iRule to serve security.txt file - RFC 9116
One week ago, on 27 April 2022, the IETF published RFC 9116, which describes the security.txt file. The purpose of this file is to aid responsible disclosure, a process that allows security researchers to safely report vulnerabilities.
The file should be placed either in the document root or in the /.well-known folder of a web server, and it should contain information on the site owner's vulnerability disclosure process.
Further details about formatting and the mandatory and optional information can be found here:
https://www.rfc-editor.org/rfc/rfc9116
Without automation, adding this text file to every web server can be time consuming, even in small environments. The iRule below can be used to serve the file directly from the BIG-IP.
when HTTP_REQUEST {
    # Answer requests for the RFC 9116 location directly from the BIG-IP,
    # so no web server behind the virtual server has to host the file.
    if { [string tolower [HTTP::path]] equals "/.well-known/security.txt" } {
        # RFC 9116 requires a Content-Type of text/plain with charset utf-8,
        # so the header is set explicitly on the response.
        # Expires must be a date-time in the future (the RFC recommends less
        # than a year out); the value below is the RFC's own example and has
        # already passed, so update it before deploying.
        HTTP::respond 200 content "# Our security address
Contact: mailto:security@example.com
# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt
# Our security policy
Policy: https://example.com/security-policy.html
# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html
Expires: 2021-12-31T18:37:07z
" "Content-Type" "text/plain; charset=utf-8"
    }
}
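Once the iRule is in place, the next thing a practitioner wants is a way to confirm that what the BIG-IP actually serves is a valid security.txt. The following Python checker is an added example and is not part of the original post or of F5's code. It parses a security.txt body the way RFC 9116 lays it out (one "Field: value" per line, "#" comments, blank lines) and reports the problems worth catching before deployment: missing mandatory fields (Contact, Expires), an Expires value that is not RFC 3339, already in the past or more than a year out, a duplicated Expires line, malformed lines and web URIs that are not https. The sample body is a constructed copy of the content the iRule above serves; the field list and the "less than a year" rule are taken from the RFC, the finding texts are my own.

```python
"""Minimal RFC 9116 security.txt checker (added example, not from the original post)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
# Fields defined by RFC 9116; other fields are permitted but worth a look.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
URI_FIELDS = ("Encryption", "Policy", "Acknowledgments", "Canonical", "Hiring")

# Constructed sample: the body served by the iRule in the post (Expires has passed).
SAMPLE_BODY = """
# Our security address
Contact: mailto:security@example.com
# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt
# Our security policy
Policy: https://example.com/security-policy.html
# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html
Expires: 2021-12-31T18:37:07z
"""


def parse_security_txt(body: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs; comment and blank lines are skipped.

    Field names are case-insensitive per the RFC, so known names are
    normalised to the capitalisation used in KNOWN_FIELDS. Lines without a
    colon are kept under the pseudo-field "<malformed>" so they get reported.
    """
    pairs = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            pairs.append(("<malformed>", line))
            continue
        name, value = line.split(":", 1)
        name = name.strip()
        canonical = next((k for k in KNOWN_FIELDS if k.lower() == name.lower()), name)
        pairs.append((canonical, value.strip()))
    return pairs


def parse_expires(value: str) -> datetime | None:
    """Parse an RFC 3339 date-time; a trailing 'z' or 'Z' means UTC."""
    v = value.strip()
    if v[-1:] in ("z", "Z"):
        v = v[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(v)
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None  # RFC 3339 needs an offset


def check_security_txt(body: str, now: datetime | None = None) -> list[str]:
    """Return a list of findings; an empty list means the file looks fine.

    `now` must be timezone-aware; it defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    pairs = parse_security_txt(body)
    names = [n for n, _ in pairs]
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in names:
            findings.append(f"missing required field: {field}")
    if names.count("Expires") > 1:
        findings.append("Expires must appear exactly once")
    for name, value in pairs:
        if name == "<malformed>":
            findings.append(f"malformed line (no 'Field: value'): {value!r}")
        elif name not in KNOWN_FIELDS:
            findings.append(f"unknown field (allowed, but check spelling): {name}")
        elif name == "Expires":
            dt = parse_expires(value)
            if dt is None:
                findings.append(f"Expires is not an RFC 3339 date-time: {value!r}")
            elif dt <= now:
                findings.append(f"Expires is in the past ({value}); the file is stale")
            elif dt > now + timedelta(days=365):
                findings.append("Expires is more than a year out (RFC 9116 recommends less)")
        elif name == "Contact":
            if value.startswith("http://"):
                findings.append(f"Contact uses plain http://; RFC 9116 requires https: {value}")
            elif not value.startswith(("https://", "mailto:", "tel:")):
                findings.append(f"Contact is not a recognised URI: {value!r}")
        elif name in URI_FIELDS and value.startswith("http://"):
            findings.append(f"{name} uses plain http://; RFC 9116 requires https: {value}")
    return findings


if __name__ == "__main__":
    for finding in check_security_txt(SAMPLE_BODY) or ["no findings"]:
        print(finding)
```

Run against the content the iRule serves, the checker flags the expired date and nothing else; point it at the body fetched from https://your-host/.well-known/security.txt (with urllib or curl) and the same checks apply to what the BIG-IP really returns.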
Note: The RFC mentions the process of PGP signing the security.txt file. I guess this can be done with iRulesLX; however, I haven't had time yet to figure out the details of whether and how it can be done. If anyone is faster or more knowledgeable than me with iRulesLX, the stage is yours.