Cloudflare has added a new configuration wizard to its dashboard that allows users to quickly set up a security.txt file. This file format was proposed as a standard for aiding in security vulnerability disclosure. It defines a machine-parsable format where organizations can identify the proper reporting channels and define their security policies.
The setup wizard can be found under Security > Settings. It’s disabled by default.
Once enabled, Cloudflare users can use the form to create and manage a security.txt. It includes all the standard fields outlined in the security.txt specification, including contact information, encryption, policy, hiring, etc. It is saved by default to /.well-known/, which is the specified path for web-based services.
In 2020, Cloudflare launched support for the security.txt initiative through Workers, linking to their account on HackerOne for security reporting. They included a technical tutorial for deploying and updating the security.txt file through a non-trivial process but also open sourced the Worker itself for anyone who wanted to deploy this service onto their Cloudflare zone.
Prior to this new setup wizard, manual creation and configuration through a Worker was the most common way to set up the file.
This user-friendly implementation may help with adoption of security.txt, as Cloudflare sits in front of roughly 20% of the web. This file format has already been implemented by Google, Facebook, GitHub, the UK government, and many other organizations. The new setup wizard is available on Cloudflare’s free plan, which may also help increase adoption of the initiative.
How to Set Up security.txt Without Attracting Spam Bots
As security.txt is designed to be a machine-parsable file, it has naturally already attracted spam bots.
Cloudflare’s new setting for enabling security.txt was first spotted in the wild by Troy Hunt, who tweeted about it. In response, several commenters noted that their own usage of security.txt has unfortunately come with spam bots sending template messages for bounties.
Similarly, others discussing the new feature on Mastodon said they have so far only had spam interactions after deploying a security.txt file.
Although the Contact field is required, the FAQs for security.txt state that the email value is optional. Those who don’t want to expose their email address to spam bots can elect to use a different contact method.
Cloudflare’s docs for the feature specify three different options:
(Required) Contact: You can enter one of the following to contact you about security issues:
- An email address: The email address must start with mailto:.
- A phone number: The phone number must start with tel:.
- A URL link: The URL link must start with https://.
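The following is an added example, not Cloudflare's code, that checks a security.txt body against the three Contact forms listed above and reports which contacts publish a mailbox that spam bots can harvest; the field list comes from RFC 9116 and the sample file is constructed.

```python
# Added example (not Cloudflare's code): validate the Contact lines of a
# security.txt body and report which contacts publish a mailbox.

# RFC 9116 field names; the article names Contact, Encryption, Policy, Hiring.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
CONTACT_PREFIXES = ("mailto:", "tel:", "https://")  # the forms in Cloudflare's docs

def parse_security_txt(text):
    """Return (field, value) pairs; field names compare case-insensitively."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        field, sep, value = line.partition(":")
        if sep:
            pairs.append((field.strip().lower(), value.strip()))
    return pairs

def check_contact(value):
    """Return an error string for a Contact value, or None if acceptable."""
    if not value.startswith(CONTACT_PREFIXES):
        return f"Contact must start with mailto:, tel: or https:// : {value!r}"
    if value.startswith("mailto:") and "@" not in value[len("mailto:"):]:
        return f"mailto: contact is not an email address: {value!r}"
    return None

def validate(text):
    """Validate a security.txt body: errors plus contacts that expose a mailbox."""
    pairs = parse_security_txt(text)
    errors, email_contacts = [], []
    contacts = [v for f, v in pairs if f == "contact"]
    if not contacts:
        errors.append("missing required Contact field")
    for value in contacts:
        err = check_contact(value)
        if err:
            errors.append(err)
        elif value.startswith("mailto:"):
            email_contacts.append(value)  # address is harvestable by spam bots
    errors += [f"unknown field: {f}" for f, _ in pairs if f not in KNOWN_FIELDS]
    return {"errors": errors, "email_contacts": email_contacts}

# Constructed sample (served from /.well-known/); the URL contact avoids a public mailbox.
SAMPLE = """Contact: https://example.com/security/report
Contact: mailto:security@example.com
Expires: 2026-01-01T00:00:00.000Z
"""
```

Running `validate(SAMPLE)` returns no errors but lists the mailto: contact, which is the line to drop if spam is a concern.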
The dashboard setting for this appears to have been soft launched but has not yet been officially announced. Cloudflare plans to publish more details about the new security.txt setup wizard soon.