Has anyone requested your security.txt file yet?

         

SumGuy

12:57 am on Aug 27, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



Way back on April 11, 2018 I had an http request from 66.240.236.119 (aka census6.shodan.io) for /.well-known/security.txt. I believe that was the first time I ever saw a request for that file. On Aug 12 (so about 2 weeks ago) I had an http and https request for

/.well-known/security.txt
/security.txt

from 122.199.32.25 (what-ever.ip4.superloop.com) with user-agent Go-http-client/1.1

I blocked that /24 after seeing that. I note yesterday that same IP tried to make an http/https request - for what I don't know because the request was dropped, but I suspect it was again for security.txt. Who or what is behind that IP making the request, I don't know.

But that motivated me to look into the security.txt file. I might create one, maybe put an ascii-art hand gesture in it.

Anyone else getting requests for that file?

lucy24

2:29 am on Aug 27, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



:: detour to raw logs ::

Goodness, what a lot of them. Many robots seem to like making paired requests: /security.txt followed by /.well-known/security.txt. And every last one received a 403, tralala.

:: further inspection of various htaccess files ::

My own rule is to serve a manual 404 on everything in /.well-known/ except the /acme-challenge/ verification file. But the host has insisted on putting in an htaccess of their own, returning a 403 in the same circumstances. (But, but, splutter, what happens if I need to put something else in /.well-known/ ?)

:: final inspection of logged headers ::

Bah. They would all have received a 403 anyway, thanks to assorted header deficits.

What would be in security.txt if a site had one?

graeme_p

9:43 am on Aug 27, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It is for contact details for security reports.

tangor

7:21 am on Aug 29, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I get lots of requests. Since I don't have one it results in 404s.

csdude55

4:24 am on Sep 2, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This is a new one for me, but apparently it's a real thing:

[securitytxt.org...]

I was blocking it via CONF and giving them a forbidden... whoops! LOL
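An added example, not part of any post in this thread: one way to check your own access log for the paired /security.txt and /.well-known/security.txt requests described above, and to see whether those clients received a 403 or a 404. It assumes the Apache/nginx "combined" log format; the sample lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed; adjust for a custom LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
PATHS = {"/security.txt", "/.well-known/security.txt"}

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2021:03:14:07 +0000] "GET /security.txt HTTP/1.1" 403 199 "-" "Go-http-client/1.1"
192.0.2.10 - - [12/Aug/2021:03:14:08 +0000] "GET /.well-known/security.txt HTTP/1.1" 403 199 "-" "Go-http-client/1.1"
198.51.100.7 - - [12/Aug/2021:04:00:00 +0000] "GET /.well-known/security.txt?x=1 HTTP/1.1" 404 153 "-" "ExampleScanner/0.1"
203.0.113.5 - - [12/Aug/2021:04:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

def summarize(log_text):
    """Group security.txt requests by client IP; skip unparseable lines."""
    clients = defaultdict(lambda: {"paths": set(), "statuses": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in PATHS:
            continue
        c = clients[m["ip"]]
        c["paths"].add(path)
        c["statuses"].add(int(m["status"]))
        c["agents"].add(m["ua"])
    report = {}
    for ip, c in clients.items():
        report[ip] = {
            "paired": c["paths"] == PATHS,    # asked for both locations
            "refused": 403 in c["statuses"],  # blocked rather than "not found"
            "statuses": sorted(c["statuses"]),
            "agents": sorted(c["agents"]),
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Clients flagged `refused` are the ones a blanket deny rule on /.well-known/ would turn away even after a security.txt file is published there.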