Security-wg: security.txt file on nodejs.org

Created on 5 Mar 2018 · 9 Comments · Source: nodejs/security-wg

security.txt files (https://securitytxt.org/) are getting popular these days and I think they are fairly useful in reducing friction in reporting security problems.

I think putting such a file on nodejs.org Web site would not hurt. What do you think about generating and uploading such a file on the Web site?

All 9 comments

Yes, this needs to be done imo.
/cc @nodejs/website @nodejs/security.

That's a great idea.

I love it. Curious how widely used security.txt is in production?

@bnb That's relatively new, but it's emerging pretty fast. Also:

+1 for security.txt. I think it could look like this -

Contact: [email protected]
Policy: https://nodejs.org/en/security/
Contribute: https://github.com/nodejs/security-wg :)

Although it is supposed to be in the /.well-known path, it would be great to create an alias to put it in the root as well (just like robots.txt). Facebook has done it too (https://www.facebook.com/security.txt).
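A small parser and checker for a file like the one proposed above, added here as an example; it is not code from nodejs.org, the security-wg, or the referenced PRs. The field rules it applies follow RFC 9116, the final form of the securitytxt.org draft this thread discusses: in particular RFC 9116 made the Expires line mandatory, which the 2018 draft did not. The sample file, its placeholder contact address and the expiry date are constructed.

```python
"""Parse and sanity-check a security.txt file.

Added example for this thread; not code from nodejs.org or the Node.js
security-wg. Field rules follow RFC 9116 (the final version of the
securitytxt.org draft discussed above). The sample file and its
placeholder address are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: the fields proposed in the thread, plus the Expires line
# that RFC 9116 later made mandatory. The address is a placeholder.
SAMPLE = """\
# security.txt for nodejs.org (constructed sample)
Contact: mailto:security@example.invalid
Policy: https://nodejs.org/en/security/
Contribute: https://github.com/nodejs/security-wg
Expires: 2099-01-01T00:00:00Z
"""

# Fields whose value is a web URL; RFC 9116 requires https for these.
WEB_FIELDS = ("policy", "canonical", "acknowledgments", "hiring")


@dataclass
class SecurityTxt:
    # field name (lower-cased) -> values in file order; a field may repeat
    fields: dict[str, list[str]] = field(default_factory=dict)
    # syntax problems found while parsing
    problems: list[str] = field(default_factory=list)


def parse_security_txt(text: str) -> SecurityTxt:
    """Parse 'Field: value' lines; '#' lines are comments, names are case-insensitive."""
    doc = SecurityTxt()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only, so 'Contact: mailto:x@y' keeps its URI intact
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            doc.problems.append(f"line {lineno}: not a 'Field: value' line: {raw!r}")
            continue
        doc.fields.setdefault(name.strip().lower(), []).append(value.strip())
    return doc


def _parse_expires(value: str) -> datetime | None:
    """ISO 8601 timestamp; tolerate a trailing 'Z' and treat a naive time as UTC."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        when = datetime.fromisoformat(text)
    except ValueError:
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def check_security_txt(doc: SecurityTxt, now: datetime | None = None) -> list[str]:
    """Return findings; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    findings = list(doc.problems)

    # Contact: at least one, and it must be a URI (mailto:, tel: or https:)
    contacts = doc.fields.get("contact", [])
    if not contacts:
        findings.append("missing required field: Contact")
    for c in contacts:
        if urlparse(c).scheme.lower() not in ("mailto", "https", "tel"):
            findings.append(f"Contact must be a mailto:, https: or tel: URI: {c!r}")

    # Expires: exactly one, parseable, and still in the future
    expires = doc.fields.get("expires", [])
    if not expires:
        findings.append("missing required field: Expires")
    elif len(expires) > 1:
        findings.append("Expires must appear only once")
    else:
        when = _parse_expires(expires[0])
        if when is None:
            findings.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        elif when <= now:
            findings.append(f"file expired on {expires[0]}; its contact data may be stale")

    # Web-URL fields must not point at plain http
    for name in WEB_FIELDS:
        for v in doc.fields.get(name, []):
            if urlparse(v).scheme.lower() != "https":
                findings.append(f"{name.capitalize()} must be an https URL: {v!r}")
    return findings


if __name__ == "__main__":
    result = check_security_txt(parse_security_txt(SAMPLE))
    print("OK" if not result else "\n".join(result))
```

Run it against the file actually served at /.well-known/security.txt (and at the root alias, if one is configured) to confirm both copies parse identically; the root alias is only useful if it stays in sync with the well-known one.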

The spec actually recommends the redirect from the root to /.well-known:

https://tools.ietf.org/html/draft-foudil-securitytxt-03#section-4.1

PR nodejs/nodejs.org#1589 submitted against the Node.js Web site repo.

The PR ☝️ has been merged. We now need the PR to update NGINX configuration to be merged: nodejs/build#1181.

Both PRs have been merged, the file has been up on the site for some time now and all seems to be working fine. Closing.
