security policies of a website. It lives in the `/.well-known/` subdirectory and should be a publicly readable text file. The goal of a security.txt file is to make it simple for anyone wishing to report a security concern to get in contact with the right person quickly, without needing to dig through subpages and support docs to find the right email, or having to convince a support rep that there is a real issue and jump through support hoops.
The best place to get started is https://securitytxt.org/, where you will find a wizard to help you build your own security.txt file. Once you have the file, simply upload it to your site as `/.well-known/security.txt`.
For example, this is the `security.txt` file on my site, https://stephenreescarter.net/.well-known/security.txt:

```
Contact: mailto:stephen@rees-carter.net
Contact: https://twitter.com/valorin
Expires: 2024-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: en
```
And the one on google.com:

```
Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
```
And one from Amazon, which also uses `#` comment lines:

```
Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec
# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp
# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/
```
If you want to keep digging into more examples, Scott Helme maintains a list of sites in the Top 1 Million Sites which have a security.txt file: https://crawler.ninja/files/security-txt-sites.txt
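Once the file is published it is worth checking it the way a reporter's tooling would read it. The following added example (not code from the post or from securitytxt.org) parses the `Field: value` lines shown above, skips `#` comments, and flags the problems that make a security.txt useless in practice: a missing or non-URI Contact, a missing, malformed, stale or too-distant Expires, a missing Encryption key, and stray lines that are not `Field: value` at all. The `example.com` samples and the fixed check time are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone
# Field lines on the page all take the form "Name: value" with a space after the colon.
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s+(.+?)\s*$")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

def parse_security_txt(text):
    """Return ({field_name_lower: [values]}, [issues]); '#' lines and blanks are skipped."""
    fields, issues = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:  # e.g. a bare URL that lost its "Field:" prefix
            issues.append(f"line {lineno}: not a 'Field: value' line: {line!r}")
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields, issues

def check_security_txt(text, now):
    """Validate the fields a reporter relies on; returns a list of findings (empty = OK)."""
    fields, issues = parse_security_txt(text)
    contacts = fields.get("contact", [])
    if not contacts:
        issues.append("missing required Contact field")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            issues.append(f"Contact is not a mailto:/https:/tel: URI: {c!r}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append("Expires must appear exactly once")
    else:
        try:  # the 'Z' suffix is only accepted by fromisoformat() from Python 3.11
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
            if when <= now:
                issues.append(f"Expires {expires[0]} is in the past; reporters will distrust the file")
            elif when > now + timedelta(days=366):
                issues.append("Expires is more than a year ahead; refresh it more often")
        except ValueError:
            issues.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
    if "encryption" not in fields:
        issues.append("no Encryption field: reporters have no key to send details confidentially")
    return issues
# Constructed samples (not real sites); CHECK_TIME fixes "now" so results are reproducible.
CHECK_TIME = datetime(2029, 1, 1, tzinfo=timezone.utc)
GOOD = "# reporting contacts\nContact: mailto:security@example.com\nContact: https://example.com/report\n" \
       "Expires: 2030-01-01T00:00:00.000Z\nEncryption: https://example.com/pgp-key.txt\nPreferred-Languages: en\n"
BAD = "Contact: security@example.com\nExpires: 2024-09-14T14:00:00.000Z\nhttps://example.com/report-a-bug/\n"
```

Running `check_security_txt(GOOD, CHECK_TIME)` returns an empty list, while the `BAD` sample yields four findings, one for each defect listed in the lead-in.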
⚠️ Want me to hack into your app and tell you how I did it, so you can fix it before someone else finds it? Book in a Laravel Security Audit and Penetration Test! 🕵️
👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code! 🕵️