Add RFC 9116 compliant security.txt endpoint

- Implement /.well-known/security.txt endpoint for security vulnerability reporting - Add SECURITY_CONTACT environment variable support - Include proper HTTP headers (Content-Type, Cache-Control) - Set automatic expiration date and preferred languages - Add comprehensive security policy information - Update .env.example with SECURITY_CONTACT variable - Document security.txt endpoint in README.md with usage examples - Follow RFC 9116 standard for responsible disclosure
2025-09-30 19:28:29 +02:00
parent 2402afff13
commit 2dcfb8e2ee
3 changed files with 48 additions and 0 deletions
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -28,6 +28,31 @@ app.get("/api/legal-config", async (c) => {
  }
 });

+// Security.txt endpoint (RFC 9116)
+app.get("/.well-known/security.txt", (c) => {
+  const securityContact = process.env.SECURITY_CONTACT || "security@example.com";
+  const securityText = `Contact: ${securityContact}
+Expires: 2025-12-31T23:59:59.000Z
+Preferred-Languages: de, en
+Canonical: https://${process.env.DOMAIN || 'localhost:5173'}/.well-known/security.txt
+
+# Security Policy
+# Please report security vulnerabilities responsibly by contacting us via email.
+# We will respond to security reports within 48 hours.
+# 
+# Scope: This security policy applies to the Stargirlnails booking system.
+# 
+# Rewards: We appreciate security researchers who help us improve our security.
+# While we don't have a formal bug bounty program, we may offer recognition
+# for significant security improvements.
+`;
+
+  return c.text(securityText, 200, {
+    "Content-Type": "text/plain; charset=utf-8",
+    "Cache-Control": "public, max-age=86400", // Cache for 24 hours
+  });
+});
+
 app.route("/rpc", rpcApp);
 app.get("/*", clientEntry);