From b2b87658995fa2601600c3b6e319f451b2858a2f Mon Sep 17 00:00:00 2001
From: "Storm B. Heg"
Date: Thu, 1 May 2025 14:17:59 +0200
Subject: [PATCH 1/3] Add .well-known/security.txt file

See https://securitytxt.org/ for more info.
---
 .well-known/security.txt | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .well-known/security.txt

diff --git a/.well-known/security.txt b/.well-known/security.txt
new file mode 100644
index 000000000..9d0b5cd07
--- /dev/null
+++ b/.well-known/security.txt
@@ -0,0 +1,10 @@
+Policy: https://www.djangoproject.com/security/
+Contact: https://www.djangoproject.com/security/
+Expires: 2026-12-31T00:00:00.000Z
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B
+Preferred-Languages: en
+
+# Hello security researcher!
+# We appreciate your help in keeping Django secure.
+# Please report security issues that concern the Django website (djangoproject.com) to ops@djangoproject.com
+# This helps us make sure your report is seen by the right people.

From ad8da62e8ea75e36e2ee59eefdfa86e77fb03013 Mon Sep 17 00:00:00 2001
From: "Storm B. Heg"
Date: Thu, 1 May 2025 14:42:06 +0200
Subject: [PATCH 2/3] Add test to check security.txt expiration

---
 djangoproject/tests.py | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/djangoproject/tests.py b/djangoproject/tests.py
index a95f0b939..a8b9a296b 100644
--- a/djangoproject/tests.py
+++ b/djangoproject/tests.py
@@ -1,6 +1,8 @@
+from datetime import datetime, timedelta
 from http import HTTPStatus
 from io import StringIO
 
+from django.conf import settings
 from django.core.management import call_command
 from django.test import TestCase
 from django.urls import NoReverseMatch, get_resolver
@@ -164,3 +166,40 @@ def test_single_h1_per_page(self):
 response = self.client.get(url)
 self.assertEqual(response.status_code, 200)
 self.assertContains(response, "
Date: Sun, 10 Aug 2025 14:13:47 +0200
Subject: [PATCH 3/3] Implement security.txt feedback

- Serve from a view, nginx is not going to handle this for us.
- Make clear what should be reported to the security@djangoproject.com and what should be reported to the website working group
- Downgrade security.txt expiration test to a warning instead of a hard fail.
---
 .well-known/security.txt | 10 ----
 .../templates/well-known/security.txt | 27 ++++++++++
 djangoproject/tests.py | 54 +++++++++----------
 djangoproject/urls/docs.py | 7 +++
 djangoproject/urls/www.py | 6 +++
 docs/tests/test_views.py | 35 ++++++++++++
 6 files changed, 100 insertions(+), 39 deletions(-)
 delete mode 100644 .well-known/security.txt
 create mode 100644 djangoproject/templates/well-known/security.txt

diff --git a/.well-known/security.txt b/.well-known/security.txt
deleted file mode 100644
index 9d0b5cd07..000000000
--- a/.well-known/security.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Policy: https://www.djangoproject.com/security/
-Contact: https://www.djangoproject.com/security/
-Expires: 2026-12-31T00:00:00.000Z
-Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B
-Preferred-Languages: en
-
-# Hello security researcher!
-# We appreciate your help in keeping Django secure.
-# Please report security issues that concern the Django website (djangoproject.com) to ops@djangoproject.com
-# This helps us make sure your report is seen by the right people.
diff --git a/djangoproject/templates/well-known/security.txt b/djangoproject/templates/well-known/security.txt
new file mode 100644
index 000000000..87a01b531
--- /dev/null
+++ b/djangoproject/templates/well-known/security.txt
@@ -0,0 +1,27 @@
+{% spaceless %}
+{% comment %}
+This file is served under the well-known URIs
+
+- https://www.djangoproject.com/.well-known/security.txt
+- https://docs.djangoproject.com/.well-known/security.txt
+
+See https://securitytxt.org/ for more information about the security.txt standard.
+{% endcomment %}
+{% endspaceless %}# Hello security researcher!
+# We appreciate your help in keeping Django & djangoproject.com secure.
+
+# Please report security issues that concern this website (djangoproject.com)
+# to the website working group: website-wg@djangoproject.com
+# This helps us make sure your report is directed to the right people.
+# You can find guidelines for reporting website security issues here: https://github.com/django/djangoproject.com/blob/main/.github/SECURITY.md
+
+# DO NOT USE security@djangoproject.com FOR ISSUES THAT CONCERN THE WEBSITE.
+
+# If your report concerns Django itself (the Python package, not this website), please follow the Django security reporting process:
+Policy: https://www.djangoproject.com/security/
+Contact: https://www.djangoproject.com/security/
+Expires: 2026-12-31T00:00:00.000Z
+Preferred-Languages: en
+
+# If you would like to encrypt your report, you can use the following PGP key:
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B
diff --git a/djangoproject/tests.py b/djangoproject/tests.py
index a8b9a296b..79e941fa5 100644
--- a/djangoproject/tests.py
+++ b/djangoproject/tests.py
@@ -1,8 +1,9 @@
+import re
+import warnings
+from datetime import datetime, timedelta
 from http import HTTPStatus
 from io import StringIO
 
-from django.conf import settings
 from django.core.management import call_command
 from django.test import TestCase
 from django.urls import NoReverseMatch, get_resolver
@@ -168,38 +169,33 @@ def test_single_h1_per_page(self):
 self.assertContains(response, "
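Review bot: The machine-readable `Contact:` field in the new template still points only at the Django package policy page, while the website-wg@djangoproject.com address that this file is meant to route website reports to lives only in `#` comment lines, which RFC 9116 parsers and the scanners that bug-bounty and disclosure tooling use discard. Contact may be repeated in order of preference, so add `Contact: mailto:website-wg@djangoproject.com` ahead of the existing policy URL, and because the comment block says the file is served from two hosts, add `Canonical: https://www.djangoproject.com/.well-known/security.txt` and `Canonical: https://docs.djangoproject.com/.well-known/security.txt` so a copy found elsewhere can be tied to its origin. RFC 9116 also recommends that `Expires` be less than a year in the future; 2026-12-31 is roughly seventeen months after this commit's date, so a nearer value (which the expiration warning test mentioned in the commit message can then keep honest) would be safer. The `{% spaceless %}`/`{% comment %}` wrapper only removes the Django comment block; it is worth confirming that the serving view, which is outside this hunk, returns the file as `text/plain; charset=utf-8` as the RFC requires rather than the template default of `text/html`.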