Implement security.txt feedback

- Serve from a view, nginx is not going to handle this for us.
- Make clear what should be reported to the [email protected]
  and what should be reported to the website working group
- Downgrade security.txt expiration test to a warning instead of a hard
  fail.

Author: Stormheg

.well-known/security.txt

@@ -0,0 +1,27 @@
+{% spaceless %}
+{% comment %}
+This file is served under the well-known URIs
+
+- https://www.djangoproject.com/.well-known/security.txt
+- https://docs.djangoproject.com/.well-known/security.txt
+
+See https://securitytxt.org/ for more information about the security.txt standard.
+{% endcomment %}
+{% endspaceless %}# Hello security researcher!
+# We appreciate your help in keeping Django & djangoproject.com secure.
+
+# Please report security issues that concern this website (djangoproject.com)
+# to the website working group: [email protected]
+# This helps us make sure your report is directed to the right people.
+# You can find guidelines for reporting website security issues here: https://github.com/django/djangoproject.com/blob/main/.github/SECURITY.md
+
+# DO NOT USE [email protected] FOR ISSUES THAT CONCERN THE WEBSITE.
+
+# If your report concerns Django itself (the Python package, not this website), please follow the Django security reporting process:
+Policy: https://www.djangoproject.com/security/
+Contact: https://www.djangoproject.com/security/
+Expires: 2026-12-31T00:00:00.000Z
+Preferred-Languages: en
+
+# If you would like to encrypt your report, you can use the following PGP key:
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B

djangoproject/templates/well-known/security.txt

@@ -1,8 +1,9 @@
+import re
+import warnings
 from datetime import datetime, timedelta
 from http import HTTPStatus
 from io import StringIO
 
-from django.conf import settings
 from django.core.management import call_command
 from django.test import TestCase
 from django.urls import NoReverseMatch, get_resolver
@@ -168,38 +169,37 @@ def test_single_h1_per_page(self):
                     self.assertContains(response, "<h1", count=1)
 
 
-class SecurityTxtFileTests(TestCase):
+class SecurityTxtTests(TestCase):
     """
     Tests for the security.txt file.
     """
 
-    def test_security_txt_not_expired(self):
+    def test_security_txt(self):
         """
-        The security.txt file should not be expired.
+        The security.txt file should be reachable at the expected URL.
         """
-        FILE_PATH = settings.BASE_DIR / ".well-known" / "security.txt"
-        with open(FILE_PATH) as f:
-            content = f.read()
-            # Read the line that starts with "Expires:", and parse the date.
-            for line in content.splitlines():
-                if line.startswith("Expires:"):
-                    expires = line.strip("Expires: ")
-                    break
-            else:
-                self.fail("No Expires line found in security.txt")
-
-            expires_date = datetime.strptime(
-                expires,
-                "%Y-%m-%dT%H:%M:%S.%fZ",
-            ).date()
-            # We should ideally be two weeks early with updating - active over reactive
-            cutoff = (datetime.now() - timedelta(days=15)).date()
-            self.assertGreater(
-                expires_date,
-                cutoff,
-                "The security.txt file is close to expiring. \
-Please update the 'Expires' line in to confirm the contents are \
-still accurate: {}".format(
-                    FILE_PATH
-                ),
+        response = self.client.get("/.well-known/security.txt")
+        self.assertEqual(response.status_code, HTTPStatus.OK)
+        self.assertEqual(response["Content-Type"], "text/plain")
+        self.assertTrue("public" in response["Cache-Control"])
+
+        match = re.search(
+            "^Expires: (.*)$", response.content.decode("utf-8"), flags=re.MULTILINE
+        )
+        if match is None:
+            self.fail("No Expires line found in security.txt")
+        else:
+            expires = match[1]
+
+        expires_date = datetime.strptime(
+            expires,
+            "%Y-%m-%dT%H:%M:%S.%fZ",
+        ).date()
+
+        if expires_date < datetime.now().date() - timedelta(days=15):
+            warnings.warn(
+                "The djangoproject/templates/well-known/security.txt file is"
+                " close to expiring. Please update the 'Expires' line to confirm"
+                " the contents are still accurate.",
+                category=UserWarning,
             )

djangoproject/tests.py

@@ -3,6 +3,8 @@
 from django.contrib.sitemaps.views import sitemap
 from django.http import HttpResponse
 from django.urls import include, path
+from django.views.decorators.cache import cache_control
+from django.views.generic import TemplateView
 
 from docs.models import DocumentRelease
 from docs.sitemaps import DocsSitemap
@@ -55,6 +57,14 @@ def __setitem__(key, value):
             "google-site-verification: google79eabba6bf6fd6d3.html"
         ),
     ),
+    path(
+        ".well-known/security.txt",
+        cache_control(max_age=60 * 60 * 24, public=True)(
+            TemplateView.as_view(
+                template_name="well-known/security.txt", content_type="text/plain"
+            )
+        ),
+    ),
     # This just exists to make sure we can proof that the error pages work
     # under both hostnames.
     path("", include("legacy.urls")),

djangoproject/urls/docs.py

@@ -5,7 +5,7 @@
 from django.contrib.flatpages.sitemaps import FlatPageSitemap
 from django.contrib.sitemaps import views as sitemap_views
 from django.urls import include, path, re_path
-from django.views.decorators.cache import cache_page
+from django.views.decorators.cache import cache_control, cache_page
 from django.views.generic import RedirectView, TemplateView
 from django.views.static import serve
 
@@ -136,6 +136,14 @@
         cache_page(60 * 60 * 6)(sitemap_views.sitemap),
         {"sitemaps": sitemaps},
     ),
+    path(
+        ".well-known/security.txt",
+        cache_control(max_age=60 * 60 * 24, public=True)(
+            TemplateView.as_view(
+                template_name="well-known/security.txt", content_type="text/plain"
+            )
+        ),
+    ),
     path("weblog/", include("blog.urls")),
     path("download/", include("releases.urls")),
     path("svntogit/", include("svntogit.urls")),

djangoproject/urls/www.py

@@ -1,3 +1,6 @@
+import re
+import warnings
+from datetime import datetime, timedelta
 from http import HTTPStatus
 
 from django.contrib.sites.models import Site
@@ -268,3 +271,39 @@ def test_sitemap_404(self):
         self.assertEqual(
             response.context["exception"], "No sitemap available for section: 'xx'"
         )
+
+
+class SecurityTxtTests(TestCase):
+    """
+    Tests for the security.txt file.
+    """
+
+    def test_security_txt(self):
+        """
+        The security.txt file should be reachable at the expected URL.
+        """
+        response = self.client.get("/.well-known/security.txt")
+        self.assertEqual(response.status_code, HTTPStatus.OK)
+        self.assertEqual(response["Content-Type"], "text/plain")
+        self.assertTrue("public" in response["Cache-Control"])
+
+        match = re.search(
+            "^Expires: (.*)$", response.content.decode("utf-8"), flags=re.MULTILINE
+        )
+        if match is None:
+            self.fail("No Expires line found in security.txt")
+        else:
+            expires = match[1]
+
+        expires_date = datetime.strptime(
+            expires,
+            "%Y-%m-%dT%H:%M:%S.%fZ",
+        ).date()
+
+        if expires_date < datetime.now().date() - timedelta(days=15):
+            warnings.warn(
+                "The djangoproject/templates/well-known/security.txt file is"
+                " close to expiring. Please update the 'Expires' line to confirm"
+                " the contents are still accurate.",
+                category=UserWarning,
+            )