security.txt as a service -- Built on Cloudflare Workers

This is the worker that serves security.txt on cloudflare.com

Background

From https://securitytxt.org,

When security risks in web services are discovered by independent security researchers who
understand the severity of the risk, they often lack the channels to disclose them properly.
As a result, security issues may be left unreported. security.txt defines a standard to help
organizations define the process for security researchers to disclose security vulnerabilities
securely.

Many reporters have difficulty finding our disclosure page (https://www.cloudflare.com/disclosure) and often submit tickets to our support staff who then inform them about our HackerOne program. The security.txt standard was submitted to the IETF to address this problem: https://tools.ietf.org/html/draft-foudil-securitytxt-08

We wanted to open source this code to allow anyone to easily deploy security.txt onto their Cloudflare zone.

Steps for deployment

Deploying should take about 5 minutes or less.

The Expires field introduced in Draft-9 is appended to the template automatically at a default value of 1 year after deployment.

Dependencies

Debian based systems

sudo apt-get install build-essential gnupg -y

macOS

Please have homebrew installed.

brew install gnupg

⚠️ Additionally, this project requires wrangler to be installed for builds/deploys. In turn, this means that you'll need Node installed.

Publishing on your zone

1. Setup wrangler

You will need to configure wrangler.toml:

mv wrangler.toml.template wrangler.toml

and fill in the following values (account_id and zone_id are found on your Cloudflare zone dashboard):

• account_id
• zone_id
• routes

You will need to obtain a scoped API token to publish the worker.
You can do this at (https://dash.cloudflare.com/profile/api-tokens), and choose the "Edit Cloudflare Workers" template. We will later call the obtained token: ${TOKEN}.

2. Setup GPG

You will need to have a pre-existing GPG key in your keyring that's additionally uploaded to some public key server (tutorial here: https://wiki.debian.org/Keysigning).

1. Export the public key and replace the one in this repo:

mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt
gpg --export --armor your@email.com > src/txt/my-pub-key.txt

2. Then, update the path within the workers script to the new name of the public key file:

import pubKey from './txt/my-pub-key.txt'

// and later ...

} else if (url.includes('/gpg/my-pub-key.txt')) {

3. Finally, update the email within the Makefile:

sign: clean
	gpg --local-user your@email.com -o src/txt/security.txt --clearsign src/txt/security.txt.template

3. Deploy

To deploy with the token, you can choose one of the following options:

a. Execute: wrangler config. Enter token: ${TOKEN}. Run: make deploy

b. Run: CF_API_TOKEN=${token} make deploy