No hint when only using legacy security.txt location
https://en.internet.nl/site/metaregistrar.com/2964873/
https://www.hostingtool.nl/server_headers/index.php?url=metaregistrar.com
Example report with ✅ security.txt and no ℹ️ informational hint about using legacy: https://internet.nl/site/legacy-sectxt.broersma.com/2965249/#siteappsecpriv
In this case there is only content on the legacy location /security.txt (https://legacy-sectxt.broersma.com/security.txt) while /.well-known/security.txt is a 404 (https://legacy-sectxt.broersma.com/.well-known/security.txt).
Related:
-
This was discussed earlier in https://github.com/internetstandards/Internet.nl/issues/1084#issuecomment-1883950208: RFC 9116 states:
3. Location of the security.txt File
For web-based services, organizations MUST place the "security.txt" file under the "/.well-known/" path, e.g., https://example.com/.well-known/security.txt as per [RFC8615] of a domain name or IP address. For legacy compatibility, a "security.txt" file might be placed at the top-level path or redirect (as per Section 6.4 of [RFC7231]) to the "security.txt" file under the "/.well-known/" path. If a "security.txt" file is present in both locations, the one in the "/.well-known/" path MUST be used.
So the legacy location MUST be ignored if it's also found in "/.well-known/", therefore I don't think we should do compares (also quite complex, the content could also be 'the same' but ordered differently). I would tend to agree a legacy location could give an ℹ️ informational.
E.g. ah.nl: Extra information of a legacy security.txt that can easily be redirected to the .well-known security.txt
https://www.hostingtool.nl/server_headers/index.php?url=ah.nl
So currently it is ✅: https://dev-docker.internet.nl/site/legacy-sectxt.broersma.com/31676/#control-panel-31
While @baknu and I noticed there is this code: https://github.com/internetstandards/Internet.nl/blob/d75c0f818afad7ae3bd3c142f27f7c4b645df218/checks/tasks/securitytxt.py#L110-L111
It is there but it is never triggered.
🎉 Fixed, see re-test. Thanks @WKobes for the late Friday patch.
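The location rule from RFC 9116 section 3 quoted in this thread, with the legacy-only informational hint that was requested, as an added example (not part of the thread and not Internet.nl's own code). The `Fetch` class, the `resolve` function and the sample responses are hypothetical and constructed for illustration; treating a legacy-only file as found with a hint is an assumption based on the discussion above.

```python
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN = "/.well-known/security.txt"
LEGACY = "/security.txt"


@dataclass
class Fetch:
    """Hypothetical stand-in for one HTTP fetch result (no network access)."""
    status: int
    body: str = ""
    final_path: Optional[str] = None  # path served after redirects, if any


def usable(f: Fetch) -> bool:
    # Treat only a 200 response with a non-empty body as a found file.
    return f.status == 200 and bool(f.body.strip())


def resolve(well_known: Fetch, legacy: Fetch) -> dict:
    """Choose which security.txt to evaluate, per RFC 9116 section 3."""
    if usable(well_known):
        # The /.well-known/ copy MUST be used; the legacy copy is ignored,
        # so no content comparison between the two is needed.
        return {"source": WELL_KNOWN, "found": True, "legacy_hint": False}
    if usable(legacy):
        # A legacy URL that redirected to /.well-known/ is not legacy-only.
        redirected = legacy.final_path == WELL_KNOWN
        return {"source": WELL_KNOWN if redirected else LEGACY,
                "found": True, "legacy_hint": not redirected}
    return {"source": None, "found": False, "legacy_hint": False}


# Constructed sample responses mirroring the cases in the thread.
SAMPLE = "Contact: mailto:security@example.com\nExpires: 2030-01-01T00:00:00Z\n"
OLD = "Contact: mailto:old@example.com\n"
LEGACY_ONLY = resolve(Fetch(404), Fetch(200, SAMPLE, LEGACY))
BOTH = resolve(Fetch(200, SAMPLE, WELL_KNOWN), Fetch(200, OLD, LEGACY))
REDIRECTED = resolve(Fetch(200, SAMPLE, WELL_KNOWN), Fetch(200, SAMPLE, WELL_KNOWN))
NEITHER = resolve(Fetch(404), Fetch(404))

if __name__ == "__main__":
    for name, r in [("legacy only", LEGACY_ONLY), ("both", BOTH),
                    ("legacy redirects", REDIRECTED), ("neither", NEITHER)]:
        print(f"{name:17} -> {r}")
```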