security.txt is a widely spread standard of reporting security vulnerabilities to the service owners. The main goal of security.txt is to help both your clients and security researchers easily get in touch with you when they find a vulnerability in a Plesk domain.

Starting from version 18.0.62, Plesk Obsidian is fully compatible with the standard:

  • The security.txt file is generated for all domains hosted on a Plesk server.
  • Plesk will continuously maintain the security.txt file once it is created and the feature is enabled.
  • Plesk takes into account the custom security.txt file of a domain and never applies the security policies from the server file to the domain.
  • Plesk automatically updates the expiration date of the file.

To make your Plesk server security.txt compliant:

  1. Log in to Plesk.

  2. Install the “Native security.txt compliance” extension.

  3. Once the extension is installed, click Open.

  4. Select the “Enable compliance with the “security.txt” standard in Plesk” checkbox.

    image security txt extension

  5. (Optional) To modify the default security.txt file generated by Plesk, select the “Use the custom security.txt text” checkbox, and then specify what needs to be changed in the “Security.txt text” field that becomes available. You can also change the file from the command line.

  6. Save your changes by clicking:

  • Save to save the configuration and apply the changes manually later. For example, you may do it to give your clients extra time to reconfigure their domains in accordance with the changes to avoid possible issues. You can reconfigure the server manually by running the plesk repair web CLI command.
  • Save and Reconfigure if you want to apply the changes and reconfigure the Plesk server right now.

Now your Plesk server is security.txt-compliant.

Using the Command Line Utility

You can use the plesk ext security-txt-plesk command line utility to update your security.txt configuration. The utility accepts the following commands:

  • --help - This prints all available security-txt-plesk commands.

  • --status - This shows whether the Plesk server uses the security.txt policies. If you have enabled the default security.txt policy, this will return value: on. If you have enabled a custom security.txt policy or used a custom file path, this will return value: custom.

  • --enable - This sets all domains on your Plesk server to use the default security.txt policies. It will disable any custom file paths and the “Use the custom security.txt text” option in the extension menu.

  • --disable - This sets all domains on your Plesk server to ignore all security.txt policies.

  • -path - This sets a new file path for the security.txt file. To set a new path for a security.txt file, you must first have a security.txt file in the new file location.
    Note:

    For this command to work, you must first enable the “Use the custom security.txt text” option in the “Native security.txt compliance” extension menu. Then, you must include the --reconfigure-all command. For example, to use a custom security directory for your security.txt file, create the new file and directory, then use the following command: plesk ext security-txt-plesk -path /security/security.txt --reconfigure-all.

  • --reconfigure-all - This updates all domains on the Plesk server to use the new security.txt configuration.