File | Date | Author | Commit |
---|---|---|---|
securitytxt | 2023-02-19 | | [ebafba] Update apache.conf |
LICENSE | 2023-01-25 | | [e1d669] Initial commit |
README.md | 2023-02-15 | | [82fc49] Update README.md |
security.txt | 2023-01-25 | | [e4dd29] Example output |
Server-wide, dynamically created security.txt, optionally signed with an OpenPGP key, using PHP. It is served at:

https://domain.tld/security.txt
https://domain.tld/.well-known/security.txt

For Apache and Nginx. (Based on an Ubuntu 22.04 server, but it should work on older versions and other distros too.)
Features:
- All fields defined in RFC 9116 can be configured, except:
  - Canonical, which is generated automatically from the visited URL
  - Expires, which is generated automatically as the time of the visit + 1 year
- Only configured fields are shown in the output
- The output is signed if a valid OpenPGP key is supplied
- If a website has a local security.txt file present, the script does not run, so your customers can still create their own security.txt file (for any other location you need to alter apache.conf or nginx.conf)
Leave a field empty or comment it out when it shouldn't be displayed. The fields are explained here:

https://www.rfc-editor.org/rfc/rfc9116#name-field-definitions
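As an added example (not the project's own sign.php or config.php), the generation rules from the feature list can be written as one PHP script: only configured fields are emitted, Canonical is derived from the visited URL, Expires is the visit time + 1 year, and the body is clearsigned when a key is set. The field values are constructed samples, the SECURITYTXT_SIGNING_KEY environment variable and the gpg command line are assumptions, and /var/www/.gnupg is the keyring directory the README creates.

```php
<?php
// Added example: a minimal generator that follows the README's rules
// (only configured fields are emitted, Canonical comes from the visited URL,
// Expires is visit time + 1 year, output is clearsigned when a key is set).
// It is not the project's own sign.php/config.php; field values below are
// constructed samples and the signing key fingerprint is a placeholder.
declare(strict_types=1);

// Constructed sample configuration. Empty string or null hides a field.
// Contact and Encryption may repeat, so arrays are accepted for any field.
$config = [
    'Contact'             => ['https://domain.tld/report-vulnerability',
                              'mailto:security@domain.tld'],
    'Policy'              => 'https://domain.tld/policy',
    'Acknowledgments'     => 'https://domain.tld/hall-of-fame',
    'Hiring'              => '',          // hidden: left empty
    'Preferred-Languages' => 'en',
    'Encryption'          => 'https://domain.tld/public.key',
    'CSAF'                => null,        // hidden: not configured
];

// Fingerprint of the signing key in /var/www/.gnupg (the directory the README
// creates). Leave empty to serve an unsigned file. Assumed env variable name.
$signingKey = getenv('SECURITYTXT_SIGNING_KEY') ?: '';

// Canonical is built from the server's own name, not from the client-supplied
// Host header, so a forged Host header cannot put a foreign URL into the
// signed file. SERVER_NAME must therefore be set by the vhost
// (ServerName / server_name), which the per-vhost configuration implies.
function canonicalUrl(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['SERVER_NAME'] ?? 'localhost';
    $path   = parse_url($server['REQUEST_URI'] ?? '/.well-known/security.txt', PHP_URL_PATH)
              ?: '/.well-known/security.txt';
    return $scheme . '://' . $host . $path;
}

// Expires: RFC 3339 timestamp in UTC, one year after the visit.
function expiresAt(int $now): string
{
    return gmdate('Y-m-d\TH:i:s\Z', strtotime('+1 year', $now));
}

// Render the body: one "Field: value" line per configured value, skipping
// empty ones; Canonical and Expires are always present and never configurable.
function renderBody(array $config, string $canonical, string $expires): string
{
    $lines = ['Canonical: ' . $canonical];
    foreach ($config as $field => $values) {
        foreach ((array) $values as $value) {
            if ($value === null || trim((string) $value) === '') {
                continue; // empty or commented-out field is not displayed
            }
            $lines[] = $field . ': ' . trim((string) $value);
        }
    }
    $lines[] = 'Expires: ' . $expires;
    return implode("\n", $lines) . "\n";
}

// Clearsign with gpg from the www-data keyring (assumed CLI invocation; the
// project may sign differently). Throws if gpg is missing or fails, so a
// half-signed or unsigned file is never served silently when a key is set.
function clearsign(string $text, string $fingerprint, string $homedir = '/var/www/.gnupg'): string
{
    $cmd  = ['gpg', '--homedir', $homedir, '--batch', '--yes',
             '--digest-algo', 'SHA512', '--local-user', $fingerprint, '--clearsign'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $text);
    fclose($pipes[0]);
    $signed = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('gpg clearsign failed: ' . trim($stderr));
    }
    return $signed;
}

$body   = renderBody($config, canonicalUrl($_SERVER), expiresAt(time()));
$output = $signingKey !== '' ? clearsign($body, $signingKey) : $body;

// RFC 9116 requires the file to be served as text/plain with the utf-8 charset.
header('Content-Type: text/plain; charset=utf-8');
echo $output;
```

The comment lines the repository's example output carries ("# Our security address" and so on) are left out here; the detail worth keeping is that Canonical is taken from SERVER_NAME rather than the Host header, so the signed file can only vouch for the vhost it was actually served from.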
Create the OpenPGP home directory for the web server user:

```sh
mkdir /var/www/.gnupg
chown www-data:www-data /var/www/.gnupg
```

Uncomment lines 7 and 9 in /var/www/securitytxt/sign/sign.php and line 55 in /var/www/securitytxt/conf/config.php. After the first successful run these lines can be commented again or deleted in both files.
Apache: copy the configuration into conf-available:

```sh
cp /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf
```

Or create a symlink in /etc/apache2/conf-available:

```sh
ln -s /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf
```

Check the PHP handler in the file and change it if necessary, then enable securitytxt.conf in Apache and reload:

```sh
a2enconf securitytxt
systemctl reload apache2
```
Nginx: copy the configuration into the snippets directory:

```sh
cp /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf
```

Or create a symlink in /etc/nginx/snippets:

```sh
ln -s /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf
```

Check the PHP handler in the file and change it if necessary, then reload Nginx:

```sh
systemctl reload nginx
```
Add the lines below to every website's vhost configuration. If you use a management system like ISPConfig, Plesk etc., add them to the vhost template that is used when adding or altering a website, and resync all websites afterwards.

Apache:

```apache
RewriteEngine on
RewriteOptions Inherit
```

Nginx:

```nginx
include /etc/nginx/snippets/securitytxt.conf;
```
Example output (the security.txt file in this repository):

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Canonical URL
Canonical: https://domain.tld/.well-known/security.txt
# Our security address
Contact: https://domain.tld/report-vulnerability
Contact: mailto:security@domain.tld
# Our security policy
Policy: https://domain.tld/policy
# Hall of fame
Acknowledgments: https://domain.tld/hall-of-fame
# Jobs for you
Hiring: https://domain.tld/jobs
# These are the languages we speak
Preferred-Languages: en
# Our OpenPGP key
Encryption: https://domain.tld/public.key
Encryption: openpgp4fpr:BAB0EC5B0A8A52D5F4C9D0E8D5DC1526068283E3
# You shouldn't trust this file, once it has expired (like bad milk)
Expires: 2025-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----

=Dhpc
-----END PGP SIGNATURE-----
```