Add redirects to central security.txt

[OllieJC]

As per guidance on the gds-way about security.txt and vulnerability disclosure, this PR adds a couple of HTML files (and a _config.yml file enabling the .well-known directory) that redirect to the Cabinet Office central security.txt: https://github.com/alphagov/security.txt

You can see the redirects in action on GitHub Pages in my fork here:

• https://olliejc.github.io/api-catalogue/.well-known/security.txt
• https://olliejc.github.io/api-catalogue/security.txt

Here's a testing site about security.txt files on GitHub Pages too: https://gh-pages-securitytxt.github.io/

[jamietanna]

Thanks for contributing 🙌

Just need to validate this locally

[jamietanna]

Hey @OllieJC did you check this locally? I'm seeing that this isn't redirecting properly locally - whereas it does when you are deploying to GH pages.

Thinking about it the _config.yml is a Jekyll file, not a Middleman file, so could be that's why it's working on your site? But that can't be right, as some of the site has built successfully from Middleman code 🤔

[jamietanna]

I'm currently looking at attempting to use redirect in Middleman, and spotted alphagov/tech-docs-gem#256

[jamietanna]

Hey @OllieJC, as per alphagov/tech-docs-gem#256 (comment) I've managed to get this working through pure Middleman redirects - are you happy if I amend your branch with the changes?

Again, thanks for raising this 🙌

[OllieJC]

Hi @jamietanna, sure give it a go! I have a feeling it might not work when deployed to GitHub Pages because it is very basic hosting that doesn't allow mime type changes etc.
I found a good way to test the built files locally was running:

bundle exec middleman build
cd build/
python3 -m http.server

..and navigating to http://localhost:8000

[OllieJC]

Although, I think Middleman just creates those same HTML pages, right? If so, yeah it should work! I'll try it in my branch and recommit :)

[jamietanna]

Thanks! Yeah I think I've narrowed it down to needing the below to cover both cases:

# required for local
page "/security.txt", content_type: 'text/html'
redirect 'security.txt', to: 'https://security-redirect.example.com/.well-known/security.txt'
# required for hosting
redirect 'security.txt.html', to: 'https://security-redirect.example.com/.well-known/security.txt'

[OllieJC]

So those security.txt.html files don't work with gh-pages, I've instead done:

redirect "security.txt/index.html", to: "https://security-redirect.example.com/.well-known/security.txt"
redirect ".well-known/security.txt/index.html", to: "https://security-redirect.example.com/.well-known/security.txt"

Which works locally and on gh-pages :)

Edit: changed ' to " for linting

[jamietanna]

Thanks for contributing, and sorry it was a bit all over the place 😁

[jamietanna]

Just double checked and it's all working 🙌