Can I add a "/.well-known/security.txt" to my Shopify store?

Winbox
Excursionist
28 6 8

Hi all,

Is there any way I can add my own /.well-known/security.txt into my Shopify store? It is an industry standard and I need a way to implement this.

Examples:

The resulting URL would be something like: https://my-store.myshopify.com/.well-known/security.txt 
Or with a domain: https://my-store.com/.well-known/security.txt

If anyone has any advice on this, that would be most appreciated.

Thank you!

Replies 8 (8)

ScottStevens_GM
Tourist
11 0 6

Hi,

 

We've come across the need to do this. Did you find a solution?

 

Many thanks,
Scott

Winbox
Excursionist
28 6 8

Unfortunately, I have not found a solution. I figured it is something that only the Shopify developers can implement this for all stores.

diego_ezfy
Shopify Partner
2935 562 883

@Winbox 

Firstly, please allow me to kindly correct your statement.
It's not an industry standard, at least not yet.

It's still an internet-draft. In other words, it's currently being taken under consideration whether it should be something to be widely implemented (and subsequently perhaps considered as a good practice/standard in web development) or not.

It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."


Reference for the security.txt informational document itemizing its objective plus the above cited paragraph can be found here.

Secondly, security.txt is not useful for an e-commerce platform like Shopify.

In general it is (would be) useful only for websites built from the ground up hosting their own servers and potentially doing bug bounty programs, which is essentially when a website offers a financial compensation for hackers who can find and report security breaches on their websites. As you have shared yourself, you can see that most big companies do make use of it since the vast majority run bug bounties.

Anyhow, when a security flaw is found within the Shopify ecosystem they wouldn't want to report it to one of its clients, and yes to Shopify itself.
This reinforces the lack of necessity of adding a security.txt file to their clients' stores.

Therefore, in conclusion, I don't think you'd need a security.txt in your Shopify website. Plus, answering to your original question, I don't think it's possible either.

If I'm lacking any information or have shared something that is not congruent please do let me know and correct me.

Kind regards,
Diego

◦ Follow my blog & youtube for coding tutorials. Most questions in here are already answered there!
◦ Top #4 Shopify Expert, 24h reply. Click here to hire me.
Download copy/paste code snippets that can replace most apps.

PixelDevelopers
Visitor
1 0 0

I think your missing the point. This site location IS a very well recognised area and is used for all sorts of information and meta data. It is common for this area to be used on a website, as you say, it is more common for this to be used for sites built for the ground up.

However, some third party companies use this area for meta data and other validation checks. For example, Apple Pay requires to store a file in this area. I have found the need to upload a file here in Shopify to allow these types of payments to be used. So your argument is slightly flawed or outdated. I agree in Shopify it wouldn't be considered an important part, as apps wouldn't need this as they work in a different way.

"These “well-known locations”, “/.well-known/”. The directory location /.well-known isn’t a coincidence, it’s the result of a carefully considered RFC. This directory can be used for all kinds of information discovery."

Shopify is very restricted and lacks so many things a developer that works outside of Shopify would need, such as directory management, a typical developer would want to develop a website and manage secure integrations in the back end aswell. 

diego_ezfy
Shopify Partner
2935 562 883

@PixelDevelopers 

Apple Pay requires to store a file in this area

Interesting, I was not aware of it. Can you please forward me to the official reference where they state this? And why do they need to store a file in this area? What do they store in it? What's the purpose of it? 

I have found the need to upload a file here in Shopify to allow these types of payments to be used.

Which file did you need to upload? Apple pay is built in Shopify by default. What was the purpose of the file(s) that you uploaded or had to upload?

So your argument is slightly flawed or outdated.

Why exactly? My argument is founded upon their latest official publicly available document, which expires on 24 February 2021. Where can I find a most updated and reliable source?

"These “well-known locations”, “/.well-known/”. The directory location /.well-known isn’t a coincidence, it’s the result of a carefully considered RFC. This directory can be used for all kinds of information discovery."


You are quoting a blog post, not an official source.
I can't take that as an ultimate truth.

In addition, this source was last updated in March 2016, and the github  Mattias Geniar mentions in his blog post is deprecated, which means it is outdated and shall not be taken into consideration.

a typical developer would want to develop a website and manage secure integrations in the back end aswell. 

No, I disagree.

Being a billion dollar business Shopify most definitely has got security covered, maintained and constantly updated.

Opening the possibility to customize the back-end would add an unnecessary layer of complexity & high potential security breaches, since developers are humans as well and are prone to mistake. That is beyond the scope of what Shopify offers: an easy to use, "batteries included" online shop to sell your products. Simple as that.

More complex alternatives should be built from scratch or on other platforms that provide greater flexibility.

Kind regards,
Diego

◦ Follow my blog & youtube for coding tutorials. Most questions in here are already answered there!
◦ Top #4 Shopify Expert, 24h reply. Click here to hire me.
Download copy/paste code snippets that can replace most apps.

jason-martin
Shopify Partner
4 0 1

 

In response to these questions:

Apple Pay requires to store a file in this area

Interesting, I was not aware of it. Can you please forward me to the official reference where they state this? And why do they need to store a file in this area? What do they store in it? What's the purpose of it? 

I have found the need to upload a file here in Shopify to allow these types of payments to be used.

Which file did you need to upload? Apple pay is built in Shopify by default. What was the purpose of the file(s) that you uploaded or had to upload?

My Response

We are also looking at a way to create a .well-known folder on Shopify specifically for Apple Pay outside of the Shopify Payments ego system.

This works if we direct the customer off of our Shopify CName for our store, but that scares customers, so we've been trying to implement via the Shopify Proxy, which mostly works, but fails the Apple Pay authentication because the domain name is not registered with them.

One of the steps required by Apple is to temporarily place their apple-developer-merchantid-domain-association.txt in a /.well-known folder so that they can verify you own the domain. Once they verify the file is no longer needed, they don't store anything and they don't do anything with this file after verification and it could be safely deleted afterwards.

I reached out to Apple today to see if they have any alternatives to the well-known file, like a DNS text record, which personally I think would be a better solutions; however, from the screenshot below as of today, the .well-known is the only option they currently give.

jason-martin_0-1621013133699.png

 

Since this file is only needed to verify, one option is to change your DNS to point to a server you own with the .well-known file loaded there, verify the domain with Apple and then change the record back to the Shopify CName; however, this does take your store off-line while you are performing this task.

...but it would be nice, since I've seen other people require this for domain validation if Shopify included it as one of the theme folders, like Assets and so on.

mindzzle
New Member
4 0 0

Stuck with the same problem. Apple Pay asked me to upload the file to "/.well-known".... How do i solve this?

friendscottn
Shopify Partner
11 2 5

I hope Shopify will add support for adding things to the .well-known directory. I've seen this requirement all over the place.

In the mean time I do have one idea people could try.

 

A 301 redirect might work depending on whether the service accessing the file follows redirects.

1. First upload your verification file to shopify's files and copy the URL.

 

2. Setup a redirect in Shopify from wherever you need:

/.well-known/amphtml/apikey.pub (in my case)

 

to the file URL you uploaded

https://cdn.shopify.com/s/files/1/1234/1234/1234/files/apikey.pub.txt?v=1704500672

 

Save the redirect and give it a shot. Good luck!