This repository has been archived by the owner on Feb 6, 2024. It is now read-only.
SEC-2787: Complete open sourcing MVP
- README fully written - Flow of getting set up is finished
1 parent 68d59c3, commit c82e11a
Showing 7 changed files with 85 additions and 48 deletions.
@@ -1,4 +1,5 @@ | ||
wrangler.toml | ||
dist | ||
node_modules | ||
worker | ||
worker | ||
src/txt/security.txt |
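Review bot: ignoring src/txt/security.txt means a fresh clone has no security.txt for the worker to serve, and nothing in this commit says how to produce one: the README hunk below drops the draft step "Sign the security.txt" and its step 2 only exports the public key. Either keep a tracked template policy file and ignore only the signed output, or add a README step that writes and clearsigns the file before `make deploy`. Also, `worker` appears twice in the visible lines; if that duplicate entry is really in the file, drop one of them.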
@@ -1,20 +1,81 @@ | ||
# security.txt as a service -- Built on Cloudflare workers | ||
|
||
- In order to save cost, we will deploying this one worker on two routes. | ||
This is the worker that serves [security.txt](https://securitytxt.org) on [cloudflare.com](https://cloudflare.com) | ||
|
||
## Background | ||
|
||
From https://securitytxt.org, | ||
|
||
``` | ||
/.well-known/security.txt | ||
/gpg/my-public-key.txt | ||
When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely. | ||
``` | ||
|
||
Flow: | ||
Many reporters have difficulty finding our disclosure page (https://www.cloudflare.com/disclosure) and often submit tickets to our support staff who then inform them about our HackerOne program. The security.txt standard was submitted to the IETF to address this problem: https://tools.ietf.org/html/draft-foudil-securitytxt-08 | ||
|
||
- Get a security.txt | ||
- Get a PGP keypair | ||
- Generate one? | ||
- Put the pubkey in a place | ||
- Tell us where that place is | ||
- Sign the security.txt | ||
- Deploy | ||
We wanted to open source this code to allow anyone to easily deploy security.txt onto their Cloudflare zone. | ||
|
||
## Steps for deployment | ||
|
||
Deploying should take about 5 minutes or less. | ||
|
||
### Dependencies | ||
|
||
**Debian based systems** | ||
|
||
```sh | ||
sudo apt-get install build-essential gnupg -y | ||
``` | ||
|
||
**macOS** | ||
|
||
Please have [homebrew](https://brew.sh/) installed. | ||
|
||
```sh | ||
brew install gnupg | ||
``` | ||
|
||
⚠️ Additionally, this project requires [wrangler](https://github.com/cloudflare/wrangler) to be installed for builds/deploys. | ||
|
||
### Publishing on your zone | ||
|
||
#### 1. Setup wrangler | ||
|
||
You will need to configure wrangler.toml: | ||
|
||
```sh | ||
mv wrangler.toml.template wrangler.toml | ||
``` | ||
|
||
and fill in the following values (account_id and zone_id are found on your Cloudflare zone dashboard): | ||
|
||
- account_id | ||
- zone_id | ||
- routes | ||
|
||
#### 2. Setup GPG | ||
|
||
You will need to have a pre-existing GPG key in your keyring that's additionally uploaded to some public key server (tutorial here: [https://wiki.debian.org/Keysigning]()). | ||
|
||
Export the public key and replace the one in this repo: | ||
|
||
```sh | ||
mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt && gpg --export --armor your@email.com > src/txt/my-pub-key.txt | ||
``` | ||
|
||
Then, update the path within the workers script to the new name of the public key file: | ||
|
||
```js | ||
import pubKey from './txt/my-pub-key.txt' | ||
|
||
// and later ... | ||
|
||
} else if (url.includes('/gpg/my-pub-key.txt')) { | ||
``` | ||
#### 3. Deploy | ||
With that, you're ready to go! | ||
```sh | ||
make deploy | ||
``` |
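Review bot: step 2 never says where security.txt comes from or how it gets signed, and the `mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt && gpg --export --armor your@email.com > src/txt/my-pub-key.txt` command makes the `mv` pointless, since the redirect immediately overwrites the renamed file; `git rm` the old key and redirect into the new name (or `git mv` if you want history). The removed draft flow listed "Sign the security.txt", and the .gitignore hunk above now ignores src/txt/security.txt, so a reader who follows these steps ends up with a public key and no signed policy; add a step that clearsigns the policy file (for example `gpg --clearsign`) and says where the worker reads it from. Since the line about deploying one worker on two routes was removed, also state that `routes` must cover both /.well-known/security.txt and the /gpg/ path. Smaller points in the same hunk: `[https://wiki.debian.org/Keysigning]()` has an empty link target and will not render as a link; `url.includes('/gpg/my-pub-key.txt')` matches that string anywhere in the URL, query string included, so compare the parsed pathname instead; and "Setup wrangler" / "Setup GPG" should read "Set up" when used as a verb.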
This file was deleted.