A Laravel package to manage security.txt files with automatic updates and configurable expiration. Fetches a template from a remote URL, replaces placeholders with dynamic values, and serves the file at /.well-known/security.txt.
Install the package via Composer:
composer require statikbe/laravel-security-txtPublish the configuration file:
php artisan vendor:publish --tag="security-txt-config"The published configuration file (config/security-txt.php) contains the following options:
return [
// Enable/disable the /.well-known/security.txt route
'enabled' => env('SECURITY_TXT_ENABLED', true),
// Remote URL to fetch the template from
'template_url' => env('SECURITY_TXT_TEMPLATE_URL'),
// Days until expiration (default: 365)
'expires_days' => env('SECURITY_TXT_EXPIRES_DAYS', 365),
// Where to store the generated file
'output_path' => storage_path('security.txt'),
// Placeholder mappings
'placeholders' => [
'CONTACT_EMAIL' => 'security@example.com',
'PGP_KEY_URL' => fn() => config('app.url') . '/pgp-key.txt',
],
// Middleware for the route
'middleware' => ['web'],
];| Variable | Description | Default |
|---|---|---|
SECURITY_TXT_ENABLED |
Enable/disable the route | true |
SECURITY_TXT_TEMPLATE_URL |
URL to fetch template from | null |
SECURITY_TXT_EXPIRES_DAYS |
Days until expiration | 365 |
Create a security.txt template file and host it somewhere accessible (e.g., GitHub raw file, internal server). Use {{PLACEHOLDER_NAME}} syntax for dynamic values.
Contact: mailto:{{CONTACT_EMAIL}}
Expires: {{EXPIRES}}
Encryption: {{PGP_KEY_URL}}
Preferred-Languages: en
Host this file and set the URL in your published configuration file.
An example template is included in the package at stubs/security.txt.template.
| Placeholder | Description |
|---|---|
{{EXPIRES}} |
Auto-calculated expiration date in ISO 8601 format |
Define custom placeholders in the config file. Values can be strings or callables:
'placeholders' => [
'CONTACT_EMAIL' => 'security@example.com',
'PGP_KEY_URL' => fn () => config('app.url') . '/pgp-key.txt',
'CANONICAL_URL' => fn () => config('app.url') . '/.well-known/security.txt',
],Run the Artisan command to fetch the template and generate the security.txt file:
php artisan security-txt:updateOverride the expiration days:
php artisan security-txt:update --expires-days=30Add the command to your routes/console.php to keep the file updated:
use Illuminate\Support\Facades\Schedule;
Schedule::command('security-txt:update')->weekly();Once generated, the file is served at:
https://your-domain.com/.well-known/security.txt
The package validates generated files against RFC 9116 requirements:
- Contact field is required
- Expires field is required
If validation fails, the file will not be written and an error will be logged.
The command handles errors gracefully:
- If the template URL is unreachable, an error is logged and the existing file (if any) is preserved
- If validation fails, errors are displayed and the file is not written
- All errors are logged via Laravel's logging system
composer testPlease see CHANGELOG for more information on what has changed recently.
The MIT License (MIT). Please see License File for more information.