sesh / ready

Are you production ready?
ISC License

Test for 'security.txt' does not follow redirect? #19

Closed mejofi closed 5 months ago

mejofi commented 5 months ago

Version: 1.1.1

It looks like the 'Security.txt exists and is a text file that contains required attributes' test does not follow redirects. Like, for example, when test.example is used as the domain, and https://test.example/.well-known/security.txt redirects to https://www.test.example/.well-known/security.txt, the test fails.

Since other tests do seem to follow redirects, and the spec suggests [1] that redirects can be expected, perhaps it would be possible to follow them here as well?

Cheers!

[1] https://www.rfc-editor.org/rfc/rfc9116#name-location-of-the-securitytxt

sesh commented 5 months ago

Thanks for the report, and thanks for checking out this tool!

I've just tested this with "www.github.com" as the domain and I'm seeing what I expect here.

https://www.github.com/.well-known/security.txt redirects to https://github.com/.well-known/security.txt which has valid content. Under the hood here the HTTP library (urllib) should follow 3xx redirects automatically.

If you could, would you be able to share the output of curl -i for the security.txt file that you are expecting to redirect? Perhaps it's not a standard redirect for some reason.

```
> curl -i https://www.github.com/.well-known/security.txt
HTTP/2 301
content-length: 0
location: https://github.com/.well-known/security.txt
```

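The check discussed in this thread, written out as an added example (this is not the `ready` project's own code): fetch `/.well-known/security.txt` with `urllib`, which follows 3xx redirects by default, then validate what comes back against the RFC 9116 points that matter here. The validation is split into a pure function so it can be exercised offline; the sample file body, the `test.example` final URL and the hypothetical `security-txt-check` User-Agent are constructed for the example. One caveat the thread does not mention: because the redirect is followed silently, the final URL should be checked to confirm it is still HTTPS, and a 4xx/5xx at the end of the chain surfaces as `urllib.error.HTTPError` rather than a body.

```python
"""Fetch and validate a security.txt, following redirects (added example)."""
import urllib.request
from datetime import datetime, timezone

# RFC 9116: Contact and Expires are the two mandatory fields; names are
# case-insensitive, so everything is compared in lower case.
REQUIRED_FIELDS = ("contact", "expires")


def fetch_security_txt(domain: str, timeout: float = 10.0):
    """Return (body, content_type, final_url) for https://<domain>/.well-known/security.txt.

    urlopen() installs HTTPRedirectHandler by default, so 301/302/303/307/308
    responses are followed automatically and final_url is where the chain ended.
    """
    url = f"https://{domain}/.well-known/security.txt"
    # Hypothetical User-Agent string, chosen for the example.
    req = urllib.request.Request(url, headers={"User-Agent": "security-txt-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return body, resp.headers.get("Content-Type", ""), resp.geturl()


def parse_security_txt(body: str):
    """Parse 'Field: value' lines into {lowercased field: [values]}; comments and blanks are skipped."""
    fields = {}
    malformed = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            malformed.append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, malformed


def validate_security_txt(body: str, content_type: str, final_url: str, now=None):
    """Return (fields, problems); an empty problems list means the file passes."""
    problems = []
    # The file must be served over HTTPS even after redirects.
    if not final_url.lower().startswith("https://"):
        problems.append(f"final URL is not HTTPS: {final_url}")
    # RFC 9116 requires a text/plain media type.
    if not content_type.lower().startswith("text/plain"):
        problems.append(f"unexpected Content-Type: {content_type!r}")

    fields, malformed = parse_security_txt(body)
    for line in malformed:
        problems.append(f"malformed line: {line!r}")
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    if "expires" in fields:
        if len(fields["expires"]) > 1:
            problems.append("Expires must appear only once")
        # Expires is an RFC 3339 timestamp; a trailing 'Z' is normalised for fromisoformat().
        stamp = fields["expires"][0].replace("z", "Z").replace("Z", "+00:00")
        try:
            expires = datetime.fromisoformat(stamp)
            if expires.tzinfo is None:
                problems.append("Expires lacks a timezone offset")
            elif expires <= (now or datetime.now(timezone.utc)):
                problems.append("security.txt has expired")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {fields['expires'][0]!r}")
    return fields, problems


# Constructed sample file body (not a real site's security.txt).
SAMPLE_BODY = """# constructed sample
Contact: mailto:security@test.example
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en
"""

if __name__ == "__main__":
    fields, problems = validate_security_txt(
        SAMPLE_BODY, "text/plain; charset=utf-8",
        "https://www.test.example/.well-known/security.txt")
    print("fields:", fields)
    print("problems:", problems or "none")
```

To run it against a live domain, call `fetch_security_txt("test.example")` and pass the three returned values to `validate_security_txt`; if a redirect target responds with a non-text Content-Type or drops to plain HTTP, the problems list says so instead of the check silently passing.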
mejofi commented 5 months ago

Hmm, I'll verify with a different domain, perhaps I overlooked something somewhere.

mejofi commented 5 months ago

Closing this ticket, think it was something on our side 🤔