iRule to serve security.txt file - RFC 9116

One week ago, on 27. April 2022, the IETF has published RFC 9116 describing the security.txt file. The purpose of this file is to aid in responsible disclosure, a process that allows security resea...
Updated Jan 14, 2023
Version 2.0
application delivery
security
ElDuderino's avatar
ElDuderino
Icon for Nimbostratus rankNimbostratus
May 07, 2022

No idea about the details of iRulesLX. But it seems way to much overhead to call something external just to serve some text.

Signing the file with the "clearsign" option as recommended is nothing more then a plain text readable file in this case, plus the signature and PGP headers.

All you do is the following. The --default-key option is only needed, in case you have multiple keys.

gpg --clearsign --default-key security@example.com security.txt

 This will generate a security.txt.asc file. Then you paste that content in your iRule.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Our security address
Contact: mailto:security@example.com

# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt

# Our security policy
Policy: https://example.com/security-policy.html

# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html

Expires: 2021-12-31T18:37:07z"

-----BEGIN PGP SIGNATURE-----

iIcEARYKAC8WIQSulmNYqOEvaLEXuXBhVhukMyqDOwUCYnZbLBEcdGhlZHVkZUBt
YXJjby5tcwAKCRBhVhukMyqDO7BKAP9fRJXm7xBW8DgvBurYlQtkl0ROc23gONpf
eeZupn3JxAD/YXNnZaC33dcHh7c7W22QK673XFtY7DmKpT7wUXCtlQs=
=3hMe
-----END PGP SIGNATURE-----

I heard F5 is also bit in the nginx business. 🙂
The open source enthusiasts will love to serve simple static content directly from the configuration. Here is a quick example.

Create a simple nginx config file like security.txt.conf with the following content.

server {
    server_name localhost;
    listen 80;

    location / {
        types {}
        default_type text/html;

        return 200 '
        <html><body><br>
        -----BEGIN PGP SIGNED MESSAGE-----<br>
        Hash: SHA512<br>
        <br>
        # Our security address<br>
        Contact: mailto:security@example.com<br>
        <br>
        # Our OpenPGP key<br>
        Encryption: https://example.com/pgp-key.txt<br>
        <br>
        # Our security policy<br>
        Policy: https://example.com/security-policy.html<br>
        <br>
        # Our security acknowledgments page<br>
        Acknowledgments: https://example.com/hall-of-fame.html<br>
        <br>
        Expires: 2021-12-31T18:37:07z"<br>
        <br>
        -----BEGIN PGP SIGNATURE-----<br>
        <br>
        iIcEARYKAC8WIQSulmNYqOEvaLEXuXBhVhukMyqDOwUCYnZbLBEcdGhlZHVkZUBt<br>
        YXJjby5tcwAKCRBhVhukMyqDO7BKAP9fRJXm7xBW8DgvBurYlQtkl0ROc23gONpf<br>
        eeZupn3JxAD/YXNnZaC33dcHh7c7W22QK673XFtY7DmKpT7wUXCtlQs=<br>
        =3hMe<br>
        -----END PGP SIGNATURE-----<br>
        </body></html>
        ';
    }
}

Now lets fire up a container to see what we get.

docker run -it --rm --name nginxsecuritytxt -p 8080:80 -v $PWD/security.txt.conf:/etc/nginx/conf.d/default.conf nginx

Lets browse the page in the terminal.

lynx -collapse_br_tags=0 -trim_blank_lines=0 -nomargins=1 -dump http://localhost:8080/

You should see something like this.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Our security address
Contact: mailto:security@example.com

# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt

# Our security policy
Policy: https://example.com/security-policy.html

# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html

Expires: 2021-12-31T18:37:07z"

-----BEGIN PGP SIGNATURE-----

iIcEARYKAC8WIQSulmNYqOEvaLEXuXBhVhukMyqDOwUCYnZbLBEcdGhlZHVkZUBt
YXJjby5tcwAKCRBhVhukMyqDO7BKAP9fRJXm7xBW8DgvBurYlQtkl0ROc23gONpf
eeZupn3JxAD/YXNnZaC33dcHh7c7W22QK673XFtY7DmKpT7wUXCtlQs=
=3hMe
-----END PGP SIGNATURE-----