What is security.txt?

Security is all about tradeoffs. We all know we should be doing something about it in our application, yet, so few of us do. Strangely enough one of the higher impacting things you can do on that topic is not even technical: Providing a security contact page.

Creating and broadcasting a security page is an excellent way to get you started on the path to managing your application security. While writing such a security page is not that easy (we will cover that in a future article), the bigger bottleneck was to make this page easily accessible to the people that matter.

Until recently this was left to your own discretion. Developers would generally put a simple link in the footer of their website or the company about page. Others wouldn’t disclose any link to it but just have a page available at /security . We have even seen some developers burying that page in their website thus defeating the whole point of having a security page in the first place.

Enter the security.txt proposed standard. This standard created by a bunch of application security enthusiasts aims to help with this. This file placed in a known location ( /.well-known/security.txt ) is a way for you to publish the very essence of your policy and give a point of contact. It also enables you to refer people to your existing security page for further information.

The format of the file is highly inspired by the very well known robots.txt file. Here is an example:

Contact: security@sqreen.com Policy: https://www.sqreen.com/security

The community seemed to very much like this new standard and it seems to be

getting traction from plenty of places in the industry. Some tooling around it is already available in Go, PHP, and Node.

Security.txt for Ruby

We are also pleased to announce tools for Ruby, a language dear to many a Sqreen.io customers but also to yours truly. The gem ‘securitytxt’ includes a dedicated Rails engine, a Rack middleware, and a simple generator and parser.

Installation

Add this line to your application’s Gemfile:

gem 'securitytxt'

And then execute:

$ bundle

Using the Rails engine

Create an initializer with the policy you want to set:

# config/initializers/securitytxt.rb SecurityTxt.contact = "me@organization.com" SecurityTxt.encryption = "https://www.mykey.com/pgp-key.txt"

Using the Rack middleware

Add the middleware to your chain in your config.ru

require 'securitytxt' policy = { "contact" => "me@organization.com", "encryption" => "https://www.mykey.com/pgp-key.txt" } use SecurityTxt::Middleware, policy

Parsing a Security.txt

Simply passing a string should be enough to get data back

require "securitytxt/parser" require "open-uri" SecurityTxt::Parser.new.parse(open("https://securitytxt.org/.well-known/security.txt").read) # Outputs {"contact"=>"https://hackerone.com/ed", "encryption"=>"https://keybase.pub/edoverflow/pgp_key.asc", "acknowledgements"=>"https://hackerone.com/ed/thanks"}

Generating a Security.txt

require 'securitytxt/generator' puts SecurityTxt::Generator.new({"contact"=>"https://hackerone.com/ed", "encryption"=>"https://keybase.pub/edoverflow/pgp_key.asc", "acknowledgements"=>"https://hackerone.com/ed/thanks"}).generate # Outputs # # Contact: https://hackerone.com/ed # Encryption: https://keybase.pub/edoverflow/pgp_key.asc # Acknowledgements: https://hackerone.com/ed/thanks

Start adding your security.txt today on your applications. It’s easy and will ease any future responsible disclosure on your website. Interested in learning how to protect your Ruby on Rails app against injections? Check out this article we wrote.