How to Configure Security.txt in Magento 2?

If you treat your website security as a top priority, then you'll be able to run your business seamlessly and provide a flawless customer experience. As a store owner, you know that there are lots of files and clients' data that have to be kept safe. 

Fortunately, Magento 2 provides you with a lot of features to improve general security and avoid any kinds of violations. But, unfortunately, those are not always enough. And that's when you need the security.txt to streamline vulnerability reporting.

If you don't know what security.txt is, don't worry. We've got you covered.

In this article, we'll explain everything you need to know about security.txt and how you can configure it in Magento. 

What is Security.txt?

Security.txt is a security tool that allows gathering data about security contacts and policies of your website in one file. It is used by researchers who need to contact you to report security vulnerabilities. 

Security.txt gives quick access to important files and contacts of people responsible for the security of your store. So, it serves as a great way to adjust communication channels without any information being lost. 

This mechanism is already employed by large companies like Amazon, Google, Facebook, and also the UK government's Ministry of justice. 

So, if you don't use it already, you have to configure security.txt in your Magento 2 store as well. Just follow the steps below. 

How to Configure Security.txt in Magento 2?

1. Go to Stores > Settings > Configuration > Catalog > Secutity.txt.

2. Expand the General section and Enable it. It will create the security.txt file with all the required info you fill in in the next two sections.  

Enable Security.txt in Magento 2

3. Move to the Contact Information and complete the following fields:

  • Email to which the reports on security should be sent to.
  • Phone that can be used to share info about safety weaknesses.
  • Contact Page, where you have to add a link either to your website page with the security contacts or to your Contact Us page. 

How to Set Up Security.txt in Magento 2?

4. Fill in the Other Information, to provide more details:

  • Encryption — a link that leads to the encryption key, however, the encryption key itself shouldn't be written here. 
  • Acknowledgments — a URL to your website page, where researchers are acknowledged and praised for their contribution.

Note: it is recommended not to dive deep into the details about the security issues in the acknowledgments, just short general info will be enough. 

  • Preferred Languages — specify the languages you want security reports to be performed in. You have to use two character language symbols separated with commas. 
  • Hiring — a link to your website page that lists security-related positions.
  • Policy — a URL that leads to the page with the security policies of your store. 
  • Signature — a link to the file which contains your digital signature.

Security.txt Configuration

If you want to create the signature file, then you have to use the command line:

gpg -u KEYID --output security.txt.sig --armor --detach-sig security.txt

The signature file has to be saved on the server in the .well-known folder. 

5. Don't forget to press the Save Config button. 

And that's all you have to do to configure security.txt in Magento 2. You have to take just a few steps to create a file with all the security-related info needed for the researchers to report the security vulnerabilities of your store.

Be sure that thanks to this reporting channel no safety issues will be left unreported.

However, it doesn't mean you have to rely on that reporting only. Check out the best Magento admin security practices to avoid any vulnerabilities from appearing in the first place.