Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/remkohat/dynamic-security.txt
PHP based server-wide dynamically created and signed security.txt for Apache and Nginx
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/remkohat/dynamic-security.txt
- Owner: remkohat
- License: gpl-3.0
- Created: 2023-01-25T13:14:32.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-09-14T07:52:40.000Z (4 months ago)
- Last Synced: 2024-09-14T19:02:35.494Z (4 months ago)
- Topics: apache, dynamic, nginx, php, security-txt
- Language: PHP
- Homepage:
- Size: 92.8 KB
- Stars: 4
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: security.txt
README
# dynamic-security.txt
Server-wide dynamically created security.txt and optionally signed with OpenPGP key using PHP.
~~https://domain.tld/security.txt~~
https://domain.tld/.well-known/security.txt
For Apache and Nginx.
(Based on an Ubuntu 24.04 server, but should work on older versions and other distros too)
***Features:***
- All fields defined in [RFC9116](https://www.rfc-editor.org/rfc/rfc9116) can be configured,
- except **Canonical**, which is generated automatically from the visited URL,
- and **Expires**, which is generated automatically as the time of visit + 1 year
- Only configured fields are shown in the output
- The output is signed if a valid OpenPGP key is supplied
- If a website has a local security.txt file present then the script will not run, so your customers can still create their own security.txt file

## _Requirements_
- Apache (with mod_rewrite enabled) or Nginx
- PHP >= 7.4
- PHP-gnupg extension (only needed when signing with OpenPGP key)
- GnuPG >= 2.0 (only needed when signing with OpenPGP key)

## _How To Use_
### Copy
- Copy the securitytxt folder to /var/www/
(for any other location you need to adjust apache.conf or nginx.conf accordingly)
### Edit desired fields in /var/www/securitytxt/conf/[config.php](securitytxt/conf/config.php)
- Leave a field empty or comment it out when it should not be displayed
- Fields are explained here:
[https://www.rfc-editor.org/rfc/rfc9116#name-field-definitions](https://www.rfc-editor.org/rfc/rfc9116#name-field-definitions)

### When signing with OpenPGP key
- Create the folder /var/www/.gnupg
```mkdir /var/www/.gnupg```
- Make the webserver user the owner of the folder
```chown www-data:www-data /var/www/.gnupg```
- The first time the script runs it needs not only the public key but also the private key.
Uncomment lines 7 and 9 in /var/www/securitytxt/sign/[sign.php](securitytxt/sign/sign.php) and line 55 in /var/www/securitytxt/conf/[config.php](securitytxt/conf/config.php).
After the first successful run these lines can be commented out again or deleted in both files.
- The private key then lives in a keyring readable by the webserver user (and therefore by any PHP code running as that user), so use a dedicated signing key or subkey rather than your main contact key.

### Enable webserver configuration
#### _Apache_
- Copy /var/www/securitytxt/conf/[apache.conf](securitytxt/conf/apache.conf) to /etc/apache2/conf-available/securitytxt.conf
```cp /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf```
Or create a symlink in /etc/apache2/conf-available
```ln -s /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf```
- Check the PHP handler and change it if necessary
- Enable securitytxt.conf in Apache
```a2enconf securitytxt```
- Reload Apache
```systemctl reload apache2```
#### _Nginx_
- Copy /var/www/securitytxt/conf/[nginx.conf](securitytxt/conf/nginx.conf) to /etc/nginx/snippets/securitytxt.conf
```cp /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf```
Or create a symlink in /etc/nginx/snippets
```ln -s /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf```
- Check the PHP handler and change it if necessary
- Reload Nginx
```systemctl reload nginx```
### Server-wide
- Add the lines below to every website's vhost configuration.
- If you use a management system like ISPConfig, Plesk etc., then add them to the vhost config that is used when adding or altering a website, and resync all websites afterwards.
#### _Apache_
```RewriteEngine on```
```RewriteOptions Inherit```
#### _Nginx_
```include /etc/nginx/snippets/securitytxt.conf;```
## _Example output_
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Canonical URL
Canonical: https://domain.tld/.well-known/security.txt

# Our security address
Contact: https://domain.tld/report-vulnerability
Contact: mailto:[email protected]

# Our security policy
Policy: https://domain.tld/policy

# Hall of fame
Acknowledgments: https://domain.tld/hall-of-fame

# Jobs for you
Hiring: https://domain.tld/jobs

# These are the languages we speak
Preferred-Languages: en

# Our OpenPGP key
Encryption: https://domain.tld/public.key
Encryption: openpgp4fpr:BAB0EC5B0A8A52D5F4C9D0E8D5DC1526068283E3

# You shouldn't trust this file, once it has expired (like bad milk)
Expires: 2025-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----
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
=Dhpc
-----END PGP SIGNATURE-----
```
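The following is an added example, not code from the dynamic-security.txt project (which is PHP). It models in Python the behaviour the feature list above describes (Canonical derived from the visited URL, Expires set to the visit time + 1 year, unset fields omitted) and then applies to the served file, including the clearsigned form shown in the example output, the RFC 9116 checks a reporter's tooling would run: a Contact field is present, exactly one parseable Expires that is neither past nor a year or more ahead, at most one Preferred-Languages, the fetched URL matches a Canonical field, and no plain http:// web URIs. The config dictionary, URLs, dates and the placeholder signature body are constructed sample data.

```python
"""Model of a dynamically built security.txt plus an RFC 9116 validator (added example)."""
from datetime import datetime, timedelta, timezone

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample config, mirroring the field names of the README's example output.
SAMPLE_CONFIG = {
    "Contact": ["https://domain.tld/report-vulnerability", "mailto:security@domain.tld"],
    "Policy": ["https://domain.tld/policy"],
    "Acknowledgments": [],            # left unset: must not appear in the output
    "Preferred-Languages": ["en"],
    "Encryption": ["https://domain.tld/public.key"],
}

# Constructed clearsigned sample; the signature body is a placeholder, not a real signature.
SIGNED_SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Canonical URL
Canonical: https://domain.tld/.well-known/security.txt
Contact: mailto:security@domain.tld
Expires: 2025-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----

placeholder-signature-body
-----END PGP SIGNATURE-----
"""


def build_security_txt(config, canonical_url, now, validity=timedelta(days=365)):
    """Render a security.txt: empty fields are skipped, Canonical and Expires are derived."""
    lines = [f"Canonical: {canonical_url}"]
    for field, values in config.items():
        lines.extend(f"{field}: {value}" for value in values if value)
    lines.append("Expires: " + (now + validity).strftime(ISO_Z))
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return [(field, value)] in file order, skipping comments and the OpenPGP
    cleartext-signature framing (armor headers, dash-escaping, trailing signature)."""
    fields, in_armor_header = [], False
    for line in text.splitlines():
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True          # "Hash: ..." lines follow until a blank line
            continue
        if in_armor_header:
            in_armor_header = line != ""
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                           # the signed text ends here
        if line.startswith("- "):
            line = line[2:]                 # undo clearsign dash-escaping
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:                             # field names are case-insensitive
            fields.append((name.strip().lower(), value.strip()))
    return fields


def validate(text, fetched_url, now):
    """Apply the RFC 9116 rules; returns a list of 'error: ...' / 'warn: ...' findings."""
    fields = parse_security_txt(text)
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)
    findings = []

    if not by_name.get("contact"):
        findings.append("error: at least one Contact field is required")

    expires = by_name.get("expires", [])
    if len(expires) != 1:
        findings.append("error: exactly one Expires field is required")
    else:
        raw = expires[0]
        try:
            exp = datetime.fromisoformat(raw[:-1] + "+00:00" if raw.endswith(("Z", "z")) else raw)
            if exp.tzinfo is None:
                raise ValueError("missing UTC offset")
        except ValueError:
            findings.append(f"error: Expires is not an RFC 3339 timestamp: {raw}")
        else:
            if exp <= now:
                findings.append("error: the file has expired and must not be trusted")
            elif exp - now >= timedelta(days=365):
                findings.append("warn: Expires is a year or more ahead; RFC 9116 recommends less than a year")

    if len(by_name.get("preferred-languages", [])) > 1:
        findings.append("error: Preferred-Languages must appear at most once")

    canonical = by_name.get("canonical", [])
    if canonical and fetched_url not in canonical:
        findings.append(f"error: fetched URL {fetched_url} matches no Canonical field")

    for name, value in fields:
        if value.lower().startswith("http://"):
            findings.append(f"error: {name} must use https://, got {value}")
    return findings
```

Run against a file built with the README's "time of visit + 1 year" rule, the validator emits a warning: RFC 9116 recommends an Expires value less than a year into the future, so a shorter validity (a few months, with the file regenerated on every visit anyway) is the safer setting. The validator only checks the text; whether the clearsign actually verifies still has to be established with gpg --verify against the key published in the Encryption field.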