Drupal Security.txt File

Drupal Security.txt - Standardized Vulnerability Disclosure

Have you ever considered creating a Drupal security.txt file? The security.txt file is a standardized format meant to create a uniform approach for security vulnerability disclosure. The formatted text will generally include:

  • One or more contact methods to reach your security analysts directly
  • Date which the security.txt file should be considered expired
  • Public encryption key for secure communication
  • Direct links to your security policy and related security pages

https://securitytxt.org walks you through building a full security.txt file. However, the Security.txt Drupal module is the best option if you can’t or don’t want site administrators to access raw server files.

Configure the Drupal Security.txt Module

  1. Visit https://www.drupal.org/project/securitytxt.
  2. Log into Drupal and install the security module using the tar download link for your Drupal version.
  3. Click “Enable newly added modules.”
  4. Under “Security,” check the box for “Security.txt.”
  5. At the bottom, select “Install.”
  6. From the main navigation menu, select “People.”
  7. Select the “Permissions” tab.
  8. Give “View security.txt” permissions to anonymous and authenticated users.
    [Screenshot: Security.txt Drupal module permissions]
  9. At the bottom, select “Save permissions.”
  10. Select “Configuration” from the navigation bar.
  11. Under “System,” select “Security.txt.”
  12. At the top, select “Enable the security.txt file for your site.”
    [Screenshot: Security.txt Drupal module settings]
  13. You can add up to three contact methods. The first is an email address. Be cautious as this email address can easily be seen by anyone, including cyber attackers. If you add an email address, consider using one dedicated to receiving security reports (e.g. [email protected]) with a strong spam filter.
  14. You can add a phone number. Remember, this data can easily be parsed. Consider using a proxy service such as Google Voice or Signal (and ensure it doesn’t reveal your real number).
  15. The third and simplest option is to add a contact form URL. The contact form should have a CAPTCHA and input validation/sanitization to mitigate spam and malware.
  16. You can add your public key URL if you’ve created a GPG Key for integrity.
  17. If you have a page explaining your security policy, add the security policy URL.
  18. If you want to show thanks and offer backlinks for people who’ve helped you resolve security issues, create a page listing them and add it here as the acknowledgements page URL.
  19. At the bottom, select “Save configuration.”

You can view the Drupal security.txt file at yourdomain.com/.well-known/security.txt. Your signature URL will be /.well-known/security.txt.sig.
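Once the file is live, it is worth checking that what the module serves is actually usable by a reporter. The following added example (not part of this article or of the Drupal module) parses a constructed security.txt and flags the problems listed above: a missing Contact, a Contact that is not mailto/tel/https, and an Expires date that is missing, duplicated or already in the past. Field names follow securitytxt.org / RFC 9116; all sample values are made up.

```python
from datetime import datetime, timezone
# Constructed sample of what the module serves at /.well-known/security.txt
# (field names per securitytxt.org / RFC 9116; all values are made up).
SAMPLE = """\
# Security contact information
Contact: mailto:security@example.com
Contact: https://example.com/contact
Expires: 2026-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Acknowledgments: https://example.com/hall-of-fame
"""
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

def _parse_ts(value):
    """Parse an RFC 3339 timestamp; treat a missing zone as UTC."""
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def parse_security_txt(text):
    """Return {field: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().replace("-", "").isalnum():  # "Field-Name: value"
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now_iso=None):
    """Return problems a defender should fix; an empty list means the file is OK."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    f = parse_security_txt(text)
    contacts = f.get("Contact", [])
    problems = ["missing Contact"] if not contacts else []
    problems += [f"Contact scheme not allowed: {c}" for c in contacts
                 if not c.startswith(ALLOWED_CONTACT_SCHEMES)]
    expires = f.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if _parse_ts(expires[0]) <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"unparseable Expires: {expires[0]}")
    return problems
```

Point `check_security_txt` at the text fetched from your own /.well-known/security.txt and schedule it, so an expired file is noticed before a reporter gives up on it.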


Jacqueem, Content Writer I

Technical writer focused on cybersecurity and musicianship.