austinheap/laravel-security-txt

A package for serving `security.txt` in Laravel 5.5+, based on configuration settings.

v0.2.5 2017-10-07 07:41 UTC

README

Current Release Total Downloads Build Status Code Climate Scrutinizer CI SensioLabs Test Coverage

A package for serving security.txt in Laravel 5.5+, based on configuration settings.

The purpose of this project is to create a set-it-and-forget-it package that can be installed without much effort to get a Laravel project compliant with the current security.txt spec. It is therefore highly opinionated but built for configuration.

When enabled, it allows access to all clients and serves up the security.txt. Otherwise, it operates almost identically to Laravel's default configuration, denying access to all clients.

security.txt is a draft "standard" which allows websites to define security policies. This "standard" sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of robots.txt, but for security issues.

There is documentation for laravel-security-txt online, the source of which is in the docs/ directory. The most logical place to start are the docs for the SecurityTxt class.

Installation

Step 1: Composer

Via Composer command line:

$ composer require austinheap/laravel-security-txt

Or add the package to your composer.json:

{
    "require": {
        "austinheap/laravel-security-txt": "^0.2.5"
    }
}

Step 2: Remove any existing security.txt

Laravel doesn't ship with a default security.txt file. If you have added one, it needs to be removed for the configured route to work.

$ rm public/.well-known/security.txt

Step 3: Enable the route

Add the service provider to your config/app.php:

'providers' => [
    //
    AustinHeap\Security\Txt\SecurityTxtServiceProvider::class,
];

Publish the package config file:

$ php artisan vendor:publish --provider="AustinHeap\Security\Txt\SecurityTxtServiceProvider"

You may now allow clients via security.txt by editing the config/security-txt.php file, opening up the route to the public:

return [
    'enabled' => env('SECURITY_TXT_ENABLED', true),
];

Or simply setting the the SECURITY_TXT_ENABLED environment variable to true, via the Laravel .env file or hosting environment.

SECURITY_TXT_ENABLED=true

Full .env Example

After installing the package with composer, simply add the following to your .env file:

SECURITY_TXT_ENABLED=true
SECURITY_TXT_CONTACT=security@your-site.com
SECURITY_TXT_ENCRYPTION=https://your-site.com/pgp.key
SECURITY_TXT_DISCLOSURE=full
SECURITY_TXT_ACKNOWLEDGEMENT=https://your-site.com/security-champions

References

Credits

This is a fork of InfusionWeb/laravel-robots-route, which was a fork of ellisthedev/laravel-5-robots, which was a fork of jayhealey/Robots, which was based on earlier work.

License

The MIT License (MIT). Please see License File for more information.