This is the worker that serves security.txt on cloudflare.com
From https://securitytxt.org:
"When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely."
Many reporters have difficulty finding our disclosure page (https://www.cloudflare.com/disclosure) and often submit tickets to our support staff who then inform them about our HackerOne program. The security.txt standard was submitted to the IETF to address this problem: https://tools.ietf.org/html/draft-foudil-securitytxt-08
We wanted to open source this code to allow anyone to easily deploy security.txt onto their Cloudflare zone.
Deploying should take about 5 minutes or less.
The Expires field introduced in Draft-9 is appended to the template automatically, with a default value of 1 year after deployment.
Debian-based systems:
sudo apt-get install build-essential gnupg -y

macOS (please have Homebrew installed):
brew install gnupg
You will need to configure wrangler.toml:
mv wrangler.toml.template wrangler.toml
and fill in the following values (account_id and zone_id are found on your Cloudflare zone dashboard):
- account_id
- zone_id
- routes
You will need to obtain a scoped API token to publish the worker. You can create one at https://dash.cloudflare.com/profile/api-tokens by choosing the "Edit Cloudflare Workers" template. The obtained token is referred to below as ${TOKEN}.
You will need to have a pre-existing GPG key in your keyring that's additionally uploaded to some public key server (tutorial here: https://wiki.debian.org/Keysigning).
- Export the public key and replace the one in this repo:
mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt
gpg --export --armor [email protected] > src/txt/my-pub-key.txt
- Then, update the path within the workers script to the new name of the public key file:
import pubKey from './txt/my-pub-key.txt'
// and later ...
} else if (url.includes('/gpg/my-pub-key.txt')) {
- Finally, update the email within the Makefile (the recipe line must be indented with a tab, as make requires):
sign: clean
	gpg --local-user [email protected] -o src/txt/security.txt --clearsign src/txt/security.txt.template
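As an added example that is not the repository's own code, here are the two pieces this README describes in working form: stamping the Draft-9 Expires field onto the template before it is clearsigned, and the worker's routing between the signed security.txt and the exported public key. The template text, key block and paths other than those named above are constructed placeholders.

```javascript
// Constructed stand-ins for src/txt/security.txt.template and the exported public key.
const SECURITY_TXT_TEMPLATE = [
  'Contact: https://example.com/disclosure',
  'Encryption: https://example.com/gpg/my-pub-key.txt',
].join('\n');
const PUB_KEY = '-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n-----END PGP PUBLIC KEY BLOCK-----\n';

// Draft-9 Expires is an RFC 3339 timestamp; the default here is one year after the build date.
// Day overflow (e.g. Feb 29) is normalized by the Date object, so the result is always valid.
function expiresOneYearAfter(deployedAt) {
  const d = new Date(deployedAt.getTime());
  d.setUTCFullYear(d.getUTCFullYear() + 1);
  return d.toISOString();
}

// Run at build time, before `gpg --clearsign`, so the signature covers the Expires line too.
function appendExpires(template, deployedAt) {
  const body = template.endsWith('\n') ? template : template + '\n';
  return `${body}Expires: ${expiresOneYearAfter(deployedAt)}\n`;
}

// Routing decision returned as plain data so it can be unit-tested without a Workers runtime.
// /.well-known/security.txt is the canonical location; /security.txt is the legacy fallback.
function route(url, signedTxt, pubKey) {
  const { pathname } = new URL(url);
  const text = 'text/plain; charset=utf-8';
  if (pathname === '/.well-known/security.txt' || pathname === '/security.txt') {
    return { status: 200, body: signedTxt, contentType: text };
  }
  if (pathname === '/gpg/my-pub-key.txt') {
    return { status: 200, body: pubKey, contentType: text };
  }
  return { status: 404, body: 'Not found\n', contentType: text };
}

// In the real build this would be the clearsigned output of `make sign`; here it is unsigned.
const SIGNED_TXT = appendExpires(SECURITY_TXT_TEMPLATE, new Date());

// Service-worker-style entry point; the guard lets this file also load under plain Node.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => {
    const r = route(event.request.url, SIGNED_TXT, PUB_KEY);
    event.respondWith(new Response(r.body, {
      status: r.status,
      headers: { 'Content-Type': r.contentType },
    }));
  });
}
```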
To deploy with the token, choose one of the following options:
a. Execute: wrangler config
   Enter the token when prompted: ${TOKEN}
   Then run: make deploy
b. Run: CF_API_TOKEN=${TOKEN} make deploy