Serve security.txt (#8362)

Author: isoos

app/lib/frontend/handlers/cache_control.dart

@@ -55,6 +55,13 @@ final class CacheControl {
     public: true,
   );
 
+  /// `Cache-Control` headers for API end-points returning slowly changing content,
+  /// without any hash in the URL.
+  static const mostlyStaticApi = CacheControl(
+    maxAge: Duration(hours: 8),
+    public: true,
+  );
+
   /// `Cache-Control` headers for API end-points returning completion data for
   /// use in IDE integrations.
   static const completionData = CacheControl(

app/lib/frontend/handlers/misc.dart

@@ -31,6 +31,21 @@ import 'cache_control.dart';
 
 final _log = Logger('pub.handlers.misc');
 
+/// Handles requests for /.well-known/security.txt
+Future<shelf.Response> wellKnownSecurityTxtHandler(
+    shelf.Request request) async {
+  final expiresDate =
+      clock.now().add(Duration(days: 31)).toIso8601String().split('T').first;
+  final content = 'Contact: https://goo.gl/vulnz\n'
+      'Policy: https://pub.dev/security\n'
+      'Preferred-Languages: en\n'
+      'Expires: ${expiresDate}T00:00:00z\n';
+  return shelf.Response.ok(
+    content,
+    headers: CacheControl.mostlyStaticApi.headers,
+  );
+}
+
 /// Handles requests for /help
 /// Handles requests for /help/<article>
 Future<shelf.Response> helpPageHandler(

app/lib/frontend/handlers/routes.dart

@@ -309,6 +309,11 @@ class PubSiteService {
   Future<Response> experimental(Request request) =>
       experimentalHandler(request);
 
+  /// Renders the /.well-known/security.txt page
+  @Route.get('/.well-known/security.txt')
+  Future<Response> wellKnownSecurityTxt(Request request) =>
+      wellKnownSecurityTxtHandler(request);
+
   // ****
   // **** Account, authentication and user administration
   // ****

app/lib/frontend/handlers/routes.g.dart

@@ -28,6 +28,7 @@ class PublicPagesScript {
       await _atomFeed();
       await _searchPage();
       await _sitemaps();
+      await _wellKnownFiles();
       await _customApis();
       await _badRequest();
     } finally {
@@ -81,6 +82,10 @@ class PublicPagesScript {
     await _pubClient.getContent('/sitemap-2.txt');
   }
 
+  Future<void> _wellKnownFiles() async {
+    await _pubClient.getContent('/.well-known/security.txt');
+  }
+
   Future<void> _customApis() async {
     final packageNames = await _pubClient.apiPackageNames();
     if (!packageNames.contains('retry')) {