64° Adventures

Personal blog with posts about technology, security, photography, and travel

The Cornerstones of an Application Security Program

Building an Application Security Program from scratch is a challenging but necessary effort for any company that develops its own services and applications. Picture a small start-up that quickly got its services up and running in a productive way and has since hired more people, but in the process never got round to creating a sensible and sustainable application security program.

Traefik proxy with Web Application Firewall (WAF)

Traefik proxy is a versatile and very lightweight cloud-native application gateway and load balancer that integrates really well with Docker and Kubernetes, among others. Brilliant as it is, Traefik has no built-in Web Application Firewall features or integrations. Traditionally, one needs to place a third-party WAF in front of Traefik and route requests from there to Traefik. This increases the complexity of the system and complicates troubleshooting.

Security.txt -file (RFC 9116) generator

Security.txt is defined in [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116) and has since been adopted by many organisations. The idea is to publish a plain-text file on the website at a predefined, well-known address (https://xxx.test/.well-known/security.txt), served over HTTPS. The file tells security researchers how the organisation can be contacted when security problems or vulnerabilities are found in its services. The RFC makes two fields mandatory, Contact and Expires, and a file whose Expires date has passed should be treated as stale, so the file has to be regenerated regularly rather than written once and forgotten.
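To show what such a generator has to get right, here is an added example, written for this page and not the blog's own generator: it builds a security.txt body from a contact list and an expiry date, then validates a file against the RFC 9116 rules that are easy to get wrong (mandatory Contact and Expires, single-occurrence fields, URI-formatted contacts, https-only links, and an Expires value that must be in the future and should be less than a year ahead). The domain example.test, the addresses and the broken sample file are constructed for the demonstration. The validator expects an unsigned file; a PGP cleartext signature would have to be stripped first.

```python
"""Generate and validate an RFC 9116 security.txt file (added example)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Fields defined in RFC 9116 section 2.5. Contact and Expires are mandatory;
# Expires and Preferred-Languages may appear at most once. Extension fields
# are allowed, so unknown names are reported as warnings, not errors.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
REQUIRED_FIELDS = {"contact", "expires"}
SINGLE_FIELDS = {"expires", "preferred-languages"}
LINK_FIELDS = KNOWN_FIELDS - {"expires", "preferred-languages"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(\S.*?)\s*$")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def format_expires(when: datetime) -> str:
    """Render a datetime as the RFC 3339 UTC timestamp Expires requires."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def generate(contacts: list[str], expires: datetime,
             preferred_languages: str | None = None,
             **link_fields: list[str] | str) -> str:
    """Build a security.txt body. Optional link fields (canonical, policy,
    encryption, acknowledgments, hiring) are given by lowercase name."""
    lines = ["# security.txt, see RFC 9116"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {format_expires(expires)}")
    if preferred_languages:
        lines.append(f"Preferred-Languages: {preferred_languages}")
    for name, values in link_fields.items():
        if name not in LINK_FIELDS - {"contact"}:
            raise ValueError(f"unknown field {name!r}")
        for v in ([values] if isinstance(values, str) else values):
            lines.append(f"{name.capitalize()}: {v}")
    return "\n".join(lines) + "\n"


def parse(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Collect field values by lowercased name (names are case-insensitive);
    blank lines and # comments are skipped, anything else is an error."""
    fields: dict[str, list[str]] = {}
    errors: list[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            errors.append(f"line {n}: not a 'Field: value' line: {raw!r}")
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields, errors


def check_link(field: str, value: str) -> str | None:
    """Values must be URIs (mailto:/tel: for email and phone); web URIs https."""
    m = SCHEME_RE.match(value)
    if not m:
        return f"{field}: {value!r} is not a URI (use mailto: or tel:)"
    if m.group(1).lower() == "http":
        return f"{field}: web URIs must use https://, got {value!r}"
    return None


def validate(text: str, now: datetime | None = None) -> tuple[list[str], list[str]]:
    """Return (errors, warnings); `now` must be timezone-aware if given."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse(text)
    warnings: list[str] = []
    present = set(fields)
    errors += [f"missing required field {n}" for n in sorted(REQUIRED_FIELDS - present)]
    errors += [f"{n} appears {len(fields[n])} times, allowed once"
               for n in sorted(SINGLE_FIELDS & present) if len(fields[n]) > 1]
    warnings += [f"unknown (extension) field {n}" for n in sorted(present - KNOWN_FIELDS)]
    for name in sorted(LINK_FIELDS & present):
        errors += [p for p in (check_link(name, v) for v in fields[name]) if p]
    for value in fields.get("expires", [])[:1]:
        try:  # fromisoformat does not accept a trailing Z before Python 3.11
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"expires: {value!r} is not an RFC 3339 timestamp")
            continue
        if exp.tzinfo is None:
            errors.append(f"expires: {value!r} lacks a timezone offset")
        elif exp <= now:
            errors.append(f"expires: file expired at {value}")
        elif exp - now > timedelta(days=365):
            warnings.append("expires: more than a year ahead; RFC 9116 recommends less")
    return errors, warnings


# Constructed non-compliant file: bare email, http:// link, duplicate and
# already-passed Expires. Every line is deliberate.
BAD_EXAMPLE = """# constructed example\nContact: security@example.test
Contact: http://example.test/report\nExpires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z\nHiring: https://example.test/jobs\n"""


def demo() -> dict[str, object]:
    """Generate a file for the hypothetical example.test and validate both it
    and BAD_EXAMPLE at fixed points in time, so results are reproducible."""
    good = generate(["mailto:security@example.test", "https://example.test/report"],
                    datetime(2030, 1, 1, tzinfo=timezone.utc), "en, fi",
                    canonical="https://example.test/.well-known/security.txt",
                    policy="https://example.test/security-policy")
    errors, warnings = validate(good, now=datetime(2029, 6, 1, tzinfo=timezone.utc))
    _, far = validate(good, now=datetime(2028, 1, 1, tzinfo=timezone.utc))
    bad_errors, _ = validate(BAD_EXAMPLE, now=datetime(2029, 6, 1, tzinfo=timezone.utc))
    return {"text": good, "errors": errors, "warnings": warnings,
            "far_warnings": far, "bad_errors": bad_errors}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"--- {key}\n{val}")
```

Run it and the generated file validates cleanly in mid-2029, gains a warning when checked from 2028 because the expiry is then more than a year away, and the constructed bad file is rejected for the bare email address, the http:// link, the duplicated Expires and the expiry date that has already passed. Publishing the output is then a matter of serving it as text/plain under /.well-known/ over HTTPS and re-running the generator before the Expires date arrives.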