What is security.txt?
Security is all about tradeoffs. We all know we should be doing something about it in our applications, yet so few of us do. Strangely enough, one of the highest-impact things you can do on that front is not even technical: providing a security contact page.
Creating and publicising a security page is an excellent way to get started on the path to managing your application's security. Writing such a page is not that easy (we will cover that in a future article), but the bigger bottleneck has been making it easily reachable by the people who matter: the researchers who find a vulnerability and need to know where to report it.
Until recently this was left to your own discretion. Developers would generally put a simple link in the footer of their website or on the company's about page. Others wouldn't publish any link to it but would just have a page available at /security. We have even seen some developers bury that page deep in their website, defeating the whole point of having a security page in the first place.
Enter the security.txt proposed standard. This standard, created by a group of application security enthusiasts, aims to help with exactly this. A file placed at a known location (/.well-known/security.txt) lets you publish the essence of your policy and a point of contact, and lets you refer people to your existing security page for further information.
The file format is closely modelled on the well-known robots.txt. Here is an example:
Contact: security@sqreen.com
Policy: https://www.sqreen.com/security
The community seems to very much like this new standard and it is getting traction from plenty of places in the industry. Some tooling around it is already available in Go, PHP, and Node.
Security.txt for Ruby
We are also pleased to announce tools for Ruby, a language dear to many Sqreen.io customers and to yours truly. The gem 'securitytxt' includes a dedicated Rails engine, a Rack middleware, and a simple generator and parser.
Installation
Add this line to your application’s Gemfile:
gem 'securitytxt'
And then execute:
$ bundle
Using the Rails engine
Create an initializer with the policy you want to set:
# config/initializers/securitytxt.rb
SecurityTxt.contact = "me@organization.com"
SecurityTxt.encryption = "https://www.mykey.com/pgp-key.txt"
Using the Rack middleware
Add the middleware to your chain in your config.ru:
require 'securitytxt'
policy = {
"contact" => "me@organization.com",
"encryption" => "https://www.mykey.com/pgp-key.txt"
}
use SecurityTxt::Middleware, policy
Parsing a Security.txt
Simply passing a string should be enough to get the data back:
require "securitytxt/parser"
require "open-uri"
# URI.open is the open-uri entry point; the bare Kernel#open form no longer fetches URLs on current Ruby.
body = URI.open("https://securitytxt.org/.well-known/security.txt").read
SecurityTxt::Parser.new.parse(body)
# Outputs {"contact"=>"https://hackerone.com/ed", "encryption"=>"https://keybase.pub/edoverflow/pgp_key.asc", "acknowledgements"=>"https://hackerone.com/ed/thanks"}
Generating a Security.txt
require 'securitytxt/generator'
policy = {
"contact" => "https://hackerone.com/ed",
"encryption" => "https://keybase.pub/edoverflow/pgp_key.asc",
"acknowledgements" => "https://hackerone.com/ed/thanks"
}
puts SecurityTxt::Generator.new(policy).generate
# Outputs
#
# Contact: https://hackerone.com/ed
# Encryption: https://keybase.pub/edoverflow/pgp_key.asc
# Acknowledgements: https://hackerone.com/ed/thanks
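To show what the Rack middleware, the parser and the generator above actually do under the hood, here is a self-contained version of all three. This is an added example, not the securitytxt gem's own code; the SecurityTxtDemo module and its method names are assumptions, and it treats Contact as mandatory, as the draft does. It only depends on the Rack call(env) convention, so it runs without the rack gem installed.

```ruby
# Added example (not the securitytxt gem): generator, parser and a Rack-compatible
# middleware for /.well-known/security.txt. Names in this module are assumptions.
module SecurityTxtDemo
  # Builds the file body from a hash of lowercase field names, e.g. {"contact" => "..."}.
  # Field names are capitalised on output ("Contact: ..."); Contact is required.
  def self.generate(policy)
    raise ArgumentError, "Contact is required in security.txt" unless policy.key?("contact")
    policy.map { |field, value| "#{field.capitalize}: #{value}" }.join("\n") + "\n"
  end

  # Parses "Field: value" lines, skipping blank lines and '#' comments.
  # A field that appears several times (e.g. two Contact lines) is collected into an array,
  # so no contact address is silently dropped.
  def self.parse(text)
    text.each_line.with_object({}) do |line, result|
      line = line.strip
      next if line.empty? || line.start_with?("#")
      field, value = line.split(":", 2)
      next if value.nil? # not a "Field: value" line, ignore it
      key = field.strip.downcase
      value = value.strip
      result[key] = result.key?(key) ? Array(result[key]) << value : value
    end
  end

  # Rack middleware: answers GET /.well-known/security.txt itself and passes every
  # other request to the downstream app untouched.
  class Middleware
    PATH = "/.well-known/security.txt"

    def initialize(app, policy)
      @app = app
      @body = SecurityTxtDemo.generate(policy) # validated once, at boot
    end

    def call(env)
      unless env["PATH_INFO"] == PATH && env["REQUEST_METHOD"] == "GET"
        return @app.call(env)
      end
      headers = {
        "Content-Type" => "text/plain; charset=utf-8",
        "Content-Length" => @body.bytesize.to_s
      }
      [200, headers, [@body]]
    end
  end
end
```

Wire it in with `use SecurityTxtDemo::Middleware, policy` in config.ru exactly as for the gem's middleware; a policy without a contact fails at boot rather than serving an unusable file.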
Start adding a security.txt to your applications today. It's easy and will ease any future responsible disclosure on your website. Interested in learning how to protect your Ruby on Rails app against injections? Check out this article we wrote.