Laravel 5.5+ security.txt Package
A package for serving security.txt in Laravel 5.5+, based on configuration settings.
The purpose of this project is to create a set-it-and-forget-it package that can be
installed without much effort to get a Laravel project compliant with the current
security.txt spec. It is therefore highly opinionated
but built for configuration.
When enabled, it allows access to all clients and serves up the security.txt.
Otherwise, it operates almost identically to Laravel's default configuration,
denying access to all clients.
security.txt is a draft
"standard" which allows websites to define security policies. This "standard"
sets clear guidelines for security researchers on how to report security issues,
and allows bug bounty programs to define a scope. Security.txt is the equivalent
of robots.txt, but for security issues.
There is documentation for laravel-security-txt online,
the source of which is in the docs/
directory. The most logical place to start are the docs for the SecurityTxt class.
Table of Contents
Installation
Step 1: Composer
Via Composer command line:
$ composer require austinheap/laravel-security-txtOr add the package to your composer.json:
{
"require": {
"austinheap/laravel-security-txt": "0.3.*"
}
}
Step 2: Remove any existing security.txt
Laravel doesn't ship with a default security.txt file. If you have added one, it needs to be removed for the configured route to work.
$ rm public/.well-known/security.txtStep 3: Enable the package (Optional)
This package implements Laravel 5.5's auto-discovery feature. After you install it the package provider and facade are added automatically.
If you would like to declare the provider and/or alias explicitly, then add the service provider to your config/app.php:
Add the service provider to your config/app.php:
'providers' => [
//
AustinHeap\Security\Txt\SecurityTxtServiceProvider::class,
];And then add the alias to your config/app.php:
'aliases' => [
//
'SecurityTxt' => AustinHeap\Security\Txt\SecurityTxtFacade::class,
];Step 4: Configure the package
Publish the package config file:
$ php artisan vendor:publish --provider="AustinHeap\Security\Txt\SecurityTxtServiceProvider"You may now allow clients via security.txt by editing the config/security-txt.php file, opening up the route to the public:
return [
'enabled' => env('SECURITY_TXT_ENABLED', true),
];Or simply setting the the SECURITY_TXT_ENABLED environment variable to true, via the Laravel .env file or hosting environment.
SECURITY_TXT_ENABLED=true
Full .env Example
After installing the package with composer, simply add the following to your .env file:
SECURITY_TXT_ENABLED=true
SECURITY_TXT_CACHE=true
SECURITY_TXT_CONTACT=security@your-site.com
SECURITY_TXT_ENCRYPTION=https://your-site.com/pgp.key
SECURITY_TXT_DISCLOSURE=full
SECURITY_TXT_ACKNOWLEDGEMENT=https://your-site.com/security-championsNow point your browser to http://your-site.com/.well-known/security.txt and you should see:
# Our security address
Contact: me@austinheap.com
# Our PGP key
Encryption: http://some.url/pgp.key
# Our disclosure policy
Disclosure: Full
# Our public acknowledgement
Acknowledgement: http://some.url/acks
#
# Generated by "laravel-security-txt" v0.4.0 (https://github.com/austinheap/laravel-security-txt/releases/tag/v0.4.0)
# using "php-security-txt" v0.4.0 (https://github.com/austinheap/php-security-txt/releases/tag/v0.4.0)
# in 0.041008 seconds on 2017-11-22 20:31:25.
#
# Cache is enabled with key "cache:AustinHeap\Security\Txt\SecurityTxt".
#
Unit Tests
This package has aggressive unit tests built with the wonderful orchestral/testbench package which is built on top of PHPUnit.
There are code coverage reports for laravel-security-txt
available online.
References
Credits
This is a fork of InfusionWeb/laravel-robots-route, which was a fork of ellisthedev/laravel-5-robots, which was a fork of jayhealey/Robots, which was based on earlier work.
License
The MIT License (MIT). Please see License File for more information.
