iRule to serve security.txt file - RFC 9116

One week ago, on 27. April 2022, the IETF has published RFC 9116 describing the security.txt file. The purpose of this file is to aid in responsible disclosure, a process that allows security researchers to safely report vulnerabilities.

The file should be either placed in the document root or in the /.well-known folder of a webserver and it should contain information on the site owners vulnerability disclosure process.
Further details about formatting and the mandatory and optional information can be found here: 
https://www.rfc-editor.org/rfc/rfc9116

Without automation - adding this text file to every webserver can be time consuming, even in small environments. The below iRule can be used to serve the file from the BIG-IP.

when HTTP_REQUEST {
    if {  [string tolower [HTTP::path]] equals "/.well-known/security.txt" } {
        HTTP::respond 200 content "
            # Our security address
            Contact: mailto:security@example.com

            # Our OpenPGP key
            Encryption: https://example.com/pgp-key.txt

            # Our security policy
            Policy: https://example.com/security-policy.html

            # Our security acknowledgments page
            Acknowledgments: https://example.com/hall-of-fame.html

            Expires: 2021-12-31T18:37:07z"
    }
}

Note: The RFC mentions the process of PGP signing the security.txt file. I guess this can be done with iRulesLX, however - I didn't have time yet to figure out the details about if and how it can be done. If anyone is faster or more knowledgeable than me with iRulesLX - the stage is yours.

 

Updated Jan 14, 2023
Version 2.0
application delivery
security

Was this article helpful?

6 Comments

Sort By
  • Juergen_Mang's avatar
    Juergen_Mang
    Icon for MVP rankMVP
    Jan 04, 2023

    Small error:

    if {  [string tolower [HTTP::path]] equals ".well-known/security.txt" } {

     I think it should be:

    if {  [string tolower [HTTP::path]] equals "/.well-known/security.txt" } {
  • ElDuderino's avatar
    ElDuderino
    Icon for Nimbostratus rankNimbostratus
    May 07, 2022

    No idea about the details of iRulesLX. But it seems way to much overhead to call something external just to serve some text.

    Signing the file with the "clearsign" option as recommended is nothing more then a plain text readable file in this case, plus the signature and PGP headers.

    All you do is the following. The --default-key option is only needed, in case you have multiple keys.

    gpg --clearsign --default-key security@example.com security.txt

     This will generate a security.txt.asc file. Then you paste that content in your iRule.

    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Our security address
Contact: mailto:security@example.com

# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt

# Our security policy
Policy: https://example.com/security-policy.html

# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html

Expires: 2021-12-31T18:37:07z"

-----BEGIN PGP SIGNATURE-----

iIcEARYKAC8WIQSulmNYqOEvaLEXuXBhVhukMyqDOwUCYnZbLBEcdGhlZHVkZUBt
YXJjby5tcwAKCRBhVhukMyqDO7BKAP9fRJXm7xBW8DgvBurYlQtkl0ROc23gONpf
eeZupn3JxAD/YXNnZaC33dcHh7c7W22QK673XFtY7DmKpT7wUXCtlQs=
=3hMe
-----END PGP SIGNATURE-----

    I heard F5 is also bit in the nginx business. 🙂
    The open source enthusiasts will love to serve simple static content directly from the configuration. Here is a quick example.

    Create a simple nginx config file like security.txt.conf with the following content.

    server {
    server_name localhost;
    listen 80;

    location / {
        types {}
        default_type text/html;

        return 200 '
        <html><body><br>
        -----BEGIN PGP SIGNED MESSAGE-----<br>
        Hash: SHA512<br>
        <br>
        # Our security address<br>
        Contact: mailto:security@example.com<br>
        <br>
        # Our OpenPGP key<br>
        Encryption: https://example.com/pgp-key.txt<br>
        <br>
        # Our security policy<br>
        Policy: https://example.com/security-policy.html<br>
        <br>
        # Our security acknowledgments page<br>
        Acknowledgments: https://example.com/hall-of-fame.html<br>
        <br>
        Expires: 2021-12-31T18:37:07z"<br>
        <br>
        -----BEGIN PGP SIGNATURE-----<br>
        <br>
        iIcEARYKAC8WIQSulmNYqOEvaLEXuXBhVhukMyqDOwUCYnZbLBEcdGhlZHVkZUBt<br>
        YXJjby5tcwAKCRBhVhukMyqDO7BKAP9fRJXm7xBW8DgvBurYlQtkl0ROc23gONpf<br>
        eeZupn3JxAD/YXNnZaC33dcHh7c7W22QK673XFtY7DmKpT7wUXCtlQs=<br>
        =3hMe<br>
        -----END PGP SIGNATURE-----<br>
        </body></html>
        ';
    }
}

    Now lets fire up a container to see what we get.

    docker run -it --rm --name nginxsecuritytxt -p 8080:80 -v $PWD/security.txt.conf:/etc/nginx/conf.d/default.conf nginx

    Lets browse the page in the terminal.

    lynx -collapse_br_tags=0 -trim_blank_lines=0 -nomargins=1 -dump http://localhost:8080/

    You should see something like this.

    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Our security address
Contact: mailto:security@example.com

# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt

# Our security policy
Policy: https://example.com/security-policy.html

# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html

Expires: 2021-12-31T18:37:07z"

-----BEGIN PGP SIGNATURE-----

iIcEARYKAC8WIQSulmNYqOEvaLEXuXBhVhukMyqDOwUCYnZbLBEcdGhlZHVkZUBt
YXJjby5tcwAKCRBhVhukMyqDO7BKAP9fRJXm7xBW8DgvBurYlQtkl0ROc23gONpf
eeZupn3JxAD/YXNnZaC33dcHh7c7W22QK673XFtY7DmKpT7wUXCtlQs=
=3hMe
-----END PGP SIGNATURE-----

     

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    May 08, 2022

    Hi ElDuderino,

    probably you are right. To serve the site with the help of iRulesLX is pretty over-engineered and also too expensive on the CPU. I had it in mind for a situation when you want to serve the file for multiple domains with different PGP signatures per each domain. However... maybe even in such case a static solution would perform better.

    AWESOME that you provided a solution for NGINX.

    KR
    Daniel

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    May 09, 2022

    could create an ifile for each, signing them as mentioned by ElDuderino before uploading, then switching based on host. ifiles can be automated with icontrol rest, so that could be a cron job or a web hook.