Hi all,
Is there any way I can add my own /.well-known/security.txt into my Shopify store? It is an industry standard and I need a way to implement this.
Examples:
The resulting URL would be something like: https://my-store.myshopify.com/.well-known/security.txt
Or with a domain: https://my-store.com/.well-known/security.txt
If anyone has any advice on this, that would be most appreciated.
Thank you!
Hi,
We've come across the need to do this. Did you find a solution?
Many thanks,
Scott
Unfortunately, I have not found a solution. I figured it is something that only the Shopify developers can implement for all stores.
@Winbox
Firstly, please allow me to kindly correct your statement.
It's not an industry standard, at least not yet.
It's still an internet-draft. In other words, it's currently being taken under consideration whether it should be something to be widely implemented (and subsequently perhaps considered as a good practice/standard in web development) or not.
It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
Reference for the security.txt informational document itemizing its objective plus the above cited paragraph can be found here.
Secondly, security.txt is not useful for an e-commerce platform like Shopify.
In general it is (would be) useful only for websites built from the ground up hosting their own servers and potentially doing bug bounty programs, which is essentially when a website offers a financial compensation for hackers who can find and report security breaches on their websites. As you have shared yourself, you can see that most big companies do make use of it since the vast majority run bug bounties.
Anyhow, when a security flaw is found within the Shopify ecosystem they wouldn't want to report it to one of its clients, but to Shopify itself.
This reinforces the lack of necessity of adding a security.txt file to their clients' stores.
Therefore, in conclusion, I don't think you'd need a security.txt in your Shopify website. Plus, answering to your original question, I don't think it's possible either.
If I'm lacking any information or have shared something that is not congruent please do let me know and correct me.
Kind regards,
Diego
I think you're missing the point. This site location IS a very well recognised area and is used for all sorts of information and meta data. It is common for this area to be used on a website; as you say, it is more common for this to be used for sites built from the ground up.
However, some third party companies use this area for meta data and other validation checks. For example, Apple Pay requires you to store a file in this area. I have found the need to upload a file here in Shopify to allow these types of payments to be used. So your argument is slightly flawed or outdated. I agree in Shopify it wouldn't be considered an important part, as apps wouldn't need this as they work in a different way.
"These “well-known locations”, “/.well-known/”. The directory location /.well-known isn’t a coincidence, it’s the result of a carefully considered RFC. This directory can be used for all kinds of information discovery."
Shopify is very restricted and lacks so many things a developer that works outside of Shopify would need, such as directory management; a typical developer would want to develop a website and manage secure integrations in the back end as well.
Apple Pay requires to store a file in this area
Interesting, I was not aware of it. Can you please forward me to the official reference where they state this? And why do they need to store a file in this area? What do they store in it? What's the purpose of it?
I have found the need to upload a file here in Shopify to allow these types of payments to be used.
Which file did you need to upload? Apple pay is built in Shopify by default. What was the purpose of the file(s) that you uploaded or had to upload?
So your argument is slightly flawed or outdated.
Why exactly? My argument is founded upon their latest official publicly available document, which expires on 24 February 2021. Where can I find a most updated and reliable source?
"These “well-known locations”, “/.well-known/”. The directory location /.well-known isn’t a coincidence, it’s the result of a carefully considered RFC. This directory can be used for all kinds of information discovery."
You are quoting a blog post, not an official source.
I can't take that as an ultimate truth.
In addition, this source was last updated in March 2016, and the GitHub repository Mattias Geniar mentions in his blog post is deprecated, which means it is outdated and shall not be taken into consideration.
a typical developer would want to develop a website and manage secure integrations in the back end as well.
No, I disagree.
Being a billion dollar business Shopify most definitely has got security covered, maintained and constantly updated.
Opening the possibility to customize the back-end would add an unnecessary layer of complexity & high potential security breaches, since developers are humans as well and are prone to mistake. That is beyond the scope of what Shopify offers: an easy to use, "batteries included" online shop to sell your products. Simple as that.
More complex alternatives should be built from scratch or on other platforms that provide greater flexibility.
Kind regards,
Diego
In response to these questions:
Apple Pay requires to store a file in this area
Interesting, I was not aware of it. Can you please forward me to the official reference where they state this? And why do they need to store a file in this area? What do they store in it? What's the purpose of it?
I have found the need to upload a file here in Shopify to allow these types of payments to be used.
Which file did you need to upload? Apple pay is built in Shopify by default. What was the purpose of the file(s) that you uploaded or had to upload?
My Response
We are also looking at a way to create a .well-known folder on Shopify specifically for Apple Pay outside of the Shopify Payments ecosystem.
This works if we direct the customer off of our Shopify CNAME for our store, but that scares customers, so we've been trying to implement via the Shopify Proxy, which mostly works, but fails the Apple Pay authentication because the domain name is not registered with them.
One of the steps required by Apple is to temporarily place their apple-developer-merchantid-domain-association.txt in a /.well-known folder so that they can verify you own the domain. Once they verify the file is no longer needed, they don't store anything and they don't do anything with this file after verification and it could be safely deleted afterwards.
I reached out to Apple today to see if they have any alternatives to the well-known file, like a DNS TXT record, which personally I think would be a better solution; however, from the screenshot below as of today, the .well-known file is the only option they currently give.
Since this file is only needed to verify, one option is to change your DNS to point to a server you own with the .well-known file loaded there, verify the domain with Apple and then change the record back to the Shopify CNAME; however, this does take your store offline while you are performing this task.
...but it would be nice, since I've seen other people require this for domain validation if Shopify included it as one of the theme folders, like Assets and so on.
Stuck with the same problem. Apple Pay asked me to upload the file to "/.well-known".... How do i solve this?
Did you ever solve this?
.well-known folder verification seems also to be required for using mobile app deeplinks or auto-complete fields with Google password manager or another password managers in mobile apps. The auto-complete data are linked to domain names, after all.
I hope Shopify will add support for adding things to the .well-known directory. I've seen this requirement all over the place.
In the mean time I do have one idea people could try.
A 301 redirect might work depending on whether the service accessing the file follows redirects.
1. First upload your verification file to Shopify's files and copy the URL.
2. Setup a redirect in Shopify from wherever you need:
/.well-known/amphtml/apikey.pub (in my case)
to the file URL you uploaded
https://cdn.shopify.com/s/files/1/1234/1234/1234/files/apikey.pub.txt?v=1704500672
Save the redirect and give it a shot. Good luck!
This doesn't seem to work, regardless of where you send the redirect, it is always a 404.
I just checked my old implementation of this. It's still working well. Maybe the path you are attempting to redirect from is different for some reason?
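Whether the redirect workaround above "works" depends on two things: the client fetching /.well-known/security.txt must follow the 301 to the CDN URL, and the file it lands on must still be a valid security.txt (the format was published as RFC 9116 in 2022, which makes Contact and Expires mandatory and requires the file to be served as text/plain over HTTPS). The script below is an added example, not code from this thread or from Shopify: it follows a redirect chain the way a redirect-tolerant client would, then validates the resulting file. The HTTP layer is a constructed in-memory map standing in for the store and cdn.shopify.com; the store domain, CDN path and file contents are assumptions for illustration, and `fetch` can be swapped for a real `urllib` call.

```python
"""Check a security.txt deployment that relies on a 301 redirect.

Added example for the thread above; not Shopify's code. FAKE_SITE is a
constructed stand-in for HTTP so the script runs offline."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses: URL -> (status, headers, body). The store URL and
# CDN path are assumed; they mirror the shape used in the thread.
FAKE_SITE = {
    "https://my-store.com/.well-known/security.txt": (
        301,
        {"Location": "https://cdn.shopify.com/s/files/1/0000/0000/files/security.txt?v=1"},
        "",
    ),
    "https://cdn.shopify.com/s/files/1/0000/0000/files/security.txt?v=1": (
        200,
        {"Content-Type": "text/plain; charset=utf-8"},
        "# constructed sample file\n"
        "Contact: mailto:security@my-store.com\n"
        "Expires: 2026-01-01T00:00:00Z\n"
        "Preferred-Languages: en\n",
    ),
}

# Fixed "now" so the Expires checks are deterministic.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def fake_fetch(url: str) -> tuple[int, dict, str]:
    """Stand-in for an HTTP GET; unknown URLs return 404 like a real CDN."""
    return FAKE_SITE.get(url, (404, {}, ""))


def resolve(url: str, fetch, max_hops: int = 5):
    """Follow redirects. Returns (final_url, status, headers, body, hops)."""
    hops = []
    for _ in range(max_hops + 1):
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "Location" in headers:
            hops.append(url)
            url = urljoin(url, headers["Location"])  # handles relative Location
            continue
        return url, status, headers, body, hops
    raise RuntimeError(f"more than {max_hops} redirects from {hops[0]}")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines; field names are case-insensitive, '#' is a comment."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields: dict[str, list[str]], now: datetime) -> list[str]:
    """Apply the RFC 9116 rules a reporter's tooling is most likely to enforce."""
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a URI: {c}")
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing Expires")
    elif len(expires) > 1:
        problems.append("Expires given more than once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
        else:
            if when <= now:
                problems.append("file has expired")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC recommends less)")
    return problems


def check(url: str, fetch=fake_fetch, now: datetime = NOW) -> list[str]:
    """Resolve the URL, then validate transport and contents. Empty list == OK."""
    final, status, headers, body, _hops = resolve(url, fetch)
    if status != 200:
        return [f"HTTP {status} at {final}"]
    problems = []
    if not final.startswith("https://"):
        problems.append(f"final URL is not HTTPS: {final}")
    if not headers.get("Content-Type", "").lower().startswith("text/plain"):
        problems.append("Content-Type is not text/plain")
    problems.extend(validate(parse_security_txt(body), now))
    return problems


if __name__ == "__main__":
    for target in ("https://my-store.com/.well-known/security.txt",
                   "https://my-store.com/.well-known/missing.txt"):
        print(target, "->", check(target) or "OK")
```

The 404 reported earlier in the thread is exactly what `check()` returns when the redirect source path does not match: the resolver never leaves the first hop. The validator is deliberately stricter than "did the file load", because a researcher's tooling will reject an expired or contact-less file even when the redirect works.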