Security.txt and other files

Validating when a webmaster has added security.txt or other files to the system.

This should be added to the admin section, optionally using occ.

Can you elaborate on your post?

I had added a .well-known directory and files like security.txt, but the system (Nextcloud) gives error reports that the files are corrupt. Some kind of checksum.

So you need to get them validated somehow, so that the files stay when updating.

Thus need some tool to do so.

Understand the issue now.
Nextcloud has an integrity check that checks if there are files in the installation directory that are not from Nextcloud.
This is a security feature.

If extra files are needed, then you can install Nextcloud in a subdirectory of the web server and not put the extra files there. This is an idea.

The question is:

How to add a security.txt file to Nextcloud without errors?

Via web server configuration. Example for nginx:

# Serve /.well-known/security.txt from a file kept outside the Nextcloud
# directory, so the integrity check never sees it. The dot in ".well-known"
# is escaped so the regex matches only that literal path.
location ~ ^/\.well-known/security\.txt$ {
  alias /path/to/your/security.txt/outside/of/your/nextcloud/path.txt;
}

Same works for Apache, but there the syntax is different.


Nice try, but that doesn’t work. 403 error.

I noticed that in the .htaccess file there are some directives on the .well-known dir.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
RewriteRule ^ocm-provider/?$ index.php [QSA,L]
RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]

Nothing about a security.txt file.

Entering:
https://cloud.robkalmeijer.nl/.well-known/security.txt

Gives:

Contact: HackerOne
Expires: 2025-02-28T23:00:00.000Z
Acknowledgments: HackerOne
Acknowledgments: Security Advisories · nextcloud/security-advisories · GitHub
Policy: HackerOne
Preferred-Languages: en

https://en.internet.nl/ gives error for security.txt:

Verdict:

Your web server offers a security.txt file in the right location and its content is syntactically valid. However, there are one or more recommendations for improvement.

Technical details:

Web server IP address: 86.90.148.127
Findings: security.txt retrieved from cloud.robkalmeijer.nl.
Recommendation: security.txt should be digitally signed.

Is this for real?

Rob.
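The kind of check internet.nl runs above can be reproduced locally. The script below is an added example for this thread; it is not the poster's file, not Nextcloud's code and not internet.nl's checker. It parses a security.txt body, applies the structural rules of RFC 9116 (at least one Contact, exactly one Expires, Expires in the future and not more than a year away, URI-valued fields carrying real URIs) and reports whether the file is wrapped in a PGP cleartext signature, which is the recommendation in the verdict above. It only detects the signature wrapper; verifying the signature itself needs gpg and the signer's public key. The two inputs at the bottom are constructed samples, and the hackerone.com URLs in them are placeholders, not the addresses from the real file.

```python
"""Minimal RFC 9116 security.txt checker (added example, not project code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# RFC 9116 fields whose values must be URIs (field names are case-insensitive).
URI_FIELDS = {"contact", "acknowledgments", "canonical", "encryption", "hiring", "policy"}
SIG_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_START = "-----BEGIN PGP SIGNATURE-----"


def parse_security_txt(body: str):
    """Return (fields, signed): fields as (name, value) pairs in file order.

    For a cleartext-signed file only the text between the armor header and
    the signature block is parsed, with RFC 4880 dash-escaping ("- ") removed.
    """
    lines = body.splitlines()
    signed = bool(lines) and lines[0].strip() == SIG_BEGIN
    if signed:
        try:
            start = lines.index("", 1) + 1          # blank line ends the armor headers
        except ValueError:
            start = len(lines)
        end = next((i for i, l in enumerate(lines) if l.strip() == SIG_START), len(lines))
        lines = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if sep:                                      # anything without a colon is not a field
            fields.append((name.strip(), value.strip()))
    return fields, signed


def check_security_txt(body: str, now=None):
    """Return findings prefixed 'error:', 'warning:' or 'recommendation:'.
    An empty list means the file passes every check implemented here."""
    now = now or datetime.now(timezone.utc)
    fields, signed = parse_security_txt(body)
    findings = []
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name.lower(), []).append(value)

    if "contact" not in by_name:
        findings.append("error: at least one Contact field is required")
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        findings.append("error: exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                findings.append("error: Expires must carry a time zone")
            elif exp <= now:
                findings.append("error: Expires is in the past")
            elif exp > now + timedelta(days=365):
                findings.append("warning: Expires is more than a year away")
        except ValueError:
            findings.append(f"error: Expires is not an ISO 8601 date-time: {expires[0]!r}")
    for name, value in fields:
        if name.lower() in URI_FIELDS and not urlparse(value).scheme:
            findings.append(f"error: {name} value is not a URI: {value!r}")
    if not signed:
        findings.append("recommendation: file is not PGP cleartext-signed")
    return findings


# Constructed samples (not the file served by cloud.robkalmeijer.nl); the
# URLs are placeholders. Fixed clocks keep the results reproducible.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2025, 3, 1, tzinfo=timezone.utc)
UNSIGNED = """\
Contact: HackerOne
Expires: 2025-02-28T23:00:00.000Z
Policy: https://hackerone.com/example
"""
SIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: https://hackerone.com/example
Expires: 2025-02-28T23:00:00.000Z
Preferred-Languages: en
-----BEGIN PGP SIGNATURE-----
(signature bytes omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for label, text in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, check_security_txt(text, FIXED_NOW) or ["ok"])
```

Run it against the body you fetch from `/.well-known/security.txt` (for example via `curl -s`) and pass the text to `check_security_txt`. A bare name such as "HackerOne" in a Contact field is reported as an error because RFC 9116 requires a URI there (`https://...` or `mailto:...`); the forum rendering above shows link text, not what the server actually sends, so check the raw response rather than a copy from a browser.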