From 441229e9e214ca5b17bc4a67af7eb56796971e91 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Mon, 6 Oct 2025 19:58:21 +0100
Subject: [PATCH] web: Add security.txt
---
 cookbooks/web/recipes/frontend.rb | 7 +++++++
 cookbooks/web/templates/default/apache.frontend.erb | 2 ++
 cookbooks/web/templates/default/security.txt.erb | 10 ++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 cookbooks/web/templates/default/security.txt.erb
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index c7309b7f3..2ab7d8e9a 100644
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -53,6 +53,13 @@ remote_directory "#{node[:web][:base_directory]}/static" do
 files_mode "644"
 end
+template "#{node[:web][:base_directory]}/static/.well-known/security.txt" do
+ source "security.txt.erb"
+ owner "root"
+ group "root"
+ mode "644"
+end
+
 remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list" do
 source "https://www.cloudflare.com/ips-v4"
 compile_time true
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index d78fdcdab..85e571947 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -180,6 +180,8 @@ ErrorLog /var/log/apache2/error.log
 Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers
 Alias /funding.json <%= node[:web][:base_directory] %>/static/funding.json
 Alias /.well-known/funding-manifest-urls <%= node[:web][:base_directory] %>/static/.well-known/funding-manifest-urls
+ Alias /.well-known/security.txt <%= node[:web][:base_directory] %>/static/.well-known/security.txt
+ Alias /security.txt <%= node[:web][:base_directory] %>/static/.well-known/security.txt
 RedirectPermanent /stats https://planet.openstreetmap.org/statistics
 #
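Review bot: The new `template` resource writes into `static/.well-known/`, but nothing in this hunk creates that directory, and a Chef `template` does not create missing parent directories. It presumably comes from the `remote_directory` resource whose tail is visible just above (the Apache template already aliases `static/.well-known/funding-manifest-urls`), though that resource's body starts outside the hunk. If so, a one-line comment such as `# static/.well-known/ is populated by the remote_directory resource above` would record the ordering dependency. If that resource is ever set to purge unmanaged files, this rendered file would be removed and re-created on each run.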
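Review bot: The second alias serves a duplicate copy of the file at `/security.txt`, while the file itself declares only the `/.well-known/` URL as `Canonical`. RFC 9116 allows the legacy top-level path either to hold the file or to redirect to the `/.well-known/` location; a redirect, e.g. `RedirectPermanent /security.txt https://www.openstreetmap.org/.well-known/security.txt`, would keep a single authoritative URL. The rest of the vhost is outside the hunk, so it is also worth confirming that the response is sent as `text/plain; charset=utf-8`, which the RFC requires.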
diff --git a/cookbooks/web/templates/default/security.txt.erb b/cookbooks/web/templates/default/security.txt.erb
new file mode 100644
index 000000000..ae1a64b89
--- /dev/null
+++ b/cookbooks/web/templates/default/security.txt.erb
@@ -0,0 +1,10 @@
+<%
+ require "time"
+ target_date = (Time.now.utc + 28*24*60*60).to_date
+ expires_time = Time.utc(target_date.year, target_date.month, target_date.day, 22, 0, 0)
+%>
+Contact: https://github.com/openstreetmap/operations/blob/master/SECURITY.md
+Expires: <%= expires_time.iso8601 %>
+Preferred-Languages: en
+Policy: https://github.com/openstreetmap/operations/blob/master/SECURITY.md
+Canonical: https://www.openstreetmap.org/.well-known/security.txt
--
2.39.5
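Review bot: The `Expires` value is derived from `Time.now` at render time, so the published file stays valid only while Chef keeps converging on each frontend. If runs stop for four weeks the file expires, and RFC 9116 treats an expired file as stale data that should not be used. That may be intended as a staleness signal, but the template does not say so: a comment inside the `<% %>` block such as `# Rolling 28-day expiry, refreshed on every Chef run; an expired file means this node stopped converging` would record it. An external check that the served `Expires` is still in the future would catch a stalled node. The rendered content also changes once per day, so this template resource will report an update daily.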