Easy to set up and use security.txt for Enonic XP. You should consult securitytxt.org for details on Security.txt and how to best use it on your site.
The application is available through Enonic Market.
Open the Applications section of your Enonic XP installation. Click 'Install', and locate the 'Security.txt' app in the 'Enonic Market' tab. Now click the 'Install' button.
Build this app with gradle. In the terminal, from the root of the project, enter ./gradlew build. On Windows, just enter gradlew build
in the command line from the project root. Next, move the JAR file from build/libs to your $XP_HOME/deploy directory. The Security.txt
app will now be available to add to your websites through the Content Manager app.
Edit your site settings by clicking 'edit' on the site node in Content Manager. Select 'Security.txt' in the 'Applications' search box, and click to select it. It is now added to your site.
The app offers two different options for adding security.txt to your site. Either enter your information in text area provided by the 'Textarea' option or use the input fields available through the 'Input fields' alternative. The 'Textarea' provides the possiblity to add a PGP signature to the security.txt.
For more information regarding PGP-signature see section 2.3 of [RFC 9116]
You can add any of the available entries by entering text in the available input fields or by using the textarea option.
You should consult securitytxt.org for details on Security.txt and how to use it on your site. The "Contact" and "Expires" directive is not optional.
Textarea for adding comments if needed. Use a "#" followed by the comment and start each new line with "#". The comments are placed at the top to the security.txt files.
Add one or more ways that researchers MAY use for reporting security issues. The value can be an email address, a phone number and/or a contact page with more information. The "Contact:" directive MUST always be present in a security.txt file. URIs SHOULD be loaded over HTTPS. Security email addresses SHOULD use the conventions defined in section 4 of [RFC2142], but there is no requirement for this directive to be an email address.
Documentation for the Contact directive
This directive allows you to point to an encryption key that you want security researchers to use for encrypted communication. The Securitytxt app allows you to simply paste the key into the appropriate textarea, and will serve the key at a separate URI. The key MUST be loaded over HTTPS.
When it comes to verifying the authenticity of the key, it is always the security researcher's responsibility to make sure the key being specified is indeed one they trust. Researchers MUST NOT assume that this key is used to generate the signature file.
Documentation for the Encryption directive
With the Policy directive, you can link to where your security policy and/or disclosure policy is located. This can help security researchers understand what you are looking for and how to report security vulnerabilities.
Documentation for the Policy directive
This directive allows you to link to a page where security researchers are recognized for their reports. The page SHOULD list individuals or companies that disclosed security vulnerabilities and worked with you to remediate the issue.
Documentation for the Acknowledgments directive
The "Hiring" directive is for linking to the vendor's security-related job positions.
Documentation for the Hiring directive
The "Preferred-Languages" field can be used to indicate a set of natural languages that are preferred when submitting security reports. Enter language tags, for example: "en, es, fr".
Documentation for the Preferred-Languages directive
The "Canonical" field indicates the canonical URIs where the "security.txt" file is located, which is usually something like "https://example.com/.well-known/security.txt". When checked the canonical URIs will be added to the security.txt.
Documentation for the Canonical directive
The date and time when the content of the security.txt file should be considered stale (so security researchers should then not trust it). Choose between a auto-generated dynamic date or set a date.
Documentation for the Expires directive
This app is available in English and Norwegian. Language is automatically detected by Enonic XP and applied accordingly.
Read the entire spec and more at securitytext.org
| App version | XP version |
|---|---|
| 2.x.x | 7.10.0 |
| 1.0.x | 6.7.0 |
- Added textarea option. Enables the use of PGP-signed security.txt
- Added input fields for comments, preferred language and option to display canonical URLs
- Removed external signature input field
- Update for gradle to 8.3
- Update for maven from to maven-publish
- Support for "Expires" field
- Enonic XP 7 compatibility
- Empty input fields will now no longer output "undefined".
- Fixed norwegian titles for e-mail-label in app config form.
- Initial version