A module that allows a Drupal site to serve a security.txt file and provides a friendly administration user interface.

Introduction

The Security.txt module provides an implementation of the security.txt standard, which is currently a draft RFC. Its purpose is to provide a standardized way to document your website’s security contact details and policy. This allows users and security researchers to securely disclose security vulnerabilities to you.

Installation

This module should be installed in the usual way; see installing modules.

Configuration

Once you have installed this module you will want to perform the following configuration.

Permissions

You control the permissions granted to each role at /admin/people/permissions. You will almost certainly want to give everyone the 'View security.txt' permission, i.e. give it to both the 'Anonymous User' and 'Authenticated User' roles.

You will only want to give the 'Administer security.txt' permission to very trusted roles.

Security.txt configuration

The Security.txt module configuration page can be found under 'System' on the Drupal configuration page. Fill in all the details you want to add to your security.txt file, then press the 'Save configuration' button. You should then proceed to the 'Sign' tab of the configuration form.

Security.txt signing

You can provide a digital signature for your security.txt file by following the instructions on the 'Sign' tab of the module’s configuration page.

Use

Once you have completed the configuration of the Security.txt module, your security.txt and security.txt.sig files will be available at the following standard URLs:

  • /.well-known/security.txt
  • /.well-known/security.txt.sig
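
A post-configuration check for the published file, as an added example that is not part of the module: given the status, content type and body of an anonymous request for /.well-known/security.txt, it reports why researchers might not be able to use the file. The function names, the sample body and the reading of a 403 as a missing 'View security.txt' permission are assumptions of this example.

```python
from datetime import datetime, timezone

def parse_fields(body):
    """Return (name, value) pairs, skipping blank lines and '#' comments."""
    fields = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields

def check_response(status, content_type, body, now=None):
    """Return a list of problems with an anonymous fetch of security.txt."""
    now = now or datetime.now(timezone.utc)
    if status == 403:
        # Assumption: the module answers 403 when the role lacks the permission.
        return ["403: does the anonymous role have 'View security.txt'?"]
    if status != 200:
        return [f"unexpected HTTP status {status}"]
    problems = []
    if not content_type.lower().startswith("text/plain"):
        problems.append(f"content type {content_type!r} is not text/plain")
    fields = parse_fields(body)
    if not any(name == "contact" for name, _ in fields):
        problems.append("no Contact field")
    for name, value in fields:
        if name != "expires":
            continue
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires value {value!r} is not a valid date")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"file expired on {value}")
    return problems

# Constructed sample response body, not output captured from the module.
SAMPLE_BODY = """# Constructed example
Contact: mailto:security@example.com
Expires: 2999-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for problem in check_response(200, "text/plain; charset=utf-8", SAMPLE_BODY):
        print(problem)
```

Feed it the response from a logged-out HTTP client so the result reflects what the 'Anonymous User' role actually sees.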

Backdrop Port

There is a Backdrop port of this module.
