Security.txt toolbox for your Ruby app


What is security.txt?

Security is all about tradeoffs. We all know we should be doing something about it in our applications, yet few of us do. Strangely enough, one of the highest-impact things you can do on that front is not even technical: providing a security contact page.

Creating and publicising a security page is an excellent way to get started on managing your application's security. Writing such a page is not easy (we will cover that in a future article), but the bigger bottleneck has been making it easily discoverable by the people who matter: the researchers who find a vulnerability and need to know where to report it.

Until recently this was left to your own discretion. Developers would generally put a simple link in the footer of their website or on the company's About page. Others wouldn't link to it at all but simply have a page available at /security. We have even seen developers bury that page so deep in their site that it defeated the whole point of having a security page in the first place.

Enter the security.txt proposed standard. Created by a group of application security enthusiasts, it aims to fix exactly this. A file placed at a known location (/.well-known/security.txt) lets you publish the very essence of your policy and a point of contact. It also lets you refer people to your existing security page for further information.

The format of the file is strongly inspired by the well-known robots.txt: one field per line, written as Field: value. Here is an example:

Contact: security@sqreen.io
Policy: https://www.sqreen.io/security

The community seems to like this new standard very much and it is getting traction from plenty of places in the industry. Tooling around it is already available in Go, PHP, and Node.

Security.txt for Ruby

We are also pleased to announce tools for Ruby, a language dear to many Sqreen.io customers and to yours truly. The gem 'securitytxt' includes a dedicated Rails engine, a Rack middleware, and a simple generator and parser.

Installation

Add this line to your application’s Gemfile:

gem 'securitytxt'

And then execute:

$ bundle

Using the Rails engine

Create an initializer with the policy you want to set:

# config/initializers/securitytxt.rb
SecurityTxt.contact = "me@organization.com"
SecurityTxt.encryption = "https://www.mykey.com/pgp-key.txt"

Using the Rack middleware

Add the middleware to your chain in your config.ru:

require 'securitytxt'

policy = {
"contact" => "me@organization.com",
"encryption" => "https://www.mykey.com/pgp-key.txt"
}
use SecurityTxt::Middleware, policy
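To show what a Rack middleware for this job actually does, here is an added, stand-alone example that is not the securitytxt gem's code. The class name SecurityTxtApp, the downstream app and the policy values are all made up for the demonstration. The middleware answers /.well-known/security.txt itself and hands every other request to the app behind it; because Rack only requires an object with a call(env) method returning [status, headers, body], it runs without the rack gem installed.

```ruby
# Added example, not the securitytxt gem: a minimal Rack-compatible middleware
# that serves /.well-known/security.txt and passes everything else downstream.
# SecurityTxtApp, DOWNSTREAM and POLICY are constructed for illustration.
class SecurityTxtApp
  PATH = "/.well-known/security.txt".freeze

  # policy has the same "key" => value shape as the page's policy hash;
  # a value may also be an Array when a field (e.g. Contact) repeats.
  def initialize(app, policy)
    @app = app
    @body = render(policy)
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"] == PATH

    # The file is read-only by definition: refuse anything but GET/HEAD.
    method = env["REQUEST_METHOD"]
    unless %w[GET HEAD].include?(method)
      return [405, { "content-type" => "text/plain", "allow" => "GET, HEAD" }, []]
    end

    # Lowercase header names, as the Rack 3 spec requires. text/plain makes
    # browsers display the file instead of downloading it.
    headers = {
      "content-type"   => "text/plain; charset=utf-8",
      "content-length" => @body.bytesize.to_s,
      "cache-control"  => "public, max-age=3600",
    }
    [200, headers, method == "HEAD" ? [] : [@body]]
  end

  private

  # "contact" -> "Contact", "preferred-languages" -> "Preferred-Languages";
  # repeated values become repeated lines, as the format allows.
  def render(policy)
    policy.flat_map do |key, values|
      Array(values).map { |v| "#{canonical(key)}: #{v}" }
    end.join("\n") + "\n"
  end

  def canonical(name)
    name.to_s.split("-").map(&:capitalize).join("-")
  end
end

# Constructed downstream app and policy (made-up values).
DOWNSTREAM = ->(_env) { [200, { "content-type" => "text/html" }, ["<h1>app</h1>"]] }
POLICY = {
  "contact"    => ["mailto:security@example.com", "https://example.com/report"],
  "encryption" => "https://example.com/pgp-key.txt",
  "policy"     => "https://example.com/security",
}
STACK = SecurityTxtApp.new(DOWNSTREAM, POLICY)

# Build a bare Rack env and run it through the stack.
def request(path, method = "GET")
  STACK.call("PATH_INFO" => path, "REQUEST_METHOD" => method)
end

if __FILE__ == $PROGRAM_NAME
  status, headers, body = request("/.well-known/security.txt")
  puts "#{status} #{headers['content-type']}"
  puts body.join
end
```

The same object can be wired in with `use SecurityTxtApp, POLICY` in a config.ru; the point of the hand-built env in the example is that you can unit-test the file's path, method handling and content type without booting a server.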

Parsing a Security.txt

Simply passing a string should be enough to get data back:

require "securitytxt/parser"
require "open-uri"
# URI.open rather than bare open: Kernel#open stopped accepting URLs in Ruby 3.0
body = URI.open("https://securitytxt.org/.well-known/security.txt").read
SecurityTxt::Parser.new.parse(body)
# => {"contact"=>"https://hackerone.com/ed", "encryption"=>"https://keybase.pub/edoverflow/pgp_key.asc", "acknowledgements"=>"https://hackerone.com/ed/thanks"}

Generating a Security.txt

require 'securitytxt/generator'
puts SecurityTxt::Generator.new({"contact"=>"https://hackerone.com/ed", "encryption"=>"https://keybase.pub/edoverflow/pgp_key.asc", "acknowledgements"=>"https://hackerone.com/ed/thanks"}).generate
# Outputs
#
# Contact: https://hackerone.com/ed
# Encryption: https://keybase.pub/edoverflow/pgp_key.asc
# Acknowledgements: https://hackerone.com/ed/thanks
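The gem's parser and generator hide what the format asks of an implementation. As an added example (not the gem's code; the module name SecurityTxtFormat, the function names and the sample text are made up), here is a stdlib-only parser and generator that handle comments, blank lines, case-insensitive field names and repeated fields such as Contact. That last point is why it returns an Array per field where the gem's output above shows a single string. It also runs a small pre-publication check: a Contact field must be present, and URL-valued fields are flagged when they are not https.

```ruby
# Added example, not the securitytxt gem: a parser, generator and sanity
# check for the security.txt line format. SecurityTxtFormat and SAMPLE are
# constructed for illustration.
module SecurityTxtFormat
  # Returns { "field" => [value, ...] }. Field names are case-insensitive and
  # are normalised to lowercase; "#" starts a comment; blank lines are ignored;
  # the value is everything after the first ":" with whitespace stripped, so
  # "Contact: mailto:x@y" keeps the colon inside the value.
  def self.parse(text)
    fields = Hash.new { |h, k| h[k] = [] }
    text.each_line.with_index(1) do |raw, lineno|
      line = raw.chomp
      next if line.strip.empty? || line.lstrip.start_with?("#")
      name, value = line.split(":", 2)
      raise ArgumentError, "line #{lineno}: expected 'Field: value'" if value.nil?
      fields[name.strip.downcase] << value.strip
    end
    fields
  end

  # Emit "Field: value" lines; an Array value becomes one line per element.
  def self.generate(fields)
    fields.flat_map { |name, values| Array(values).map { |v| "#{canonical(name)}: #{v}" } }
          .join("\n") + "\n"
  end

  # What a practitioner wants to know before publishing: is there a way to
  # reach us at all, and do we point researchers at plaintext-http URLs?
  def self.problems(fields)
    out = []
    out << "missing Contact" if fields.fetch("contact", []).empty?
    %w[encryption policy acknowledgements].each do |f|
      fields.fetch(f, []).each do |v|
        out << "#{f}: #{v} is not https" unless v.start_with?("https://")
      end
    end
    out
  end

  # "contact" -> "Contact", "preferred-languages" -> "Preferred-Languages"
  def self.canonical(name)
    name.to_s.split("-").map(&:capitalize).join("-")
  end
end

# Constructed sample, not fetched from any site: mixed-case field names,
# a comment, a blank line, a repeated Contact and one http:// URL.
SAMPLE = <<~TXT
  # Example policy file
  Contact: mailto:security@example.com
  contact: https://example.com/report

  Encryption: https://example.com/pgp-key.txt
  Policy: http://example.com/security
TXT

if __FILE__ == $PROGRAM_NAME
  parsed = SecurityTxtFormat.parse(SAMPLE)
  p parsed
  puts SecurityTxtFormat.generate(parsed)
  p SecurityTxtFormat.problems(parsed)
end
```

Generating from a parsed hash and parsing the result again yields the same hash, which is the round-trip property you want before relying on any such tool in a deploy pipeline.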

Start adding security.txt to your applications today. It's easy and will smooth any future responsible disclosure on your website. Interested in learning how to protect your Ruby on Rails app against injections? Check out this article we wrote.
