Security.txt file generator (RFC 9116)
I just created my first application with Golang. I am pretty sure that the code is ugly, but it works :)
What is Security.txt
Security.txt is defined in RFC 9116 and has by now been adopted by a range of companies. The idea is to publish a small text file at a predefined address on a website ( https://xxx.test/.well-known/security.txt ). The RFC requires the file to be served over HTTPS; a copy at the top-level /security.txt is allowed only for legacy compatibility. The content of the file tells a researcher how the organisation can be contacted if security problems and vulnerabilities are found in the organisation’s services: at minimum a Contact field (a mailto:, tel: or https:// URI) and an Expires field, the date after which the file should no longer be trusted.
Quote from Securitytxt.org
“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”
Example of Google’s security.txt (RFC non-compliant).
Security.txt Usage in 2022
Red Maple Technologies surveyed an aggregated list of the top 1 million most visited websites (built from several datasets), the most valuable companies in the UK and US, and a number of UK-based financial companies.
99.63% of the top 1M websites do not use a security.txt file. The columns indicate which fields are used.
The results show that 5 websites have a security.txt file, while 95 do not.
The results show that 18 (3.6%) have a security.txt file, while 472 (96.4%) do not.
The survey shows that adoption of security.txt is slow. Hopefully more and more organisations will adopt it, so that it becomes easier to get in touch when security problems arise.
Since I want to share the joy of the security.txt file with the world, I made a small program that generates the file and optionally signs it (RFC 9116 allows an OpenPGP cleartext signature over the file) easily and conveniently. You can, for example, run it in the CI/CD release pipeline, which also regenerates the mandatory Expires date with every release instead of letting it quietly lapse. The Go application can be found on GitHub.
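To show what such a generator has to get right, here is a stand-alone Go example that renders a security.txt body from a struct, parses a file back into fields, and checks the RFC 9116 rules that are easy to break (missing Contact or Expires, an http:// contact URI, an Expires that has already passed or lies more than a year ahead, a duplicated Preferred-Languages line). It is an added example written for this page, not the author's program from GitHub; the example.test URIs and the sample dates are assumed values, and the broken input is constructed to trip the checks. Signing is left out because the standard library has no OpenPGP support.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// SecurityTxt carries the RFC 9116 fields this example emits. Contact and
// Expires are mandatory; Preferred-Languages is optional and skipped when empty.
type SecurityTxt struct {
	Contact            []string  // URIs, most preferred first
	Expires            time.Time // RFC 3339 timestamp, ideally under a year out
	PreferredLanguages string    // comma-separated language tags, one line at most
}

// Render writes the file body. Contact lines come first because RFC 9116
// reads their order as the order of preference.
func (s SecurityTxt) Render() string {
	var b strings.Builder
	for _, c := range s.Contact {
		fmt.Fprintf(&b, "Contact: %s\n", c)
	}
	fmt.Fprintf(&b, "Expires: %s\n", s.Expires.UTC().Format(time.RFC3339))
	if s.PreferredLanguages != "" {
		fmt.Fprintf(&b, "Preferred-Languages: %s\n", s.PreferredLanguages)
	}
	return b.String()
}

// Parse reads "Field: value" lines into a map. RFC 9116 field names are
// case-insensitive, so they are lower-cased; blank lines and "#" comments are skipped.
func Parse(content string) (map[string][]string, error) {
	fields := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ":", 2) // limit 2: URIs and timestamps contain colons
		if len(parts) != 2 {
			return nil, fmt.Errorf("line %d: expected \"Field: value\"", n)
		}
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		fields[name] = append(fields[name], strings.TrimSpace(parts[1]))
	}
	return fields, sc.Err()
}

// Validate applies the RFC 9116 MUST/SHOULD rules a generator should enforce
// before publishing. now is a parameter so results are repeatable.
func Validate(fields map[string][]string, now time.Time) []error {
	var errs []error
	if len(fields["contact"]) == 0 {
		errs = append(errs, errors.New("Contact: required field is missing"))
	}
	// Values must be URIs, and web URIs in these fields MUST be https; mailto:/tel: are fine.
	for _, f := range []string{"contact", "acknowledgments", "canonical", "encryption", "hiring", "policy"} {
		for _, v := range fields[f] {
			u, err := url.Parse(v)
			if err != nil || u.Scheme == "" || strings.EqualFold(u.Scheme, "http") {
				errs = append(errs, fmt.Errorf("%s: %q must be a URI, and web URIs must use https://", f, v))
			}
		}
	}
	switch exp := fields["expires"]; len(exp) {
	case 0:
		errs = append(errs, errors.New("Expires: required field is missing"))
	case 1:
		t, err := time.Parse(time.RFC3339, exp[0])
		switch {
		case err != nil:
			errs = append(errs, fmt.Errorf("Expires: %q is not an RFC 3339 timestamp", exp[0]))
		case !t.After(now):
			errs = append(errs, fmt.Errorf("Expires: %s has passed; the file is stale", exp[0]))
		case t.After(now.AddDate(1, 0, 0)):
			errs = append(errs, fmt.Errorf("Expires: %s is over a year out; RFC 9116 recommends less", exp[0]))
		}
	default:
		errs = append(errs, errors.New("Expires: must appear exactly once"))
	}
	if len(fields["preferred-languages"]) > 1 {
		errs = append(errs, errors.New("Preferred-Languages: must not appear more than once"))
	}
	return errs
}

func main() {
	now := time.Now()
	// Assumed values for a hypothetical site, not taken from the page.
	good := SecurityTxt{Contact: []string{"mailto:security@example.test"}, Expires: now.AddDate(0, 6, 0)}
	fmt.Print(good.Render())
	// Constructed bad file: http contact, duplicated Preferred-Languages, no Expires.
	bad, _ := Parse("Contact: http://example.test/report\nPreferred-Languages: en\nPreferred-Languages: fi\n")
	for _, err := range Validate(bad, now) {
		fmt.Println("error:", err)
	}
}
```

Running Validate on the generator's own output before it is committed turns a silently broken file (the kind of RFC non-compliance the Google screenshot above illustrates) into a failed pipeline step, and feeding it the file already published on the site catches an Expires date that has run out.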
This was my first “real” Go-application, and it looks like it :)