Serve security.txt

Author: isoos

app/lib/frontend/handlers/misc.dart

@@ -31,6 +31,18 @@ import 'cache_control.dart';
 
 final _log = Logger('pub.handlers.misc');
 
+/// Handles requests for /.well-known/security.txt
+Future<shelf.Response> wellKnownSecurityTxtHandler(
+    shelf.Request request) async {
+  final expiresDate =
+      clock.now().add(Duration(days: 31)).toIso8601String().split('T').first;
+  final content = 'Contact: https://goo.gl/vulnz\n'
+      'Policy: https://pub.dev/security\n'
+      'Preferred-Languages: en\n'
+      'Expires: ${expiresDate}T00:00:00z\n';
+  return shelf.Response.ok(content);
+}
+
 /// Handles requests for /help
 /// Handles requests for /help/<article>
 Future<shelf.Response> helpPageHandler(

app/lib/frontend/handlers/routes.dart

@@ -309,6 +309,11 @@ class PubSiteService {
   Future<Response> experimental(Request request) =>
       experimentalHandler(request);
 
+  /// Renders the /.well-known/security.txt page
+  @Route.get('/.well-known/security.txt')
+  Future<Response> wellKnownSecurityTxt(Request request) =>
+      wellKnownSecurityTxtHandler(request);
+
   // ****
   // **** Account, authentication and user administration
   // ****

app/lib/frontend/handlers/routes.g.dart

@@ -28,6 +28,7 @@ class PublicPagesScript {
       await _atomFeed();
       await _searchPage();
       await _sitemaps();
+      await _wellKnownFiles();
       await _customApis();
       await _badRequest();
     } finally {
@@ -81,6 +82,10 @@ class PublicPagesScript {
     await _pubClient.getContent('/sitemap-2.txt');
   }
 
+  Future<void> _wellKnownFiles() async {
+    await _pubClient.getContent('/.well-known/security.txt');
+  }
+
   Future<void> _customApis() async {
     final packageNames = await _pubClient.apiPackageNames();
     if (!packageNames.contains('retry')) {