Skip to content
/ securitytxt-worker Public
forked from cloudflare/securitytxt-worker

The worker that serves Cloudflare's security.txt!

License

MIT license
2 stars 17 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

theel0ja/securitytxt-worker

BranchesTags
 
 

Repository files navigation

security.txt as a service -- Built on Cloudflare Workers

This is the worker that serves security.txt on cloudflare.com

Background

From https://securitytxt.org,

When security risks in web services are discovered by independent security researchers who
understand the severity of the risk, they often lack the channels to disclose them properly.
As a result, security issues may be left unreported. security.txt defines a standard to help
organizations define the process for security researchers to disclose security vulnerabilities
securely.

Many reporters have difficulty finding our disclosure page (https://www.cloudflare.com/disclosure) and often submit tickets to our support staff who then inform them about our HackerOne program. The security.txt standard was submitted to the IETF to address this problem: https://tools.ietf.org/html/draft-foudil-securitytxt-08

We wanted to open source this code to allow anyone to easily deploy security.txt onto their Cloudflare zone.

Steps for deployment

Deploying should take about 5 minutes or less.

The Expires field introduced in Draft-9 is appended to the template automatically at a default value of 1 year after deployment.

Dependencies

Debian based systems

sudo apt-get install build-essential gnupg -y

macOS

Please have homebrew installed.

brew install gnupg

⚠️ Additionally, this project requires wrangler to be installed for builds/deploys. In turn, this means that you'll need Node installed.

Publishing on your zone

1. Setup wrangler

You will need to configure wrangler.toml:

mv wrangler.toml.template wrangler.toml

and fill in the following values (account_id and zone_id are found on your Cloudflare zone dashboard):

  • account_id
  • zone_id
  • routes

2. Setup GPG

You will need to have a pre-existing GPG key in your keyring that's additionally uploaded to some public key server (tutorial here: https://wiki.debian.org/Keysigning).

  1. Export the public key and replace the one in this repo:
mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt
gpg --export --armor [email protected] > src/txt/my-pub-key.txt
  1. Then, update the path within the workers script to the new name of the public key file:
import pubKey from './txt/my-pub-key.txt'

// and later ...

} else if (url.includes('/gpg/my-pub-key.txt')) {
  1. Finally, update the email within the Makefile:
sign: clean
	gpg --local-user [email protected] -o src/txt/security.txt --clearsign src/txt/security.txt.template

3. Deploy

With that, you're ready to go!

make deploy

About

The worker that serves Cloudflare's security.txt!

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 76.1%
  • Makefile 23.9%