Whenever you set up a project, and certainly if you are a big company, you should host a file .well-known/security.txt so others can contact you in case of incidents or security reports. Here is what it is about and how we implemented it using JBake in Apache Shiro's site.
What is a .well-known/security.txt?
Brian has an excellent primer on this file. If you haven't read it yet, please do!
Creating a template
The first thing you need for jbake is a template. There is not much to see here, as we render a text file. Each line gets a well-known prefix (think: a key) and a value to this key.
One thing to note is the expiry date field. The information in this file will expire one year after it was created using jbake. This means that if you do not re-create your static site using jbake within one year, your security.txt will become invalid (which is intended!).
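To make the expiry behaviour concrete, here is an added Python example (not the Shiro site's FreeMarker template and not part of the original post) that renders a minimal security.txt with an Expires value one year out and then checks a file the way a consumer would: the required Contact and Expires fields (RFC 9116), an Expires that is neither in the past nor more than a year ahead, and Contact values that are URIs. The contact and canonical URLs are placeholders.

```python
from datetime import datetime, timedelta, timezone

# RFC 9116 requires Contact and Expires; Expires must appear exactly once.
REQUIRED_FIELDS = ("Contact", "Expires")
RFC3339_UTC = "%Y-%m-%dT%H:%M:%SZ"


def render_security_txt(contact, canonical, now=None, lifetime_days=365):
    """Render a minimal security.txt; Expires is `lifetime_days` after `now`.

    Mirrors the jbake setup: the expiry is fixed at render time, so a site
    that is not rebuilt within a year ends up serving an expired file.
    """
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(days=lifetime_days)
    lines = [
        f"Contact: {contact}",
        f"Expires: {expires.strftime(RFC3339_UTC)}",
        f"Canonical: {canonical}",
    ]
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Parse 'Key: value' lines into a dict of key -> list of values."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for key in REQUIRED_FIELDS:
        if key not in fields:
            problems.append(f"missing required field: {key}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    if "Expires" in fields:
        try:
            expires = datetime.strptime(fields["Expires"][0], RFC3339_UTC)
            expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append("file has expired")
            elif expires > now + timedelta(days=366):
                problems.append("Expires is more than a year in the future")
        except ValueError:
            problems.append("Expires is not an RFC 3339 UTC timestamp")
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a URI: {contact}")
    return problems


if __name__ == "__main__":
    # Placeholder addresses, not the Shiro project's real contact details.
    txt = render_security_txt("mailto:security@example.org",
                              "https://example.org/.well-known/security.txt")
    print(txt)
    print("problems:", validate_security_txt(txt))
```

Running the validator against the site's published file from a cron job is a cheap way to notice that the one-year window has lapsed before a reporter does.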
Registering the template and its file type
Second step, register the new template and add its extension to jbake.properties, so it actually renders as a text file:

template.securitytxt.file=securitytxt.ftl
template.securitytxt.extension=.txt
Content file: security
Already the last step: Create a content file in content/.well-known/security.adoc which basically just fills in the parameters we defined:
Done! This will now render like so: