Add possibility to create and add a 'security.txt' file for forums

I have not found a possibility to add a security.txt file to our Discourse forums and was wondering if it would be possible to add that possibility.

It would be great if there’s an option to add this file (which should land in rootwebsite/.well-known/security.txt) and fill in the necessary parameters within Settings > Security for example.

As stated on their website:

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

More can be found here: https://securitytxt.org/

The short term solution, if you’re self hosted, is a custom plugin.

But you want a feature. Sorry.

I’m a bit confused, mainly because I just can’t understand how Docker works, but…

  • why should security.txt come from Discourse; it is normally quite static and tied up to organization
  • under Docker is Nginx and it should host webserver level things like everything under well-known directory

So I would say short term solution is manual labour with Nginx :stuck_out_tongue_winking_eye:

1 Like

I would suggest using a Permalink here for this, e.g.:

○ → curl -i https://meta.discourse.org/.well-known/security.txt
HTTP/2 301 
content-type: text/html; charset=utf-8
location: https://hackerone.com/discourse

(I’ll probably remove it shortly as it’s not really the intended destination, but this means you can put this file anywhere)

6 Likes

That’s a good idea!

Create a topic somewhere hidden; make it unlisted; move it somewhere public. Add .json to the copy URL to get the post_id of the OP. Then use that URL in the permalink. Then you can get the URL of the raw text of that post with a URL like /posts/1093/raw (where 1093 is the post_id of your topic).

Then https://dashboard.literatecomputing.com/.well-known/security.txt will get you a text URL like (I think) you want. Much easier than mucking with having app.yml muck with nginx settings.

10 Likes

Oooohhhh combining with a raw link to just get text is a great hack!

7 Likes
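Whichever route you take (Nginx, a permalink to a raw post, or a redirect), the result still has to be a file that researchers' tooling will accept, so a quick check helps. Below is an added example, not Discourse code or anything from the thread: a small RFC 9116 validator you can run over the body and Content-Type returned by `curl -L https://<your-forum>/.well-known/security.txt`; the sample body and the `forum.example` host are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}  # the two fields RFC 9116 makes mandatory
KNOWN = REQUIRED | {"acknowledgments", "canonical", "encryption",
                    "hiring", "policy", "preferred-languages"}

def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values; comments (#) and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(body: str, content_type: str, now=None) -> list[str]:
    """Return the problems found; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # A permalink that lands on an HTML post page fails here; the /raw URL passes.
    if not content_type.lower().startswith("text/plain"):
        problems.append(f"Content-Type should be text/plain, got {content_type!r}")
    fields = parse_security_txt(body)
    problems += [f"missing required field {n}" for n in sorted(REQUIRED - set(fields))]
    problems += [f"unknown field {n!r}" for n in sorted(set(fields) - KNOWN)]
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI such as mailto:, got {contact!r}")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for raw in expires:
        try:
            when = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {raw!r}")
            continue
        when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(f"file expired at {raw}")
        elif when - now > timedelta(days=365):
            problems.append("Expires is over a year out; RFC 9116 recommends less")
    return problems

# Constructed sample body, standing in for what the forum's permalink should serve.
SAMPLE = ("Contact: mailto:security@forum.example\n"
          "Expires: 2027-01-01T00:00:00.000Z\n"
          "Canonical: https://forum.example/.well-known/security.txt\n")
```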