背景与价值security.txt为外部研究人员提供标准化联系方式与政策声明,便于快速报告与协作。统一规范必备字段:`Contact`、`Expires`、`Policy`、`Acknowledgments`(可选)。路径:`/.well-known/security.txt`。格式:RFC规范要求每行一个字段与URL或邮箱。核心实现生成与校验(示意)type SecTxt = { contact: string[]; expires: string; policy?: string; acknowledgments?: string }
function validUrl(s: string): boolean { try { const u = new URL(s); return u.protocol === 'https:' } catch { return false } }
function validEmail(s: string): boolean { return /^[^\s@]+@[^\s@]+\.[^\s]+$/.test(s) }
function render(t: SecTxt): string {
const lines: string[] = []
for (const c of t.contact) lines.push('Contact: ' + c)
lines.push('Expires: ' + t.expires)
if (t.policy) lines.push('Policy: ' + t.policy)
if (t.acknowledgments) lines.push('Acknowledgments: ' + t.acknowledgments)
return lines.join('\n')
}
function valid(t: SecTxt): boolean {
if (!t.expires) return false
if (t.contact.length === 0) return false
for (const c of t.contact) if (!(validUrl(c) || validEmail(c))) return false
if (t.policy && !validUrl(t.policy)) return false
if (t.acknowledgments && !validUrl(t.acknowledgments)) return false
return true
}
落地建议在主域与相关子域发布security.txt并保持字段有效与定期更新。验证清单Contact/Expires/Policy是否齐备且格式有效;路径与可访问性是否正确。
发表评论 取消回复