More .well-known checks

[woodruffw]

.well-known (RFC) is becoming an increasingly popular destination for stashing site-wide metadata. Some of that metadata is relevant to site security or may unintentionally leak information, so we should scan it.

Some starting points:

• Presence of/interesting things in an MTA-STS policy (RFC)
  • This might be hampered by the fact that the RFC requires this policy to be hosted on a separate subdomain, e.g. mta-sts.example.com/.well-known/mta-sts.txt.
• Asset links: https://developers.google.com/digital-asset-links/v1/getting-started
• A number of different things on this list: https://en.wikipedia.org/wiki/List_of_/.well-known/_services_offered_by_webservers

[vanjo9800]

Hi, I would like to work on this issue as part of Hacktoberfest 2022.

[woodruffw]

Go for it! Sent from mobile. Please excuse my brevity.

…

On Oct 1, 2022, at 5:30 AM, Ivan Ivanov ***@***.***> wrote:  Hi, I would like to work on this issue as part of Hacktoberfest 2022. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.

[gracefkang]

@vanjo9800 Are you still working on this? If not I'd also like to take a stab at it.

[woodruffw]

They haven’t responded in over a year, so you should feel free to take it over. Thanks!Sent from mobile. Please excuse my brevity.On Jan 23, 2023, at 7:12 PM, gracefkang ***@***.***> wrote: @vanjo9800 Are you still working on this? If not I'd also like to take a stab at it. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[ktor-vi]

Interested ! First issue 👍