Security.txt minimal api implementation

Easy implementation of security.txt with minimal api .net core

Learn why security.txt is a good practice to implement and how easy it can be done.

icon of user profile
By OMVP Luc Gosso

Published 20th march 2023

What is security.txt?

"Security.txt is a standard that allows website owners to define a security policy for their web application. It is a simple text file that contains information about how security issues should be reported, who to contact in the event of a vulnerability, and other relevant details.

The purpose of security.txt is to make it easy for researchers, ethical hackers, and other security professionals to report vulnerabilities and security issues to website owners. By providing a clear and concise method for reporting vulnerabilities, website owners can better protect their users and prevent security breaches.

Some of the key benefits of using security.txt include:

  1. It helps to establish clear lines of communication between website owners and security researchers. By providing a single point of contact for vulnerability reports, website owners can ensure that they receive important security information in a timely manner.

  2. It helps to improve the security of web applications by encouraging security researchers to report vulnerabilities. By making it easy for researchers to report vulnerabilities, website owners can identify and address security issues before they can be exploited by malicious actors.

  3. It demonstrates a commitment to security and transparency. By including a security.txt file on your website, you can show your users that you take security seriously and are committed to protecting their personal information.

Overall, security.txt is a simple and effective way for website owners to improve the security of their web applications and foster a culture of security and transparency."

- Chat GPT 2023

Implementation with minimal api .net core

Security.txt is supposed to be under path /.well-known/security.txt

It is acceptable to have it in the root dir but it should redirect to well-known path.

Add this into your program or startup.cs

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            var securitytxt = $"Contact: security@example.com\r\nExpires: Tue, 30 May 2038 13:19 +0200";

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(name: "Default", pattern: "{controller}/{action}/{id?}");
                endpoints.MapControllers();
                endpoints.MapContent();
                endpoints.MapGet("/.well-known/security.txt", () => securitytxt);
                endpoints.MapGet("/security.txt", () => securitytxt);
            });
        }​​

If you'd use Optimizely Content Cloud, you could easily add a property to startpage and make security.txt editorial:

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            var securitytxt = $"Contact: security@example.com\r\nExpires: Tue, 30 May 2038 13:19 +0200";

           var startpage = ServiceLocator.Current.GetInstance().Get(ContentReference.StartPage);
            if (startpage.Property.TryGetPropertyValue("SecurityText", out string txt))
            {
                securitytxt = txt;
            }

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(name: "Default", pattern: "{controller}/{action}/{id?}");
                endpoints.MapControllers();
                endpoints.MapContent();
                endpoints.MapGet("/.well-known/security.txt", () => securitytxt);
                endpoints.MapGet("/security.txt", () => securitytxt);
            });
        }​​

Content of the security.txt

Minimum example:

contact: https://www.example.com/contact/

With encryption key

contact: security@example.com
encryption: https://example.com/pgp-key.txt

Parameters

Contact can be an email or a link to a form
Encryption is public key that can be used to encrypt the report
Policy is link to your security policy and/or disclosure policy
Acknowledgment is for owners to give kudos to security reporters
Hiring is for security professional hiring openings
Signature is for path to .sig file, so you can sign the security.txt file

Who uses security.txt?

​​Many well-known companies are now using security.txt on their websites to improve their security posture and make it easier for security researchers to report vulnerabilities.

Here are a few examples:

  • Google: Google was one of the first companies to adopt security.txt, and their implementation is widely regarded as a model for other organizations to follow.

    Contact: https://g.co/vulnz
    Contact: mailto:security@google.com
    Encryption: https://services.google.com/corporate/publickey.txt
    Acknowledgements: https://bughunters.google.com/
    Policy: https://g.co/vrp
    Hiring: https://g.co/SecurityPrivacyEngJobs
  • GitHub: GitHub's security.txt file includes detailed instructions on how to report vulnerabilities in their platform, as well as a link to their bug bounty program. Mozilla: Mozilla's security.txt file provides information on their security policies and procedures, as well as a contact email for security researchers.

    Contact: https://hackerone.com/github
    Acknowledgments: https://hackerone.com/github/hacktivity
    Preferred-Languages: en
    Canonical: https://github.com/.well-known/security.txt
    Policy: https://bounty.github.com
    Hiring: https://github.com/about/careers
    Expires: 2023-04-18T19:45:23z
  • Facebook: uses security.txt to provide clear guidance on how to report security vulnerabilities in their products and services.

    Contact: https://www.facebook.com/whitehat/report/
    Acknowledgments: https://www.facebook.com/whitehat/thanks/
    Hiring: https://www.facebook.com/careers/teams/security/
    
    # Found a bug? Our bug bounty policy:
    Policy: https://www.facebook.com/whitehat/info/
    
    # What we do when we find a bug in another product:
    Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy
    
    Expires: Tue, 18 Apr 2023 12:48:46 -0700
  • Dropbox: Dropbox's security.txt file includes contact information for their security team and instructions on how to report security vulnerabilities in their platform.

    # Dropbox uses Bugcrowd for responsible disclosure.
    # Please report abusive content (including malware, spam, etc) to abuse@dropbox.com.
    Contact: https://bugcrowd.com/dropbox/
    Acknowledgements: https://bugcrowd.com/dropbox/hall-of-fame
    Policy: https://bugcrowd.com/dropbox/
    Hiring: https://www.dropbox.com/jobs/search?q=security

These are just a few examples of the many companies that have implemented security.txt on their websites. By doing so, they are demonstrating their commitment to security and making it easier for researchers to report vulnerabilities, which ultimately benefits both the companies and their users.

​​Resources

About the Author

Luc Gosso

OMVP Luc Gosso

– Independent Senior Web Developer
working with Azure, AI and Optimizely