austinheap/laravel-security-txt

A package for serving `security.txt` in Laravel 5.5+, based on configuration settings.

v0.4.0 2017-11-22 20:11 UTC

README

laravel-security-txt banner from the documentation

License Current Release Total Downloads Build Status Dependency Status Scrutinizer CI StyleCI Maintainability Test Coverage SensioLabs

A package for serving security.txt in Laravel 5.5+, based on configuration settings.

The purpose of this project is to create a set-it-and-forget-it package that can be installed without much effort to get a Laravel project compliant with the current security.txt spec. It is therefore highly opinionated but built for configuration.

When enabled, it allows access to all clients and serves up the security.txt. Otherwise, it operates almost identically to Laravel's default configuration, denying access to all clients.

security.txt is a draft "standard" which allows websites to define security policies. This "standard" sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of robots.txt, but for security issues.

There is documentation for laravel-security-txt online, the source of which is in the docs/ directory. The most logical place to start are the docs for the SecurityTxt class.

Installation

Step 1: Composer

Via Composer command line:

$ composer require austinheap/laravel-security-txt

Or add the package to your composer.json:

{
    "require": {
        "austinheap/laravel-security-txt": "0.3.*"
    }
}

Step 2: Remove any existing security.txt

Laravel doesn't ship with a default security.txt file. If you have added one, it needs to be removed for the configured route to work.

$ rm public/.well-known/security.txt

Step 3: Enable the package (Optional)

This package implements Laravel 5.5's auto-discovery feature. After you install it the package provider and facade are added automatically.

If you would like to declare the provider and/or alias explicitly, then add the service provider to your config/app.php:

Add the service provider to your config/app.php:

'providers' => [
    //
    AustinHeap\Security\Txt\SecurityTxtServiceProvider::class,
];

And then add the alias to your config/app.php:

'aliases' => [
    //
    'SecurityTxt' => AustinHeap\Security\Txt\SecurityTxtFacade::class,
];

Step 4: Configure the package

Publish the package config file:

$ php artisan vendor:publish --provider="AustinHeap\Security\Txt\SecurityTxtServiceProvider"

You may now allow clients via security.txt by editing the config/security-txt.php file, opening up the route to the public:

return [
    'enabled' => env('SECURITY_TXT_ENABLED', true),
];

Or simply setting the the SECURITY_TXT_ENABLED environment variable to true, via the Laravel .env file or hosting environment.

SECURITY_TXT_ENABLED=true

Full .env Example

After installing the package with composer, simply add the following to your .env file:

SECURITY_TXT_ENABLED=true
SECURITY_TXT_CACHE=true
SECURITY_TXT_CONTACT=security@your-site.com
SECURITY_TXT_ENCRYPTION=https://your-site.com/pgp.key
SECURITY_TXT_DISCLOSURE=full
SECURITY_TXT_ACKNOWLEDGEMENT=https://your-site.com/security-champions

Now point your browser to http://your-site.com/.well-known/security.txt and you should see:

# Our security address
Contact: me@austinheap.com

# Our PGP key
Encryption: http://some.url/pgp.key

# Our disclosure policy
Disclosure: Full

# Our public acknowledgement
Acknowledgement: http://some.url/acks

#
# Generated by "laravel-security-txt" v0.4.0 (https://github.com/austinheap/laravel-security-txt/releases/tag/v0.4.0)
# using "php-security-txt" v0.4.0 (https://github.com/austinheap/php-security-txt/releases/tag/v0.4.0)
# in 0.041008 seconds on 2017-11-22 20:31:25.
#
# Cache is enabled with key "cache:AustinHeap\Security\Txt\SecurityTxt".
#

References

Credits

This is a fork of InfusionWeb/laravel-robots-route, which was a fork of ellisthedev/laravel-5-robots, which was a fork of jayhealey/Robots, which was based on earlier work.

License

The MIT License (MIT). Please see License File for more information.