Security.txt
01 Nov 2023
Introduction
As part of an ongoing effort to improve my site, it came to my attention that I had forgotten an important file: security.txt. According to the specification, RFC 9116, each site should contain one.
This implies that I also require one, so it is time to implement it.
Implementation
First I need to find out how to implement it. According to the specification, the file should be located in the .well-known folder. This folder cannot be created in GitHub Pages with Jekyll, so a different solution has to be found.
Doing some DuckDuckGo searching, I found a solution: https://maxchadwick.xyz/blog/the-well-known-folder-and-github-pages-jekyll
So I created my own implementation in /security.txt:
---
layout: none
permalink: .well-known/security.txt
---
This is a good start. Time to fill in the content:
Contact: mailto:security@mrbussy.eu
Expires: 2024-12-30T23:00:00.000Z
Encryption: openpgp4fpr:112AF5458E55B1D08CA30537923EAC2A4EAB7F6B
Preferred-Languages: en, nl
Canonical: https://mrbussy.eu/.well-known/security.txt
This is a good next step. However, I want to add a GPG signature so that you can verify the authenticity of the file. As I use Emacs
as my editor, this was quite simple to do:
- Select the region with the text (leave out the front-matter header)
- Call
(epa-sign-region)
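Before committing, it is worth checking that the body that ends up inside the signature actually satisfies RFC 9116: Contact and Expires present, Expires in the future and not unreasonably far out, and Canonical matching the URL the file is served from. The checker below is an added example, not code from the post or from the linked article. It strips an OpenPGP cleartext-signature wrapper (as produced by epa-sign-region) before parsing, then applies those checks. The domain example.org, the fingerprint and the signature block in SAMPLE are constructed placeholders; only the field set and the Expires value mirror the post. Verifying the signature itself is gpg's job, not this script's.

```python
"""Check a security.txt body against the RFC 9116 rules that matter most when
publishing one: required fields, fields that may appear only once, the Expires
window, and a Canonical URI that matches where the file is served. An OpenPGP
cleartext signature wrapper is stripped before parsing; the signature itself is
verified with gpg, not here."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: same field set as the post, with a placeholder domain,
# a dummy 40-hex-digit fingerprint and a placeholder signature block.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.org
Expires: 2024-12-30T23:00:00.000Z
Encryption: openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567
Preferred-Languages: en, nl
Canonical: https://example.org/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEplaceholderplaceholderplaceholder=
-----END PGP SIGNATURE-----
"""
SAMPLE_URL = "https://example.org/.well-known/security.txt"  # constructed

REQUIRED = ("contact", "expires")
AT_MOST_ONCE = ("expires", "preferred-languages")

CLEARTEXT_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n"   # armor header
    r"(?:[A-Za-z-]+: [^\n]*\n)*\n"            # e.g. "Hash: SHA256" plus the blank line
    r"(.*?)\n"                                # the signed body
    r"-----BEGIN PGP SIGNATURE-----",
    re.S,
)


def strip_cleartext_signature(text):
    """Return the signed body of a cleartext signature, or the text unchanged."""
    m = CLEARTEXT_RE.search(text)
    return m.group(1) if m else text


def parse_fields(body):
    """Parse 'Name: value' lines into (name, value) pairs; skip blank and # comment lines."""
    fields = []
    for line in body.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {line!r}")
        fields.append((name.strip(), value.strip()))
    return fields


def parse_expires(value):
    """Parse an RFC 3339 timestamp; fromisoformat only accepts a bare 'Z' from Python 3.11 on."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(text, fetched_url=None, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(strip_cleartext_signature(text))
    names = [n.lower() for n, _ in fields]          # field names are case-insensitive
    problems = [f"missing required field {r}" for r in REQUIRED if r not in names]
    problems += [f"field {s} may appear only once" for s in AT_MOST_ONCE if names.count(s) > 1]
    for name, value in fields:
        key = name.lower()
        if key == "contact":
            if value.startswith("http://"):
                problems.append("Contact web URIs must use https://")
            elif ":" not in value:
                problems.append(f"Contact must be a URI (mailto:, tel:, https:): {value}")
        elif key == "expires":
            try:
                expires = parse_expires(value)
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
                continue
            if expires <= now:
                problems.append("file has expired; researchers should not rely on it")
            elif expires > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        elif key == "canonical":
            if not value.startswith("https://"):
                problems.append(f"Canonical must be an https URI: {value}")
            if fetched_url and value != fetched_url:
                problems.append(f"Canonical {value} differs from fetched URL {fetched_url}")
        elif key == "encryption" and value.lower().startswith("openpgp4fpr:"):
            if not re.fullmatch(r"openpgp4fpr:[0-9A-Fa-f]{40}", value):
                problems.append(f"openpgp4fpr value must be a 40-hex-digit fingerprint: {value}")
    return problems


def check_sample(year, month, day):
    """Run the checks over the constructed sample at a fixed clock, so the result is stable."""
    clock = datetime(year, month, day, tzinfo=timezone.utc)
    return validate(SAMPLE, fetched_url=SAMPLE_URL, now=clock)


if __name__ == "__main__":
    print("before expiry:", check_sample(2024, 6, 1) or "OK")
    print("after expiry: ", check_sample(2025, 1, 1) or "OK")
```

Run it against the fetched file rather than the source in the repository when possible: that is the only way the Canonical comparison and the signature-stripping path exercise what a researcher will actually download.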
Now it is time to commit, create this blog post and submit to GitHub.