dynamic-security.txt Code
Server-wide dynamically created security.txt and optionally signed
Brought to you by:
remkohat
Menu
▾
▴
Tree [ebafba] main v1.0.0 / History
| File | Date | Author | Commit |
|---|---|---|---|
| securitytxt | 2023-02-19 |
Remko
|
[ebafba] Update apache.conf |
| LICENSE | 2023-01-25 |
Remko
|
[e1d669] Initial commit |
| README.md | 2023-02-15 |
Remko
|
[82fc49] Update README.md |
| security.txt | 2023-01-25 |
Remko
|
[e4dd29] Example output |
Read Me
dynamic-security.txt
Server-wide dynamically created security.txt and optionally signed with OpenPGP key using PHP.
https://domain.tld/security.txt
https://domain.tld/.well-known/security.txt
For Apache and Nginx.
(Based on Ubuntu 22.04 server, but should work on older versions and other distro's too)
Features:
- All available fields according to RFC9116 can be configured
- except for Canonical which is generated automatically based on visited URL
- and Expires which is generated automatically based on time of visit + 1 year
- Only configured fields will be shown in the output
- Output will be signed if a valid OpenPGP key is supplied
- If a website has a local security.txt file present then the script will not run, so your customers can still create their own security.txt file
Requirements
- Apache (with mod_rewrite enabled) or Nginx
- PHP >= 7.4
- PHP-gnupg extension (only needed when signing with OpenPGP key)
- GnuPG >= 2.0 (only needed when signing with OpenPGP key)
How To Use
Copy
- Copy securitytxt folder to /var/www/
(for any other location you need to alter apache.conf or nginx.conf)
Edit desired fields in /var/www/securitytxt/conf/config.php
-
Leave empty or comment when the field shouldn't be displayed
-
Fields are explained here:
https://www.rfc-editor.org/rfc/rfc9116#name-field-definitions
When signing with OpenPGP key
- Create folder /var/www/.gnupg
mkdir /var/www/.gnupg
- Set folder permissions to webserver user
chown www-data:www-data /var/www/.gnupg
- The first time the script is run you not only need the public key but also the private key.
Uncomment lines 7 and 9 in /var/www/securitytxt/sign/sign.php and line 55 in /var/www/securitytxt/conf/config.php.
After the first successful run these lines can be commented again or deleted in both files.
Enable webserver configuration
Apache
- Copy /var/www/securitytxt/conf/apache.conf to /etc/apache2/conf-available/securitytxt.conf
cp /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf
Or create a symlink in /etc/apache2/conf-available
ln -s /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf
-
Check PHP handler and change if necessary
-
Enable securitytxt.conf in Apache
a2enconf securitytxt
- Reload Apache
systemctl reload apache2
Nginx
- Copy /var/www/securitytxt/conf/nginx.conf to /etc/nginx/snippets/securitytxt.conf
cp /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf
Or create a symlink in /etc/nginx/snippets
ln -s /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf
-
Check PHP handler and change if necessary
-
Reload Nginx
systemctl reload nginx
Server-wide
-
Add below to every website's vhost configuration.
-
If you use a management system like ISPConfig, Plesk etc. than add below to the vhost config that is used when adding or altering a website.
Resync all websites after.
Apache
RewriteEngine on
RewriteOptions Inherit
Nginx
include /etc/nginx/snippets/securitytxt.conf;
Example output
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
# Canonical URL
Canonical: https://domain.tld/.well-known/security.txt
# Our security address
Contact: https://domain.tld/report-vulnerability
Contact: mailto:security@domain.tld
# Our security policy
Policy: https://domain.tld/policy
# Hall of fame
Acknowledgments: https://domain.tld/hall-of-fame
# Jobs for you
Hiring: https://domain.tld/jobs
# These are the languages we speak
Preferred-Languages: en
# Our OpenPGP key
Encryption: https://domain.tld/public.key
Encryption: openpgp4fpr:BAB0EC5B0A8A52D5F4C9D0E8D5DC1526068283E3
# You shouldn't trust this file, once it has expired (like bad milk)
Expires: 2025-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEgREAlEyU6YeEspGsbER6wYJfdlUFAmPRjzEACgkQbER6wYJf
dlWSYw//ZwtgU6P1NywSaWUPhidnqXw1in9iRqCo6YOn+oynDb/J9GLR3mD8zEli
LXiYk23PVKgwFDyWfDNY65/Bj81t2+9OpAT22rhswm2sL2tHx8uUB4VZM9R9OShO
SQ8fehKCU9/eTHIVjM/RH/Cn9bcgaZamGKXyPTrMgUnB+koVbRxzOrz7lfmxHgdr
0vJ2nrgtOMQg+hi/w6nNkkC/XO2yGDe41xoxaAAOlxZGk8guZWk2z8llKzNVLP7/
3kTlP9NqHFZ7aZa3Z5TUjUzcYIZtNolicpzamaJdAxNfeTlYpZjT8z0Q4KtBLqop
THDuxA9CAuRTbOYLCBKtcu2wknNX9zGApnqsBdQ1UGzuYvmh2mgGslJNHiYyDCNi
/8e02oOdrNsMCRoYZR8kpwRMuvIEg/O+yprVKmzqLJrBeH+YPv6NmNNX0spyP7Q8
IvonbIzh1skWd8U06VKo7+gLhDGBDiRfD6qQ7Cqd0YhSS4k3/Wz8/ohc/JKaGQhP
BBsCLFPQbOEHpJC+YetXZlw00Wf52vpeRMDked2Y8Pu7c7hz3iubZBNfxGYT/gFU
hbcDZrexjYPLkJTaQrZ9PKnBwazrSNmRvXNMPZ0OJotdcEqHOUgF7+nMA6/qAbJF
5YL4NLvINXwqExlx9ZUCd+nj2SNygl+VzX5zVHz4EUteXJheRvo=
=Dhpc
-----END PGP SIGNATURE-----
