I've got a documentation website populated from the Github master branch for my documentation project.
I'd like https://mydomain/.well-known/security.txt to serve the file under tree/master/.well-known/security.txt per securitytxt.org which says
security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.
For websites, the security.txt file should be placed under the
/.well-known/path (/.well-known/security.txt) [RFC5785]. It can also be placed in the root directory (/security.txt) of a website, especially if the/.well-known/directory cannot be used for technical reasons, or simply as a fallback.
The problem I'm seeing is that .well-known seems to be ignored by Github pages presumably because it's a hidden file per POSIX file conventions. Is this configurable?
I could use the fallback quoted above, but I'd rather follow the RFC5785 if possible.
For reference, the project I'm currently concerned about is https://github.com/temper-lang/docs and I expect the security.txt to show up at https://temperlang.dev/.well-known/security.txt but get a 404.
Below is a screenshot of my Github pages config:
It may not be a solution for you if your site is using Jekyll, but in my case I was able to enable serving of files beginning with a dot by creating a
.nojekyllfile in the root of the Github pages repository.I found this by doing a few more searches on Stackoverflow. Credit to this answer.