Anyone here actually using security.txt? Built a quick validator
Posted by HealthArmor@reddit | sysadmin | 5 comments
Hi,
I made a simple checker for security.txt files (RFC 9116).
Trying to see if this is something sysadmins actually use or care about.
Would you bother with this or ignore it?
IceCubicle99@reddit
I've only recently been implementing security.txt. Mainly because we're using Cloudflare and it was flagged as a recommendation.
I figured it couldn't hurt. I'm not sure how frequently people actually have researchers contact them based on the info.
HealthArmor@reddit (OP)
Yes, that’s exactly what I’ve been seeing as well: a lot of people only add it because Cloudflare, security scanners, or bug bounty platforms flag it.
From what I’ve noticed it’s not really about the volume of researchers reaching out, it’s more about not missing the ones who do try, especially if the file breaks or the contact info goes stale.
that’s kind of why I built this, “validate, fix and make sure it’s still working over time”
Relgisri@reddit
To validate what exactly? The actual objects being there as per spec?
Honestly I’ve seen many security.txt now and not all of them obey the spec, but I am glad they are there at least.
As there is almost 0 broad interest in this, it’s a super nice topic - I assume having to verify it is kinda not interesting. Most of the time you probably create the actual text file in the website anyway, where validation happens already.
HealthArmor@reddit (OP)
You’re right, most people don’t validate it after creating it, also I agree about obeying the specs part too.
What I kept seeing though wasn’t just spec issues but more like:
So it’s less about “is it valid once” and more like “is it still correct over time”.
That’s the part I built around, validation + monitoring + alerts.
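To make the "validate once vs. still correct over time" distinction concrete, here is an added example of a small RFC 9116 checker in Python. It is not the OP's tool and not code from the thread; the two sample files and the fixed check time are constructed for the demo. It applies the field rules from RFC 9116 (at least one Contact, exactly one Expires, Preferred-Languages at most once, web URIs must be https://, Expires must be an RFC 3339 timestamp that is not past and, per the RFC's recommendation, less than a year out) and also returns the number of days until Expires, which is the value a recurring job would alert on.

```python
"""Added example: a small RFC 9116 security.txt checker (not the OP's tool).

Besides one-off spec checks it returns how many days remain before Expires,
which is the number a periodic freshness job would alert on.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# RFC 9116 field rules (field names are case-insensitive; lowercase is used here).
REQUIRED = ("contact", "expires")                  # at least one Contact, exactly one Expires
AT_MOST_ONCE = ("expires", "preferred-languages")
URI_FIELDS = ("acknowledgments", "canonical", "contact", "encryption", "hiring", "policy")

# Fixed "now" so the demo results do not drift; a real job uses datetime.now(timezone.utc).
CHECK_TIME = datetime(2029, 6, 1, tzinfo=timezone.utc)


def strip_pgp_envelope(text):
    """If the file is PGP clearsigned, return only the signed body (the signature is not verified here)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    try:
        body_start = lines.index("", 1) + 1       # armour headers end at the first blank line
    except ValueError:
        return ""
    body_end = next((i for i, l in enumerate(lines) if l.strip() == "-----BEGIN PGP SIGNATURE-----"), len(lines))
    return "\n".join(lines[body_start:body_end])


def parse_security_txt(text):
    """Return (fields, problems); fields maps lowercase field name -> list of values in file order."""
    fields, problems = {}, []
    for lineno, raw in enumerate(strip_pgp_envelope(text).splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or " " in name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line: {line!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, problems


def parse_expires(value):
    """Parse an RFC 3339 timestamp; returns an aware datetime, or None if unparseable or missing a zone."""
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo is not None else None


def validate(text, now=CHECK_TIME):
    """Return a list of problems; an empty list means the file passes these checks."""
    fields, problems = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name}: must not appear more than once ({len(fields[name])} found)")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            scheme = urlsplit(value).scheme.lower()
            if scheme == "http":
                problems.append(f"{name}: web URIs must use https://, got {value!r}")
            elif not scheme:
                problems.append(f"{name}: value is not a URI: {value!r}")
    expires = fields.get("expires", [])
    if len(expires) == 1:                          # duplicates were already reported above
        when = parse_expires(expires[0])
        if when is None:
            problems.append(f"expires: not an RFC 3339 timestamp with timezone: {expires[0]!r}")
        elif when <= now:
            problems.append(f"expires: file expired at {expires[0]}")
        elif when - now > timedelta(days=365):
            problems.append("expires: more than a year ahead (RFC 9116 recommends less than a year)")
    return problems


def days_until_expiry(text, now=CHECK_TIME):
    """Days left before Expires, for a recurring freshness alert; None if Expires is absent or unparseable."""
    fields, _ = parse_security_txt(text)
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return None
    when = parse_expires(expires[0])
    return None if when is None else (when - now).days


# Constructed samples, not real deployments.
VALID_FILE = """\
# Constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

STALE_FILE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Encryption: http://example.com/pgp-key.txt
Preferred-Languages: en
Preferred-Languages: de
this line is not a field
"""

if __name__ == "__main__":
    for label, sample in (("valid", VALID_FILE), ("stale", STALE_FILE)):
        print(label, "days until expiry:", days_until_expiry(sample))
        for problem in validate(sample):
            print("  -", problem)
```

Run as a one-off it reports spec violations; scheduled (cron, a CI job) against the fetched `/.well-known/security.txt`, the `days_until_expiry` value is what catches the "valid once, stale later" case the thread is about, since nothing in the file changes when it quietly expires.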
Kumorigoe@reddit
Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.
Do Not Conduct Marketing Operations Within This Community.
Your content may be better suited for our companion sub-reddit: /r/SysAdminBlogs
If you wish to appeal this action please don't hesitate to message the moderation team.