Ulrich Berntien edited this page Sep 2, 2020 · 1 revision

TWA-0504

Message

"No security file found at: ${domain}/.well-known/security.txt"

In the message output, the variable ${domain} is replaced by the checked domain, so ${domain}/.well-known/security.txt is the URL at which the security policies file was expected.

Explanation

Each web site should provide a security policies file named security.txt, stored in the top-level .well-known directory at the root of the web site.

The file should contain contact information for a web site administrator. Security researchers can use this contact if they have found an issue on the web site or on the web server.

Remediation

Implement a process to handle security issues, e.g. an e-mail address and people who read the messages and respond to them.

Add a valid security.txt file to the .well-known directory of your web server. The file can also be generated online: security.txt

See also the Internet-Draft: A File Format to Aid in Security Vulnerability Disclosure.
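As an added example, not part of the TWA tool or this wiki page, the following POSIX shell script reproduces the TWA-0504 decision and goes one step further by checking that the fetched file actually carries a usable Contact: field (a mailto:, https:// or tel: URI, as the Internet-Draft expects). The function names and the two sample file bodies are constructed for this illustration.

```shell
#!/bin/sh
# Added example: a minimal version of the TWA-0504 check, split into
# fetching the well-known file and validating its contact information.

# fetch_security_txt DOMAIN: print the body of the well-known security.txt,
# return non-zero when the server does not serve it (the TWA-0504 condition).
fetch_security_txt() {
    curl -sSf --max-time 10 "https://$1/.well-known/security.txt"
}

# has_contact: read a security.txt body on stdin and return 0 when at least
# one uncommented "Contact:" field carries a mailto:, https:// or tel: URI.
# Field names are matched case-insensitively; "# ..." comment lines are skipped
# because they never start with "Contact:".
has_contact() {
    grep -Eiq '^Contact:[[:space:]]*(mailto:|https://|tel:)'
}

# check_domain DOMAIN: run both steps against a live host and print the same
# message TWA emits when the file is missing (hypothetical wrapper).
check_domain() {
    domain=$1
    if ! body=$(fetch_security_txt "$domain"); then
        echo "No security file found at: ${domain}/.well-known/security.txt"
        return 1
    fi
    if ! printf '%s\n' "$body" | has_contact; then
        echo "security.txt at ${domain} has no usable Contact: field"
        return 2
    fi
    echo "security.txt at ${domain} names a contact"
}

# Constructed sample bodies used for the offline self-check below.
GOOD_SECURITY_TXT='# Constructed sample: a usable file
Contact: mailto:security@example.com
Contact: https://example.com/security-policy'

BAD_SECURITY_TXT='# Constructed sample: no usable contact
# Contact: mailto:nobody@example.com   (commented out, so it does not count)
Contact: security@example.com'

# With a domain argument the live check runs; without one the samples
# exercise the validator offline.
if [ "$#" -gt 0 ]; then
    check_domain "$1"
else
    printf '%s\n' "$GOOD_SECURITY_TXT" | has_contact && echo "sample 1: contact found"
    printf '%s\n' "$BAD_SECURITY_TXT" | has_contact || echo "sample 2: no usable contact"
fi
```

The bare e-mail address in the second sample is rejected on purpose: the Internet-Draft requires the Contact value to be a URI, so an address without the mailto: scheme is not a valid contact.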
