From 999ad37b11ffde819a39b000d6fbbbf189db42ea Mon Sep 17 00:00:00 2001
From: psy <psy@cccv.de>
Date: Sun, 21 Apr 2024 11:12:36 +0200
Subject: [PATCH] add security.txt

---
 README.md               | 6 ++++++
 templates/vhost.conf.j2 | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/README.md b/README.md
index 2343708..763e99d 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,12 @@ force_ssl: True
 # generate a self signed certificate as default ssl cert
 snakeoil_default: False
 
+# if set, nginx will render the content at /.well-known/security.txt
+# see https://www.rfc-editor.org/rfc/rfc9116 for valid fields
+security.txt: |
+  Contact: mailto:security@example.com
+  Expires: 2024-04-20T23:42:00.000Z
+
 # install php-fpm, setup a php-handler upstream and copy a php location snippet to include in configs
 # either "False", "True" or a dict *phpconfig*, see below for definition
 php: False
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
index 0d5614b..29398ed 100644
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@@ -113,6 +113,13 @@ server {
 	{% endif %}
 
 
+	{% if nginx.security_txt is defined %}
+	location /.well-known/security.txt {
+		add_header Content-Type text/plain;
+		return 200 "{{ nginx.security_txt | replace('\n', '\\n') }}";
+	}
+	{% endif %}
+
 	{% if vhost.auth.enable %}
 	auth_basic           "restricted area";
 	auth_basic_user_file {{ vhost.auth.path }}; 
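Review bot: The new `location /.well-known/security.txt` block will inherit the server-level `auth_basic` that follows it whenever `vhost.auth.enable` is set, so on a protected vhost the file is unreachable without credentials, which defeats its purpose; add `auth_basic off;` inside the location. `add_header Content-Type text/plain;` most likely yields two Content-Type headers, since nginx already emits one from `default_type` for a `return` body — replace it with `default_type "text/plain; charset=utf-8";`, which is also the media type RFC 9116 specifies. The template reads `nginx.security_txt`, but the README hunk documents the key as `security.txt`, so one of the two should be aligned (and the README example's `Expires` is already in the past relative to the commit date). Finally, the value is interpolated into an nginx double-quoted string with only newlines escaped, so a `"` or `$` in the operator-supplied text would break the config or expand a variable; worth a comment such as `# security_txt must not contain unescaped " or $`, or serving it from a rendered file instead.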
-- 
GitLab