Merge pull request #4088 from alphagov/security-policy

Add security policy page

app/main/__init__.py

@@ -33,6 +33,7 @@ from app.main.views import (  # noqa isort:skip
     providers,
     register,
     returned_letters,
+    security_policy,
     send,
     service_settings,
     sign_in,

app/main/views/security_policy.py

@@ -0,0 +1,11 @@
+from flask import redirect
+
+from app.main import main
+
+
+@main.route('/.well-known/security.txt', methods=['GET'])
+@main.route('/security.txt', methods=['GET'])
+def security_policy():
+    # See GDS Way security policy which this implements
+    # https://gds-way.cloudapps.digital/standards/vulnerability-disclosure.html#vulnerability-disclosure-and-security-txt
+    return redirect("https://vdp.cabinetoffice.gov.uk/.well-known/security.txt")

tests/app/main/views/test_security_policy.py

@@ -0,0 +1,13 @@
+import pytest
+
+
+@pytest.mark.parametrize('url', [
+    '/security.txt',
+    '/.well-known/security.txt',
+])
+def test_security_policy_redirects_to_policy(client_request, url):
+    client_request.get_url(
+        url,
+        _expected_status=302,
+        _expected_redirect="https://vdp.cabinetoffice.gov.uk/.well-known/security.txt",
+    )

tests/app/test_navigation.py

@@ -212,6 +212,7 @@ EXCLUDED_ENDPOINTS = tuple(map(Navigation.get_endpoint_with_blueprint, {
     'roadmap',
     'save_contact_list',
     'security',
+    'security_policy',
     'send_files_by_email',
     'send_files_by_email_contact_details',
     'send_from_contact_list',