Server-wide, dynamically created security.txt, optionally signed with an OpenPGP key, using PHP.
https://domain.tld/security.txt
https://domain.tld/.well-known/security.txt
For Apache and Nginx.
(Based on an Ubuntu 24.04 server, but should work on older versions and other distros too)
Features:
- All fields defined in RFC 9116 can be configured, except:
  - Canonical, which is generated automatically from the visited URL
  - Expires, which is generated automatically as the time of the visit + 1 year
- Only configured fields are shown in the output
- The output is signed if a valid OpenPGP key is supplied
- If a website has its own local security.txt file, the script does not run, so your customers can still create their own security.txt file
Requirements:
- Apache (with mod_rewrite enabled) or Nginx
- PHP >= 7.4
- PHP gnupg extension (only needed when signing with an OpenPGP key)
- GnuPG >= 2.0 (only needed when signing with an OpenPGP key)
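The generation rules listed under Features (Canonical from the visited URL, Expires as visit time + 1 year, only non-empty fields emitted, Contact required) shown as a small Python reference, added here as an illustration. It is not the project's PHP code, and the configuration values, field comments and the `build_security_txt` / `one_year_after` names are all assumptions made for this example; signing is left to the PHP script and gpg.

```python
"""Added example in Python, not the project's PHP code: builds a security.txt the
way the features above describe. Canonical comes from the visited URL, Expires is
the visit time plus one year, and only non-empty configured fields are emitted.
Signing is the PHP script's job (via gpg) and is not done here."""
from datetime import datetime, timezone

# Constructed sample configuration: leave a value empty to keep the field out of the output
CONFIG = {
    "Contact": ["https://domain.tld/report-vulnerability", "mailto:security@domain.tld"],
    "Policy": "https://domain.tld/policy",
    "Acknowledgments": "",            # empty: omitted from the output
    "Hiring": "https://domain.tld/jobs",
    "Preferred-Languages": "en",
    "Encryption": ["https://domain.tld/public.key",
                   "openpgp4fpr:BAB0EC5B0A8A52D5F4C9D0E8D5DC1526068283E3"],
    "CSAF": "",                       # empty: omitted from the output
}

# Configurable RFC 9116 fields, with the comment printed above each one (order as in the sample output)
FIELDS = [
    ("Contact", "Our security address"),
    ("Policy", "Our security policy"),
    ("Acknowledgments", "Hall of fame"),
    ("Hiring", "Jobs for you"),
    ("Preferred-Languages", "These are the languages we speak"),
    ("Encryption", "Our OpenPGP key"),
    ("CSAF", "Our CSAF provider metadata"),
]

# Constructed visit times used by the usage call below
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LEAP_DAY = datetime(2024, 2, 29, tzinfo=timezone.utc)


def _as_list(value):
    """Accept a single string or a list of strings; drop empty entries."""
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    return [v.strip() for v in value if v and v.strip()]


def one_year_after(now):
    """Same calendar date next year; 29 February falls back to 28 February."""
    try:
        return now.replace(year=now.year + 1)
    except ValueError:
        return now.replace(year=now.year + 1, day=28)


def build_security_txt(config, host, path, now=None, scheme="https"):
    """Render the file for a request to scheme://host/path made at `now` (aware datetime)."""
    if now is None:
        now = datetime.now(timezone.utc)
    now = now.astimezone(timezone.utc)
    if not _as_list(config.get("Contact")):
        raise ValueError("RFC 9116 requires at least one Contact field")
    # Canonical reflects the URL that was actually requested
    lines = ["# Canonical URL", f"Canonical: {scheme}://{host}{path}"]
    for field, comment in FIELDS:
        values = _as_list(config.get(field))
        if not values:
            continue  # not configured: neither the comment nor the field is printed
        lines.append(f"# {comment}")
        lines.extend(f"{field}: {v}" for v in values)
    lines.append("# You shouldn't trust this file once it has expired (like bad milk)")
    lines.append("Expires: " + one_year_after(now).strftime("%Y-%m-%dT%H:%M:%SZ"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_security_txt(CONFIG, "domain.tld", "/.well-known/security.txt", SAMPLE_NOW))
```

For the sample configuration this prints Canonical, two Contact lines, Policy, Hiring, Preferred-Languages, both Encryption lines and `Expires: 2025-01-01T00:00:00Z`; Acknowledgments and CSAF are absent because they were left empty.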
-
Copy securitytxt folder to /var/www/
(for any other location you need to alter apache.conf or nginx.conf)
Edit desired fields in /var/www/securitytxt/conf/config.php
-
Leave a field empty or comment it out when it shouldn't be displayed
-
Fields are explained here:
https://www.rfc-editor.org/rfc/rfc9116#name-field-definitions
-
Create folder /var/www/.gnupg
mkdir /var/www/.gnupg
-
Set the folder owner to the webserver user
chown www-data:www-data /var/www/.gnupg
-
The first time the script runs, you need not only the public key but also the private key.
Uncomment lines 7 and 9 in /var/www/securitytxt/sign/sign.php and line 55 in /var/www/securitytxt/conf/config.php.
After the first successful run these lines can be commented out again or deleted in both files.
-
Apache:
Copy /var/www/securitytxt/conf/apache.conf to /etc/apache2/conf-available/securitytxt.conf
cp /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf
Or create a symlink in /etc/apache2/conf-available
ln -s /var/www/securitytxt/conf/apache.conf /etc/apache2/conf-available/securitytxt.conf
-
Check the PHP handler in securitytxt.conf and change it if necessary
-
Enable securitytxt.conf in Apache
a2enconf securitytxt
-
Reload Apache
systemctl reload apache2
-
Nginx:
Copy /var/www/securitytxt/conf/nginx.conf to /etc/nginx/snippets/securitytxt.conf
cp /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf
Or create a symlink in /etc/nginx/snippets
ln -s /var/www/securitytxt/conf/nginx.conf /etc/nginx/snippets/securitytxt.conf
-
Check the PHP handler in securitytxt.conf and change it if necessary
-
Reload Nginx
systemctl reload nginx
-
Add the lines below to every website's vhost configuration.
-
If you use a management system like ISPConfig, Plesk etc., then add the lines below to the vhost configuration that is used when adding or altering a website, and resync all websites afterwards.
Apache vhost:
RewriteEngine on
RewriteOptions Inherit
Nginx vhost:
include /etc/nginx/snippets/securitytxt.conf;
Example output (signed with an OpenPGP key):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
# Canonical URL
Canonical: https://domain.tld/.well-known/security.txt
# Our security address
Contact: https://domain.tld/report-vulnerability
Contact: mailto:security@domain.tld
# Our security policy
Policy: https://domain.tld/policy
# Hall of fame
Acknowledgments: https://domain.tld/hall-of-fame
# Jobs for you
Hiring: https://domain.tld/jobs
# These are the languages we speak
Preferred-Languages: en
# Our OpenPGP key
Encryption: https://domain.tld/public.key
Encryption: openpgp4fpr:BAB0EC5B0A8A52D5F4C9D0E8D5DC1526068283E3
# You shouldn't trust this file, once it has expired (like bad milk)
Expires: 2025-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----
[signature body not reproduced here]
=Dhpc
-----END PGP SIGNATURE-----
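A deployer's check for a served file in the shape of the output above, added here as an example; it is not part of the README or the project. It strips the clearsign armor, parses the fields and reports the RFC 9116 problems most likely to surface after deployment (missing Contact, expired or malformed Expires, Canonical not matching the fetched URL, non-https web contact, malformed openpgp4fpr fingerprint). The embedded sample is constructed from the output above with a placeholder signature body; verifying the signature itself is left to `gpg --verify`, and the `check_security_txt` name and helpers are assumptions of this example.

```python
"""Added example, not part of the README or the project: sanity checks for a
deployed security.txt. Signature verification is left to gpg --verify."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape the script serves; the signature body is a placeholder, not a real signature
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Canonical URL
Canonical: https://domain.tld/.well-known/security.txt
# Our security address
Contact: https://domain.tld/report-vulnerability
Contact: mailto:security@domain.tld
# Our security policy
Policy: https://domain.tld/policy
Preferred-Languages: en
Encryption: openpgp4fpr:BAB0EC5B0A8A52D5F4C9D0E8D5DC1526068283E3
# You shouldn't trust this file once it has expired (like bad milk)
Expires: 2025-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-SIGNATURE-BODY
=Dhpc
-----END PGP SIGNATURE-----
"""

# Constructed check times: one before and one after the sample's Expires
CHECK_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER_TIME = datetime(2025, 2, 1, tzinfo=timezone.utc)


def unwrap_clearsign(text):
    """Return the signed body of an OpenPGP clearsigned message (text unchanged if not clearsigned).
    Armor headers such as 'Hash:' up to the first blank line are skipped and
    dash-escaped lines ('- ' prefix) are restored."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def parse_fields(body):
    """Map lower-cased field name -> list of values; comments and blank lines are ignored."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, fetched_url, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    if now is None:
        now = datetime.now(timezone.utc)
    problems = []
    fields = parse_fields(unwrap_clearsign(text))
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for value in contacts:
        if value.startswith("http://"):
            problems.append(f"web Contact must use https://: {value}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.strptime(expires[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append(f"file expired at {expires[0]}")
            elif exp > now + timedelta(days=366):
                problems.append("Expires is more than a year ahead (RFC 9116 recommends less)")
        except ValueError:
            problems.append(f"Expires is not a UTC RFC 3339 timestamp: {expires[0]}")
    canonical = fields.get("canonical", [])
    if canonical and fetched_url not in canonical:
        problems.append(f"fetched URL {fetched_url} is not listed in Canonical")
    for value in fields.get("encryption", []):
        if value.startswith("openpgp4fpr:"):
            fpr = value[len("openpgp4fpr:"):]
            if len(fpr) != 40 or any(c not in "0123456789abcdefABCDEF" for c in fpr):
                problems.append(f"openpgp4fpr fingerprint is not 40 hex digits: {value}")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


if __name__ == "__main__":
    for url in ("https://domain.tld/.well-known/security.txt", "https://domain.tld/security.txt"):
        print(url, check_security_txt(SAMPLE, url, CHECK_TIME) or "ok")
```

In practice you would feed the function the body fetched from both URLs the script serves and pass the URL you fetched, since the script generates Canonical from the visited URL and a mismatch points at a rewrite or proxy issue.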