disclose / dnssecuritytxt

A standard allowing organizations to nominate security contact points and policies via DNS TXT records.
https://dnssecuritytxt.org
MIT License

RFC9116 #11

Open mdavids opened 1 year ago

mdavids commented 1 year ago

The website says: "Just as security.txt can be deployed into either the root or the .well-known directory of a webserver,...", but with RFC9116 this is no longer true. RFC9116 says: "For web-based services, organizations MUST place the "security.txt" file under the "/.well-known/" path"

UPDATE: In "3 Location of the security.txt File" it says different, so I was wrong. Please close ticket.

oh2fih commented 1 year ago

The /.well-known/security.txt is the correct path, and /security.txt is allowed only for backwards compatibility.

A complete quote from RFC 9116 section 3:

For web-based services, organizations MUST place the "security.txt" file under the "/.well-known/" path, e.g., https://example.com/.well-known/security.txt as per [RFC8615] of a domain name or IP address. For legacy compatibility, a "security.txt" file might be placed at the top-level path or redirect (as per Section 6.4 of [RFC7231] ) to the "security.txt" file under the "/.well-known/" path. If a "security.txt" file is present in both locations, the one in the "/.well-known/" path MUST be used.

While the website could argue both are allowed, they should still be in reverse order:

Just as security.txt can be deployed into either the .well-known directory or root of a webserver,...
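The precedence rule quoted above (the `/.well-known/` file MUST win when both exist; the top-level file or a redirect from it is tolerated only for legacy compatibility) is easy to get wrong in a checker that simply tries `/security.txt` first. The resolver below is an added example, not code from the dnssecuritytxt project or from RFC 9116; it models HTTP responses with a constructed in-memory table instead of network fetches, and the names `Response`, `resolve_security_txt` and `make_fetcher` are hypothetical.

```python
"""Resolve which security.txt location applies under RFC 9116 section 3.

Added example, not part of the dnssecuritytxt project. HTTP fetching is
replaced by an in-memory table of constructed responses so it runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

WELL_KNOWN = "/.well-known/security.txt"   # mandated location (RFC 8615 path)
LEGACY = "/security.txt"                   # tolerated only for legacy clients


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (hypothetical type)."""
    status: int
    body: str = ""
    location: Optional[str] = None  # Location header on 3xx responses


@dataclass
class Resolution:
    path: str            # path whose content is authoritative
    body: str
    legacy: bool         # True when only the top-level file was usable
    notes: List[str] = field(default_factory=list)


Fetcher = Callable[[str], Response]


def resolve_security_txt(fetch: Fetcher, max_redirects: int = 3) -> Optional[Resolution]:
    """Apply the RFC 9116 section 3 precedence:

    1. If /.well-known/security.txt is served (200), it MUST be used,
       regardless of what the top-level path contains.
    2. Otherwise try /security.txt, following a redirect (e.g. back to the
       /.well-known/ path) up to max_redirects times.
    3. Nothing found: return None.
    """
    notes: List[str] = []
    wk = fetch(WELL_KNOWN)
    if wk.status == 200:
        # Record, but do not use, a conflicting top-level copy.
        top = fetch(LEGACY)
        if top.status == 200 and top.body != wk.body:
            notes.append("top-level security.txt differs from /.well-known/ copy; ignored")
        return Resolution(WELL_KNOWN, wk.body, legacy=False, notes=notes)

    path = LEGACY
    for _ in range(max_redirects + 1):
        resp = fetch(path)
        if resp.status == 200:
            is_legacy = path == LEGACY
            if is_legacy:
                notes.append("only top-level security.txt found; deprecated location")
            return Resolution(path, resp.body, legacy=is_legacy, notes=notes)
        if 300 <= resp.status < 400 and resp.location:
            path = resp.location
            continue
        break
    return None


def make_fetcher(site: Dict[str, Response]) -> Fetcher:
    """Build a fetcher over a constructed path -> Response table."""
    return lambda path: site.get(path, Response(404))


# Constructed sample sites (no real hosts involved).
SITE_BOTH = {
    WELL_KNOWN: Response(200, "Contact: mailto:security@example.com\n"),
    LEGACY: Response(200, "Contact: mailto:stale@example.com\n"),
}
SITE_REDIRECT = {
    LEGACY: Response(301, location=WELL_KNOWN),
    WELL_KNOWN: Response(200, "Contact: mailto:security@example.com\n"),
}
SITE_LEGACY_ONLY = {LEGACY: Response(200, "Contact: mailto:security@example.com\n")}
SITE_LOOP = {LEGACY: Response(302, location=LEGACY)}

if __name__ == "__main__":
    for name, site in [("both", SITE_BOTH), ("redirect", SITE_REDIRECT),
                       ("legacy-only", SITE_LEGACY_ONLY), ("loop", SITE_LOOP), ("none", {})]:
        print(name, resolve_security_txt(make_fetcher(site)))
```

Note that the example checks only the location rule; it does not parse or validate the fields of the file itself, and a real checker would fetch over HTTPS with a redirect limit exactly as the loop above bounds it.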