Adding security.txt's to the largest websites in Sweden

Cybersecurity is a very hot topic these days. There are a lot of evil actors out there trying to break into your systems.

But there are also helpful security researchers that would report a security problem to the owner instead of exploiting it. If they only can find a way to get in touch.

Security.txt is a standard that make it easy to disclose security findings for web services. By placing a text file with the relevant contact details in a well known place on your website, it will be much easier for the good side to reach out and help you.

I have found myself on a personal (long term) mission to add security.txt files to all large Swedish websites. One site at a time.

A few years ago Hemnet was among the first in Sweden to get a security.txt.

Earlier this year we added it to the newspaper Sydsvenskan, along with some 35+ other local newspapers on the same technical platform.

And last week, inspired by their country cousins, the large Swedish newspaper Dagens Nyheter added a security.txt. Another step in the right direction.

I wonder which site will be next.

Additionally...

You might say that a text file doesn’t really improve security, and I agree in part.

But I also think that the real value is that adding a security.txt forces an organization to think through how security disclosures should be handled. And that can improve security.

A security.txt file must be placed in the /.well-known directory of a website and served using https.

Here are some examples:

If you want to know more about security.txt, both the background and the latest specification as well as a tool to generate your own file, you find everything at securitytxt.org.

The specification is also published as RFC 9116 since April 2022.

This text was originally posted on LinkedIn.