From e4a386074cbab9fd89db1bd378b6c8eb55f518bc Mon Sep 17 00:00:00 2001
From: Alex Coleman
Date: Thu, 12 Sep 2024 14:20:51 +0100
Subject: [PATCH] GH-157: Document vulnerability disclosure mechanism

---
 schemes/views/legal.py | 7 ++++++-
 schemes/views/templates/legal/security.txt | 3 +++
 tests/integration/test_legal.py | 5 +++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 schemes/views/templates/legal/security.txt

diff --git a/schemes/views/legal.py b/schemes/views/legal.py
index 28c5a86..c2a9734 100644
--- a/schemes/views/legal.py
+++ b/schemes/views/legal.py
@@ -1,4 +1,4 @@
-from flask import Blueprint, render_template
+from flask import Blueprint, Response, render_template, send_from_directory
 
 from schemes.views.auth.basic import basic_auth
 
@@ -21,3 +21,8 @@ def accessibility() -> str:
 @basic_auth
 def cookies() -> str:
     return render_template("legal/cookies.html")
+
+
+@bp.get("/.well-known/security.txt")
+def security() -> Response:
+    return send_from_directory(directory="views/templates/legal", path="security.txt")
diff --git a/schemes/views/templates/legal/security.txt b/schemes/views/templates/legal/security.txt
new file mode 100644
index 0000000..7f0e122
--- /dev/null
+++ b/schemes/views/templates/legal/security.txt
@@ -0,0 +1,3 @@
+Contact: https://vulnerability-reporting.service.security.gov.uk/
+
+Expires: 2025-01-31T00:00:00Z
diff --git a/tests/integration/test_legal.py b/tests/integration/test_legal.py
index aef8315..bcb89f5 100644
--- a/tests/integration/test_legal.py
+++ b/tests/integration/test_legal.py
@@ -24,3 +24,8 @@ def test_cookies(self, client: FlaskClient) -> None:
 
         assert cookies_page.is_visible
         assert cookies_page.title == "Cookies - Update your capital schemes - Active Travel England - GOV.UK"
+
+    def test_security(self, client: FlaskClient) -> None:
+        response = client.get("/.well-known/security.txt")
+
+        assert response.status_code == 200 and response.content_type == "text/plain; charset=utf-8"
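Review bot: The new `security()` view in the second hunk of schemes/views/legal.py is the only route in this file without `@basic_auth`, and nothing records that the omission is deliberate; a maintainer tidying for consistency could add the decorator and put the disclosure contact behind a login, which defeats its purpose. Add a docstring such as `"""Serve security.txt (RFC 9116). Deliberately unauthenticated: reporters must be able to read it without credentials."""`. The relative `directory="views/templates/legal"` is, as far as Flask's documented behaviour goes, resolved against the application's root path, so the route silently depends on the package layout; a one-line comment saying so, or a path built from `current_app.root_path`, would make that explicit. Keeping a non-template file under `templates/` also reads oddly — a static-style directory for `.well-known` content would be the conventional home.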
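Review bot: The `Expires` value `2025-01-31T00:00:00Z` in the new security.txt is a fixed date with nothing to prompt a refresh; RFC 9116 says the file should not be relied on once that date has passed, so it will go stale silently. Add a comment line such as `# Review and extend Expires before it lapses (RFC 9116 requires it to stay in the future)`, and consider having the integration test assert the date is still ahead of today so CI flags the lapse. The file also omits the optional `Canonical:` field (the URL this file is served from), which RFC 9116 recommends so a reader can tell a copy served from the wrong origin from the real one.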
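Review bot: `test_security` in tests/integration/test_legal.py joins both checks with `and`, so a failure only reports that the combined expression was false, not whether the status or the content type was wrong; split it into `assert response.status_code == 200` and `assert response.content_type == "text/plain; charset=utf-8"`. The test also never inspects the body, so an empty or wrong file served under that path would still pass — add `assert b"Contact:" in response.data`. The enclosing test class starts outside the hunk.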