Add .well-known/security.txt file #2062
Conversation
djangoproject/tests.py
Outdated
| "The security.txt file is close to expiring. \ | ||
| Please update the 'Expires' line in to confirm the contents are \ | ||
| still accurate: {}".format( | ||
| FILE_PATH | ||
| ), |
There was a problem hiding this comment.
'E501 line too long' is set up in this project (one that I generally disable) – any suggestions on how to clean this up?
There was a problem hiding this comment.
You could build the string outside of the assert method or shorten the message.
Is a test needed for this though? How about a calendar reminder? It seems like one day this will start failing the test suite on every PR/commit.
There was a problem hiding this comment.
Fair point @adamzap – I've downgraded this to a warning instead of a hard fail. This is is still fairly visible and does not rely on someone keeping on track of calendar event.
How does this sit with you?
There was a problem hiding this comment.
Thanks for working on this Storm! 🎸
I've left a few minor stylistic comments inline, but I've also got some more general questions:
- I originally said that we could use an nginx config to link to the file, but after thinking about it some more I realized that it's going to be more complicated than I'd initially thought, because the
security.txtis located inside the container. So I think a dedicated view is probably going to be better here. - Does the file need to be served under all subdomains (
www,docs,code,dashboard), or only some of them? - As Adam noted, I'm not sure a failing test is the right type of warning for this (though I appreciate that you thought about emitting a warning at all, that's good forward thinking). Did you explore other types of warnings for this and if so, could you walk us through what made you pick a test? On the top of my head, this could also potentially be a system check, a management command that we'd run regularly on the production server, or maybe even some kind of scheduled github action (I know django/django has some of those for example).
- edit: Oh, and also I think the folder should be named
well-known: we don't need it to be hidden.
I'm happy to brainstorm or chat through things on Discord, or even on a call if you'd prefer. Just let me know.
.well-known/security.txt
Outdated
| Policy: https://www.djangoproject.com/security/ | ||
| Contact: https://www.djangoproject.com/security/ | ||
| Expires: 2026-12-31T00:00:00.000Z | ||
| Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B |
There was a problem hiding this comment.
For the sake of a future maintainer, it would be nice to document where one could find a link to the most up-to-date key. I was going to suggest a comment above this line, but I'm not sure if that's the best place for such documentation 🤔 (happy to hear other suggestions)
There was a problem hiding this comment.
I don't think this file might be a good place for putting that comment, since this file is targetted more towards people who want to report a security issue. It should ideally be there somewhere in a readme for contributors and maintainers. Maybe SECURITY.md (which I am planning on adding)?
There was a problem hiding this comment.
Sounds like something worthy of enabling the repo wiki for?
There was a problem hiding this comment.
Since this is now a Django template, we could use a Django template comment so the comment only appears in source code. How does that sound?
.well-known/security.txt
Outdated
|
|
||
| # Hello security researcher! | ||
| # We appreciate your help in keeping Django secure. | ||
| # Please report security issues that concern the Django website (djangoproject.com) to ops@djangoproject.com |
There was a problem hiding this comment.
This seems to contradict the Policy and Contact directives above which state that one should email security@djangoproject.com.
There was a problem hiding this comment.
I think we could change this with the website WG email: website-wg@djangoproject.com to keep the security issues for Django itself separated for the fellows, but the security page need a new line somewhere to mention that security issues related to the website are supposed to be send to this email instead.
There was a problem hiding this comment.
Thanks, I've changed the wording in the file to make clear what should be reported where.
There was a problem hiding this comment.
Looks good, thank you @Stormheg ! I added one comment for a small change, including the security page.
.well-known/security.txt
Outdated
|
|
||
| # Hello security researcher! | ||
| # We appreciate your help in keeping Django secure. | ||
| # Please report security issues that concern the Django website (djangoproject.com) to ops@djangoproject.com |
There was a problem hiding this comment.
I think we could change this with the website WG email: website-wg@djangoproject.com to keep the security issues for Django itself separated for the fellows, but the security page need a new line somewhere to mention that security issues related to the website are supposed to be send to this email instead.
|
Thanks for the reviews so far all 👍 I'm going to rework the contents based on #2086
Alright, will move it into a view.
I'd say the file specifically relates to the security of the application running on that domain, so the answer would be: probably, yes. I'm not sure what the architecture is behind the different subdomains, but if they are all served from this repository we can serve the same file for all of them.
@bmispelon @adamzap regarding the test case, I was looking for something that is visible and explicit and this is the first thing I came up with. I did not put in any more thought in it than that. What warning mechanism would you prefer to see instead?
Good catch, lol. I have hidden folders enabled on my mac and forgot that's a convention. |
bf13b2c to
0162422
Compare
- Serve from a view, nginx is not going to handle this for us. - Make clear what should be reported to the security@djangoproject.com and what should be reported to the website working group - Downgrade security.txt expiration test to a warning instead of a hard fail.
0162422 to
318757e
Compare
There was a problem hiding this comment.
@bmispelon @adamzap @sabderemane I've updated the PR with your feedback - thank you
| # Please report security issues that concern this website (djangoproject.com) | ||
| # to the website working group: website-wg@djangoproject.com | ||
| # This helps us make sure your report is directed to the right people. | ||
| # You can find guidelines for reporting website security issues here: https://github.com/django/djangoproject.com/blob/main/.github/SECURITY.md |
There was a problem hiding this comment.
Note: this url doesn't exist yet. Assumes #2086 is merged.
This is a PR for an action I took as member of the Website working group, see meeting notes here: https://forum.djangoproject.com/t/website-team-meeting-notes/40655
I spoke with @bmispelon yesterday during Wagtail Office Hours and he mentioned we can serve static files like this through a nginx rule which are controlled by the ops team. We apparently already do this for other 'static' content files. This has yet to be set up.
I chose to put this in a .well-known folder in the project root for visibility.
Consider the contents of the security.txt file an initial draft and open to discussion.