Closed mejofi closed 5 months ago
Thanks for the report, and thanks for checking out this tool!
I've just tested this with "www.github.com" as the domain and I'm seeing what I expect here.
https://www.github.com/.well-known/security.txt
redirects to https://github.com/.well-known/security.txt
which has valid content. Under the hood here the HTTP library (urllib) should follow 3xx redirects automatically.
If you could, would you be able to share the output of `curl -i` for the security.txt file that you are expecting to redirect? Perhaps it's not a standard redirect for some reason.
```
> curl -i https://www.github.com/.well-known/security.txt
HTTP/2 301
content-length: 0
location: https://github.com/.well-known/security.txt
```
Hmm, I'll verify with a different domain, perhaps I overlooked something somewhere.
Closing this ticket, think it was something on our side 🤔
Version: 1.1.1
It looks like the 'Security.txt exists and is a text file that contains required attributes' test does not follow redirects. For example, when `test.example` is used as the domain, and https://test.example/.well-known/security.txt redirects to https://www.test.example/.well-known/security.txt, the test fails.

Since other tests do seem to follow redirects, and the spec suggests [1] that redirects can be expected, perhaps it would be possible to follow them here as well?
Cheers!
[1] https://www.rfc-editor.org/rfc/rfc9116#name-location-of-the-securitytxt
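The maintainer's comment above relies on `urllib` following 3xx redirects on its own, and the original report concerns the "exists and is a text file that contains required attributes" check. The following is an added example, not the checker's own code: it stands up a local HTTP server that answers `/.well-known/security.txt` with a 301 to a second path (mimicking the `test.example` to `www.test.example` hop from the report), fetches the file with `urllib`, confirms the redirect was followed, and then checks the `Content-Type` plus the two fields RFC 9116 requires (`Contact`, and exactly one unexpired `Expires`). The sample security.txt body and the `security@test.example` contact address are constructed for this example.

```python
"""Added example: show urllib following a redirect to security.txt and then
validate the RFC 9116 required attributes.  A local server replaces the real
domain so that everything runs offline."""
import http.server
import threading
import urllib.request
from datetime import datetime, timezone

# Constructed sample body; the contact address is hypothetical.
SAMPLE_SECURITY_TXT = (
    "Contact: mailto:security@test.example\n"
    "Expires: 2099-12-31T23:59:00.000Z\n"
    "Preferred-Languages: en\n"
)


class Handler(http.server.BaseHTTPRequestHandler):
    """301 from /.well-known/security.txt to /www/.well-known/security.txt,
    standing in for the apex-to-www redirect described in the report."""

    def do_GET(self):
        if self.path == "/.well-known/security.txt":
            self.send_response(301)
            self.send_header("Location", "/www/.well-known/security.txt")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/www/.well-known/security.txt":
            body = SAMPLE_SECURITY_TXT.encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/plain; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # silence request logging
        pass


def start_server():
    """Bind to an ephemeral port on localhost and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_security_txt(base_url):
    """urllib's default opener follows 3xx redirects; geturl() reports where it ended up."""
    with urllib.request.urlopen(base_url + "/.well-known/security.txt", timeout=5) as resp:
        return resp.geturl(), resp.headers.get("Content-Type", ""), resp.read().decode("utf-8")


def parse_fields(body):
    """Map lower-cased field names to the list of values seen (comments and blanks skipped)."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_required(fields):
    """Return a list of problems against the RFC 9116 required fields."""
    problems = []
    if "contact" not in fields:
        problems.append("missing Contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= datetime.now(timezone.utc):
                problems.append("Expires is in the past")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    return problems


def run_check(base_url):
    """Fetch (following redirects), then validate media type and required fields."""
    final_url, ctype, body = fetch_security_txt(base_url)
    problems = check_required(parse_fields(body))
    if not ctype.lower().startswith("text/plain"):
        problems.append("Content-Type is not text/plain")
    return {"final_url": final_url, "problems": problems}


def demo():
    """Start the local server, run the check against it, and shut the server down."""
    srv = start_server()
    try:
        return run_check("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the final URL (ending in `/www/.well-known/security.txt`, proving the 301 was followed) and an empty problem list for the constructed sample; a checker that sees a 301 body instead of the file is one that built its own opener without redirect handling, which is the first thing to look for when a test like the one in the report fails.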