
.well-known/security.txt with JBake

Published by Benjamin Marwell on

Whether you are setting up a project or running a big company, you should host a file at .well-known/security.txt so others can contact you about incidents or security reports. Here is what it is about and how we implemented it using JBake on Apache Shiro's site.

What is a .well-known/security.txt?

Brian has an excellent primer on this file. If you haven't read it yet, please do!

Creating a template

The first thing you need for jbake is a template. There is not much to see here, as we render a text file. Each line gets a well-known prefix (think: a key) and a value for this key.

One thing to note is the expiry date field. The information in this file expires one year after it is created with jbake. This means that if you do not regenerate your static site with jbake within one year, your security.txt will become invalid (which is intended!).

Registering the template and its file type

Second step: register the new template and add its extension to jbake.properties so it actually renders as a text file.

template.securitytxt.file=securitytxt.ftl
template.securitytxt.extension=.txt

Content file: security

Already the last step: Create a content file in content/.well-known/security.adoc which basically just fills in the parameters we defined:

Done! This will now render like so:

Figure: .well-known/security.txt [jbake]. Screenshot from a browser and a terminal, both showing the output of http://localhost:8820/.well-known/security.txt from jbake.
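Because the file is meant to go stale if the site is not rebuilt, it is worth checking the rendered output in the build. The following Python check is an added example, not code from the original post or from Apache Shiro; the sample file, the 30-day threshold and the function names are assumptions, and the field rules (Contact required, exactly one Expires, no more than about a year ahead) follow RFC 9116.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a rendered file; address and date are placeholders.
SAMPLE = """\
# Constructed example, not the Apache Shiro file
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""

def parse_fields(text):
    """Return {lowercased field name: [values]} for 'Name: value' lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        name, sep, value = line.partition(":")
        # Skip comments, blank lines and lines without ':' (e.g. PGP armor).
        if line.startswith("#") or not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None, min_remaining=timedelta(days=30)):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems = []
    if not fields.get("contact"):
        problems.append("missing Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return problems + [f"expected exactly one Expires field, found {len(expires)}"]
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + [f"Expires is not an ISO 8601 timestamp: {expires[0]!r}"]
    if when.tzinfo is None:
        return problems + ["Expires has no time zone offset"]
    if when <= now:
        problems.append("Expires is in the past; the file is stale")
    elif when - now < min_remaining:
        problems.append("Expires is less than min_remaining away; rebuild the site")
    elif when - now > timedelta(days=366):  # 366 tolerates a leap year
        problems.append("Expires is more than a year away")
    return problems
```

Run it against the generated output file after each jbake build and fail the build when the returned list is not empty.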