# Laravel 5.5+ security.txt Package
A package for serving `security.txt` in Laravel 5.5+, based on configuration settings.

The purpose of this project is to create a set-it-and-forget-it package that can be installed without much effort to get a Laravel project compliant with the current `security.txt` spec. It is therefore highly opinionated, but built for configuration.
When enabled, it allows access to all clients and serves up the `security.txt`. Otherwise, it operates almost identically to Laravel's default configuration, denying access to all clients.
`security.txt` is a draft "standard" which allows websites to define security policies. This "standard" sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. `security.txt` is the equivalent of `robots.txt`, but for security issues.
There is documentation for laravel-security-txt online, the source of which is in the `docs/` directory. The most logical place to start is the docs for the `SecurityTxt` class.
## Installation

### Step 1: Composer

Via the Composer command line:

```bash
$ composer require austinheap/laravel-security-txt
```

Or add the package to your `composer.json`:

```json
{
    "require": {
        "austinheap/laravel-security-txt": "0.3.*"
    }
}
```
### Step 2: Remove any existing security.txt

Laravel doesn't ship with a default `security.txt` file. If you have added one, it needs to be removed for the configured route to work:

```bash
$ rm public/.well-known/security.txt
```
### Step 3: Enable the package (Optional)

This package implements Laravel 5.5's auto-discovery feature. After you install it, the package provider and facade are added automatically.

If you would like to declare the provider and/or alias explicitly, add the service provider to your `config/app.php`:

```php
'providers' => [
    //
    AustinHeap\Security\Txt\SecurityTxtServiceProvider::class,
];
```

And then add the alias to your `config/app.php`:

```php
'aliases' => [
    //
    'SecurityTxt' => AustinHeap\Security\Txt\SecurityTxtFacade::class,
];
```
Publish the package config file:

```bash
$ php artisan vendor:publish --provider="AustinHeap\Security\Txt\SecurityTxtServiceProvider"
```

You may now allow clients to fetch `security.txt` by editing the `config/security-txt.php` file, opening up the route to the public:

```php
return [
    'enabled' => env('SECURITY_TXT_ENABLED', true),
];
```

Or simply set the `SECURITY_TXT_ENABLED` environment variable to `true`, via the Laravel `.env` file or the hosting environment:

```
SECURITY_TXT_ENABLED=true
```
## Full .env Example

After installing the package with Composer, simply add the following to your `.env` file:

```
SECURITY_TXT_ENABLED=true
SECURITY_TXT_CACHE=true
SECURITY_TXT_CONTACT=security@your-site.com
SECURITY_TXT_ENCRYPTION=https://your-site.com/pgp.key
SECURITY_TXT_DISCLOSURE=full
SECURITY_TXT_ACKNOWLEDGEMENT=https://your-site.com/security-champions
```

Now point your browser to `http://your-site.com/.well-known/security.txt` and you should see:

```
# Our security address
Contact: me@austinheap.com
# Our PGP key
Encryption: http://some.url/pgp.key
# Our disclosure policy
Disclosure: Full
# Our public acknowledgement
Acknowledgement: http://some.url/acks
#
# Generated by "laravel-security-txt" v0.4.0 (https://github.com/austinheap/laravel-security-txt/releases/tag/v0.4.0)
# using "php-security-txt" v0.4.0 (https://github.com/austinheap/php-security-txt/releases/tag/v0.4.0)
# in 0.041008 seconds on 2017-11-22 20:31:25.
#
# Cache is enabled with key "cache:AustinHeap\Security\Txt\SecurityTxt".
#
```
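Once the route is open, the served file is what researchers will act on, so it is worth checking its content rather than only that it is reachable. The following is an added example, not part of laravel-security-txt or php-security-txt: a small parser for the `Field: value` format shown above, plus defender-side checks on the fields this package emits. The sample body is constructed from the output above; the accepted `Disclosure` values (`full`/`partial`/`none`) and the preference for `https://` key and acknowledgement URLs are assumptions about the early draft this package targets, not rules taken from the package.

```python
"""Added example (not the package's own code): parse a served security.txt
body and report simple checks on the fields this package writes."""
import re
from typing import Dict, List

# Constructed sample: the body shown on the page for the full .env example
# (trailing generator comments shortened; comment lines are ignored anyway).
SAMPLE = """\
# Our security address
Contact: me@austinheap.com
# Our PGP key
Encryption: http://some.url/pgp.key
# Our disclosure policy
Disclosure: Full
# Our public acknowledgement
Acknowledgement: http://some.url/acks
#
# Generated by "laravel-security-txt" v0.4.0
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: the Disclosure values used by the early security.txt draft.
ALLOWED_DISCLOSURE = {"full", "partial", "none"}


def parse_security_txt(body: str) -> Dict[str, List[str]]:
    """Map each field name (lower-cased) to its values; '#' lines are comments.

    Fields may repeat (e.g. several Contact lines), so values are kept in lists.
    """
    fields: Dict[str, List[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line; skip rather than guess
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(body: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    fields = parse_security_txt(body)
    findings: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    for contact in contacts:
        # Accept a bare email (as the package emits), or a mailto/https/tel URI.
        if not (EMAIL_RE.match(contact)
                or contact.startswith(("mailto:", "https://", "tel:"))):
            findings.append(f"Contact is not an email/mailto/https/tel value: {contact}")

    # A key fetched over plain http can be swapped in transit; flag it.
    for url in fields.get("encryption", []):
        if not url.startswith("https://"):
            findings.append(f"Encryption key URL should be served over https: {url}")

    for value in fields.get("disclosure", []):
        if value.lower() not in ALLOWED_DISCLOSURE:
            findings.append(f"Disclosure is not one of full/partial/none: {value}")

    for url in fields.get("acknowledgement", []):
        if not url.startswith("https://"):
            findings.append(f"Acknowledgement URL should be served over https: {url}")

    return findings


if __name__ == "__main__":
    for finding in check_security_txt(SAMPLE) or ["no findings"]:
        print(finding)
```

Run against the page's sample, the checker reports the two `http://` URLs and nothing else; pointing it at your own deployment is a matter of feeding it the response body of `/.well-known/security.txt`.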
## Unit Tests

This package has aggressive unit tests built with the wonderful orchestral/testbench package, which is built on top of PHPUnit.

There are code coverage reports for laravel-security-txt available online.
## Credits

This is a fork of InfusionWeb/laravel-robots-route, which was a fork of ellisthedev/laravel-5-robots, which was a fork of jayhealey/Robots, which was based on earlier work.

## License

The MIT License (MIT). Please see the License File for more information.