DIVD-NL / web-csirt

https://www.divd.nl and https://csirt.divd.nl websites
https://www.divd.nl
MIT License

Add (DNS) Securitytxt #339

Closed cookiemonster closed 1 year ago

cookiemonster commented 2 years ago

Please add records for divd.nl and csirt.divd.nl

xstp commented 2 years ago

security.txt is up, but the htaccess rules probably block access. Still have to add an exception rule.

MrSeccubus commented 2 years ago

I suspect that .well-known is being intercepted by the BIT load balancers to issue letsencrypt certificates.

xstp commented 2 years ago

> I suspect that .well-known is being intercepted by the BIT load balancers to issue letsencrypt certificates.

Could be the root cause! I had a small typo in there, so the PR I opened might fix it, otherwise we can still try to add a rule like:

```
RewriteRule ^\.well-known/.+ - [END]
```

If that fails, security.txt is also allowed on the root directory according to the RFC.

MrSeccubus commented 2 years ago

No rewrite rules needed. I fixed it by creating the directory .well-known on the server and then in that directory creating a symlink to ../security.txt

This is now fixed from www and csirt for security.txt

@cookiemonster I do not have the power to manipulate DNS, suggest you create a ticket for the IT services team for that.

xstp commented 1 year ago

DNS probably has to be done on TransIP.

sT0wn-nl commented 1 year ago

security.txt is also published in the DNS zones hosted on TransIP, for example:

```
dig TXT +short divd.nl | grep -v spf
"security_contact=https://app.zerocopter.com/en/rd/f9afbf32-ce59-48ed-96f2-ac4410595aa4"
"security_policy=https://www.divd.nl/security/"
```

I think this one can be closed now.
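
A check an operator could run against the published zone, shown as an added example (not part of the original thread and not DIVD's tooling): it parses `dig +short TXT` output, skips unrelated records such as SPF, and validates the `security_contact=` / `security_policy=` values. The function name, the sample records (example.org) and the pass rule (a contact record must be present and every value must be an `https://` or `mailto:` URI) are assumptions.

```shell
#!/bin/sh
# Added example: validate DNS Security TXT records from `dig +short TXT` output.
# Function name, sample data and pass/fail rules are assumptions.

# Constructed sample: an SPF record, a contact record split by the DNS server
# into two character-strings, and a policy record.
SAMPLE_OK='"v=spf1 include:_spf.example.org -all"
"security_contact=https://example.org/" "report"
"security_policy=https://example.org/security/"'

# Constructed sample: contact published over plain http (rejected here).
SAMPLE_BAD='"security_contact=http://example.org/report"'

# Reads `dig +short TXT <domain>` output on stdin, prints "key value" for each
# valid security_* record, and returns 0 only if a valid security_contact
# exists and no security_* record carries an invalid value.
check_dns_security_txt() {
    contact=0
    bad=0
    while IFS= read -r line; do
        # dig prints one record per line as quoted character-strings;
        # join the strings of a record and strip the outer quotes.
        rec=$(printf '%s' "$line" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        case $rec in
            security_contact=*) key=security_contact ;;
            security_policy=*)  key=security_policy ;;
            *) continue ;;      # SPF, site verification tokens, etc.
        esac
        val=${rec#*=}
        case $val in
            https://?*|mailto:?*@?*)
                printf '%s %s\n' "$key" "$val" ;;
            *)
                printf 'INVALID %s %s\n' "$key" "$val"
                bad=1
                continue ;;
        esac
        if [ "$key" = security_contact ]; then contact=1; fi
    done
    [ "$contact" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Stand-alone run on the constructed sample; against a live zone the input
# would come from: dig +short TXT <domain> | check_dns_security_txt
printf '%s\n' "$SAMPLE_OK" | check_dns_security_txt
```
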

MrSeccubus commented 1 year ago

Thanks @sT0wn-nl