This repository has been archived by the owner on Feb 6, 2024. It is now read-only.

SEC-2787: Complete open sourcing MVP
- README fully written
- Flow of getting setup is finished
dhaynespls committed Feb 21, 2020
1 parent 68d59c3 commit c82e11a
Showing 7 changed files with 85 additions and 48 deletions.
3 changes: 2 additions & 1 deletion .gitignore
@@ -1,4 +1,5 @@
wrangler.toml
dist
node_modules
worker
worker
src/txt/security.txt
6 changes: 3 additions & 3 deletions Makefile
@@ -5,10 +5,10 @@ clean:
rm -f src/txt/security.txt
rm -rf ./worker/ ./dist/

sign:
gpg --local-user 0E7BEF12E59AAB25416AF4A3222FDE8206A67236 -o src/txt/security.txt --clearsign src/txt/security.txt.template
sign: clean
gpg --local-user 06A67236 -o src/txt/security.txt --clearsign src/txt/security.txt.template

deploy: clean sign
deploy: sign
wrangler publish

.PHONY: clean deploy sign
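Review bot: the `--local-user` value drops from the full 40-hex fingerprint `0E7BEF12E59AAB25416AF4A3222FDE8206A67236` to the 8-hex short ID `06A67236`. Short key IDs are not unique and collisions are cheap to generate, so if the keyring ever holds a second key ending in those digits gpg will either refuse to sign or sign with the wrong key; keep the full fingerprint (or at least the 16-hex long ID) in the `sign` target. Making `sign` depend on `clean` is a sensible change, since removing `src/txt/security.txt` first avoids gpg's interactive "File exists. Overwrite?" prompt on the `-o` target; for non-interactive builds consider adding `--batch --yes` as well.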
83 changes: 72 additions & 11 deletions README.md
@@ -1,20 +1,81 @@
# security.txt as a service -- Built on Cloudflare workers

- In order to save cost, we will deploying this one worker on two routes.
This is the worker that serves [security.txt](https://securitytxt.org) on [cloudflare.com](https://cloudflare.com)

## Background

From https://securitytxt.org,

```
/.well-known/security.txt
/gpg/my-public-key.txt
When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.
```

Flow:
Many reporters have difficulty finding our disclosure page (https://www.cloudflare.com/disclosure) and often submit tickets to our support staff who then inform them about our HackerOne program. The security.txt standard was submitted to the IETF to address this problem: https://tools.ietf.org/html/draft-foudil-securitytxt-08

- Get a security.txt
- Get a PGP keypair
- Generate one?
- Put the pubkey in a place
- Tell us where that place is
- Sign the security.txt
- Deploy
We wanted to open source this code to allow anyone to easily deploy security.txt onto their Cloudflare zone.

## Steps for deployment

Deploying should take about 5 minutes or less.

### Dependencies

**Debian based systems**

```sh
sudo apt-get install build-essential gnupg -y
```

**macOS**

Please have [homebrew](https://brew.sh/) installed.

```sh
brew install gnupg
```

⚠️ Additionally, this project requires [wrangler](https://github.com/cloudflare/wrangler) to be installed for builds/deploys.

### Publishing on your zone

#### 1. Setup wrangler

You will need to configure wrangler.toml:

```sh
mv wrangler.toml.template wrangler.toml
```

and fill in the following values (account_id and zone_id are found on your Cloudflare zone dashboard):

- account_id
- zone_id
- routes

#### 2. Setup GPG

You will need to have a pre-existing GPG key in your keyring that's additionally uploaded to some public key server (tutorial here: [https://wiki.debian.org/Keysigning]()).

Export the public key and replace the one in this repo:

```sh
mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt && gpg --export --armor your@email.com > src/txt/my-pub-key.txt
```

Then, update the path within the workers script to the new name of the public key file:

```js
import pubKey from './txt/my-pub-key.txt'

// and later ...

} else if (url.includes('/gpg/my-pub-key.txt')) {
```
#### 3. Deploy
With that, you're ready to go!
```sh
make deploy
```
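Review bot: the "Steps for deployment" never tell the user to edit `src/txt/security.txt.template` or the `--local-user` key ID in the Makefile, so someone following steps 1-3 on their own zone either fails at `make sign` (key `06A67236` is not in their keyring) or, worse, publishes Cloudflare's `Contact:` and `Encryption:` lines under their own domain. Add a step for both before "3. Deploy". Smaller points in the same hunk: the link `[https://wiki.debian.org/Keysigning]()` has an empty target and renders as broken; the `mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt && gpg --export --armor ... > src/txt/my-pub-key.txt` is a delete in disguise, since the redirect overwrites the file just moved, so `git rm` followed by the export is clearer; and the filename checked by `url.includes('/gpg/my-pub-key.txt')` must agree with the `Encryption:` URL in the template (`security-at-cloudflare-pubkey-06A67236.txt`) and the route in `wrangler.toml.template` (`your-public-key.txt`), which currently use three different names.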
30 changes: 0 additions & 30 deletions src/txt/security.txt

This file was deleted.

7 changes: 6 additions & 1 deletion src/txt/security.txt.template
@@ -1,7 +1,12 @@
Contact: https://hackerone.com/cloudflare
# If you'd like to encrypt, please do so within the the body of the message.

# If you'd like to encrypt your message, please do so within the the body of the message.
# Our email system doesn't handle PGP-MIME well.
Contact: mailto:security@cloudflare.com

# All abuse reports should be submitted to our Trust & Safety team through our dedicated page.
Contact: https://www.cloudflare.com/abuse/

Preferred-Languages: en

Encryption: https://www.cloudflare.com/pgp/security-at-cloudflare-pubkey-06A67236.txt
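Review bot: the reworded comment still carries the doubled word in `within the the body of the message`; fix it while the line is being touched. The `Encryption:` line points at `/pgp/security-at-cloudflare-pubkey-06A67236.txt`, while the route this commit adds to `wrangler.toml.template` is `/gpg/your-public-key.txt` and the README's worker snippet checks `/gpg/my-pub-key.txt`; the draft expects the key URL to be fetchable, so either the README should say the `/pgp/` path is served by something other than this worker, or the three locations should use one path. Since the file is clearsigned, every template edit requires a re-run of `make sign`, which the `deploy` target already does.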
2 changes: 1 addition & 1 deletion webpack.config.js
@@ -4,7 +4,7 @@ module.exports = {
entry: './src/index.js',
output: {
path: path.resolve(__dirname, 'dist'),
filename: 'index.js',
filename: 'worker.js',
},
module: {
rules: [
2 changes: 1 addition & 1 deletion wrangler.toml.template
@@ -3,4 +3,4 @@ type = "webpack"
account_id = ""
zone_id = ""
workers_dev = false
route = "https://example.com/*"
routes = ["cloudflare.com/.well-known/security.txt", "cloudflare.com/gpg/your-public-key.txt"]
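Review bot: the template now hard-codes `cloudflare.com` in `routes` where the previous `route` used the neutral `example.com`. README step 1 does tell users to fill in `routes`, but a placeholder domain makes it obvious the value must change and avoids a `wrangler publish` against routes that the supplied `zone_id` does not own. The second route's filename `your-public-key.txt` also has to match whatever the worker tests with `url.includes(...)` and the template's `Encryption:` URL; otherwise `/.well-known/security.txt` works while the key it advertises returns a 404.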
