Closed
Description
If this field appears within a "security.txt" file and the URI used to retrieve that file is not listed within any canonical fields, then the contents of the file SHOULD NOT be trusted.
https://www.rfc-editor.org/rfc/rfc9116#section-2.5.2-3
Right now the result of checking michalspacek.cz (no www) is fine:
$ bin/checksecuritytxt.php michalspacek.cz --no-ipv6
[Info] Parsing security.txt for michalspacek.cz
[Info] Loading security.txt from https://michalspacek.cz/.well-known/security.txt
[Info] Loading security.txt from https://michalspacek.cz/security.txt
[Info] Redirected from https://michalspacek.cz/security.txt to https://michalspacek.cz/.well-known/security.txt
[Info] Selecting security.txt located at https://michalspacek.cz/.well-known/security.txt for further tests
[Info] The file will expire in 271 days (2026-09-01T00:00:00+00:00)
[Info] Signature valid, key 4BD4C403AF2F9FCCB151FE61B64BDD6E464AB529, signed on 2025-09-23T15:02:54+00:00
But the URL in the Canonical field has www:
spaze@over9k:~/libs/security-txt@main$ curl https://michalspacek.cz/.well-known/security.txt | grep Canonical
Canonical: https://www.michalspacek.cz/.well-known/security.txt
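The RFC 9116 section 2.5.2 rule described above, as an added illustration that is not part of the security-txt library: it extracts the Canonical fields from a file and compares them with the URI the file was actually retrieved from. The file contents are constructed to mirror this issue; the library's own parser and output format are not reproduced.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the issue: file served from the no-www host,
# but its only Canonical field names the www host.
SAMPLE_SECURITY_TXT = """\
# constructed sample, not the real file
Contact: mailto:security@michalspacek.cz
Expires: 2026-09-01T00:00:00+00:00
Canonical: https://www.michalspacek.cz/.well-known/security.txt
"""


def canonical_uris(text):
    """Return the values of all Canonical fields, in file order.

    Comments, blank lines, and the Hash:/BEGIN/END lines of a cleartext
    PGP signature are skipped because their field name is not 'canonical'.
    """
    uris = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() == "canonical":
            uris.append(value.strip())
    return uris


def _normalize(uri):
    # Scheme and host are case-insensitive; an empty path means "/".
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def canonical_check(text, retrieved_from):
    """Return (trusted, reason) per RFC 9116 section 2.5.2.

    No Canonical field at all: the rule does not apply.  Otherwise the
    retrieval URI must match one of the listed URIs, or the file
    SHOULD NOT be trusted.
    """
    uris = canonical_uris(text)
    if not uris:
        return True, "no Canonical field present; check not applicable"
    if _normalize(retrieved_from) in {_normalize(u) for u in uris}:
        return True, "retrieval URI is listed in a Canonical field"
    return False, f"retrieval URI {retrieved_from} not listed in Canonical: {uris}"


if __name__ == "__main__":
    print(canonical_check(SAMPLE_SECURITY_TXT, "https://michalspacek.cz/.well-known/security.txt"))
```

With the constructed sample, retrieval from the no-www host fails the check while retrieval from the www host passes.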