Add security.txt file #1589
Conversation
security.txt (https://securitytxt.org/) files are becoming an accepted industry standard and it would be beneficial to adopt this standard for the Node.js Web site as well. This addition to the Web site has already been endorsed by the Security WG: nodejs/security-wg#143
server.js
@@ -89,6 +96,7 @@ statics.on('add', (filePath) => { | |||
|
|||
// Initializes the server and mounts it in the generated build directory. | |||
http.createServer((req, res) => { | |||
if (wellknown(req, res)) return |
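Review bot: `wellknown(req, res)` is called at the very top of the request handler, but neither its definition nor its import is visible in this hunk's context; because the handler returns as soon as the helper reports true, the helper must have fully ended the response for the matched path itself, otherwise the request is left hanging. As this `http.createServer` instance only serves the generated build directory in development, the same `/security.txt` and `/.well-known/security.txt` handling has to be mirrored in the production NGINX config or the two environments will diverge.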
This server is only used for development so I'm not sure if it's worth adding. In production the site is served by NGINX.
Then in production it would be good to add a /security.txt -> /.well-known/security.txt redirect, as recommended by the spec and employed by a couple of bigger sites on the Web.
Yes, it should be added here: https://github.com/nodejs/build/blob/master/setup/www/resources/config/nodejs.org
@lpinca security.txt should be in the repo; the file would be served in production like our static files. We just need to add

```nginx
location /security.txt {
  alias /home/www/nodejs/.well-known/security.txt;
  default_type text/plain;
}
```

in the nginx config.
Yes, exactly, that's what I was suggesting.
Wouldn't mind it at all. Keeps things simple. 👍
OK, so the bottom line is to put security.txt into the static folder, handle /security.txt and /.well-known/security.txt in the NGINX config, and get rid of everything else in server.js and build.js?
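For reference, the development-server counterpart of the NGINX handling agreed on in this thread, as an added example that is not part of the PR or the nodejs.org code base: a handler that serves the file at /.well-known/security.txt, 301-redirects the legacy /security.txt to it as the spec recommends, and checks the file for the fields RFC 9116 (the published securitytxt.org spec) makes mandatory before it is exposed. The file text is assumed to be loaded once at startup and passed in; the sample content is constructed.

```javascript
// Added example, not the PR's code. Mirrors the production NGINX handling in the
// dev server: /.well-known/security.txt is canonical, legacy /security.txt redirects
// to it. File text is passed in (assumed loaded once at startup); field checks follow RFC 9116.
const WELL_KNOWN = '/.well-known/security.txt';
const LEGACY = '/security.txt';

// Constructed sample of what static/.well-known/security.txt could contain.
const SAMPLE_SECURITY_TXT = '# Constructed example, not the real nodejs.org file\n' +
  'Contact: mailto:security@example.invalid\nExpires: 2099-12-31T23:59:00.000Z\n';

// Returns a list of problems; an empty list means the file is fit to publish.
function validateSecurityTxt(text) {
  const problems = [];
  const fields = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^([A-Za-z-]+):\s*(\S.*)$/.exec(line);
    if (!m) { problems.push(`malformed line: ${line}`); continue; }
    const key = m[1].toLowerCase();
    fields.set(key, (fields.get(key) || []).concat(m[2]));
  }
  if (!fields.has('contact')) problems.push('missing Contact field');
  for (const c of fields.get('contact') || []) {
    // Contact values must be URIs; plain http: is not allowed by the RFC.
    if (!/^[a-z][a-z0-9+.-]*:/i.test(c) || /^http:/i.test(c)) problems.push(`bad Contact URI: ${c}`);
  }
  const expires = fields.get('expires') || [];
  if (expires.length !== 1) problems.push('exactly one Expires field is required');
  else if (!(new Date(expires[0]) > new Date())) problems.push('Expires is invalid or in the past');
  return problems;
}

// Returns true when the request was handled, so callers can do
// `if (handler(req, res)) return` ahead of the static file handler.
function serveSecurityTxt(text) {
  return (req, res) => {
    const { pathname } = new URL(req.url, 'http://localhost');
    if (pathname === LEGACY) {
      res.writeHead(301, { Location: WELL_KNOWN });
      res.end();
      return true;
    }
    if (pathname !== WELL_KNOWN) return false;
    res.writeHead(200, { 'Content-Type': 'text/plain; charset=utf-8' });
    res.end(text);
    return true;
  };
}
```

Run `validateSecurityTxt` on the real file in the build step so a missing Contact or an expired Expires fails the build instead of reaching production.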
That works for me.
Thanks for all the feedback, I will make a change and submit a second PR against nodejs/build.
NGINX configuration in the nodejs/build repo will be updated to serve this file on URLs recommended in the specification.
I left the bare All feedback appreciated!
Thank you!
My pleasure!