austinheap / laravel-security-txt
A package for serving `security.txt` in Laravel 5.5+, based on configuration settings.
Requires
- php: >=7.0.0
- austinheap/php-security-txt: ^0.4
- laravel/framework: 5.5.*|5.6.*
Requires (Dev)
- codeclimate/php-test-reporter: dev-master
- orchestra/testbench: ^3.5
- phpunit/phpunit: ~6.0
This package is auto-updated.
Last update: 2021-04-22 03:12:30 UTC
README
A package for serving security.txt in Laravel 5.5+, based on configuration settings.
The purpose of this project is to create a set-it-and-forget-it package that can be installed without much effort to get a Laravel project compliant with the current security.txt spec. It is therefore highly opinionated but built for configuration.
When enabled, it allows access to all clients and serves up the security.txt. Otherwise, it operates almost identically to Laravel's default configuration, denying access to all clients.
security.txt is a draft "standard" which allows websites to define security policies. This "standard" sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of robots.txt, but for security issues.
There is documentation for laravel-security-txt online, the source of which is in the docs/ directory. The most logical place to start is the docs for the SecurityTxt class.
Installation
Step 1: Composer
Via Composer command line:
$ composer require austinheap/laravel-security-txt
Or add the package to your composer.json:
{
    "require": {
        "austinheap/laravel-security-txt": "0.3.*"
    }
}
Step 2: Remove any existing security.txt
Laravel doesn't ship with a default security.txt file. If you have added one, it needs to be removed for the configured route to work.
$ rm public/.well-known/security.txt
Step 3: Enable the package (Optional)
This package implements Laravel 5.5's auto-discovery feature. After you install it, the package provider and facade are registered automatically.
If you would like to declare the provider and/or alias explicitly, add the service provider to your config/app.php:
'providers' => [
    // ...
    AustinHeap\Security\Txt\SecurityTxtServiceProvider::class,
];
And then add the alias to your config/app.php:
'aliases' => [
    // ...
    'SecurityTxt' => AustinHeap\Security\Txt\SecurityTxtFacade::class,
];
Step 4: Configure the package
Publish the package config file:
$ php artisan vendor:publish --provider="AustinHeap\Security\Txt\SecurityTxtServiceProvider"
You may now allow clients via security.txt by editing the config/security-txt.php file, opening up the route to the public:
return [
    'enabled' => env('SECURITY_TXT_ENABLED', true),
];
Or simply set the SECURITY_TXT_ENABLED environment variable to true, via the Laravel .env file or hosting environment.
SECURITY_TXT_ENABLED=true
Full .env Example
After installing the package with composer, simply add the following to your .env file:
SECURITY_TXT_ENABLED=true
SECURITY_TXT_CACHE=true
SECURITY_TXT_CONTACT=security@your-site.com
SECURITY_TXT_ENCRYPTION=https://your-site.com/pgp.key
SECURITY_TXT_DISCLOSURE=full
SECURITY_TXT_ACKNOWLEDGEMENT=https://your-site.com/security-champions
Now point your browser to http://your-site.com/.well-known/security.txt and you should see:
# Our security address
Contact: me@austinheap.com
# Our PGP key
Encryption: http://some.url/pgp.key
# Our disclosure policy
Disclosure: Full
# Our public acknowledgement
Acknowledgement: http://some.url/acks
#
# Generated by "laravel-security-txt" v0.4.0 (https://github.com/austinheap/laravel-security-txt/releases/tag/v0.4.0)
# using "php-security-txt" v0.4.0 (https://github.com/austinheap/php-security-txt/releases/tag/v0.4.0)
# in 0.041008 seconds on 2017-11-22 20:31:25.
#
# Cache is enabled with key "cache:AustinHeap\Security\Txt\SecurityTxt".
#
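Once the route is live, it is worth checking that the served file actually gives researchers what they need. The following is an added example, not code from the package, that parses a security.txt body (the sample output above, embedded as constructed input), requires a Contact field, and flags Encryption or Acknowledgement links served over plain http, as the sample's PGP key link is:

```python
# Constructed sample: the body this README says the package serves.
SAMPLE = """# Our security address
Contact: me@austinheap.com
# Our PGP key
Encryption: http://some.url/pgp.key
# Our disclosure policy
Disclosure: Full
# Our public acknowledgement
Acknowledgement: http://some.url/acks
#
# Generated by "laravel-security-txt" v0.4.0
"""


def parse_security_txt(body):
    """Return {field: [values]}; comments and blank lines are skipped,
    field names are lower-cased so lookups are case-insensitive."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(body):
    """Return a list of findings; an empty list means nothing was flagged."""
    fields = parse_security_txt(body)
    findings = []
    if "contact" not in fields:
        findings.append("missing required Contact field")
    # Links to the PGP key and the acknowledgements page should be https,
    # otherwise an on-path attacker can swap the key a researcher fetches.
    for name in ("contact", "encryption", "acknowledgement"):
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                findings.append(f"{name} uses plaintext http: {value}")
    return findings


if __name__ == "__main__":
    for finding in check_security_txt(SAMPLE):
        print("WARN:", finding)
```

Run it against the body fetched from your own /.well-known/security.txt instead of SAMPLE to check a deployment.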
Unit Tests
This package has aggressive unit tests built with the wonderful orchestral/testbench package which is built on top of PHPUnit.
There are code coverage reports for laravel-security-txt available online.
Credits
This is a fork of InfusionWeb/laravel-robots-route, which was a fork of ellisthedev/laravel-5-robots, which was a fork of jayhealey/Robots, which was based on earlier work.
License
The MIT License (MIT). Please see License File for more information.