✨(web-presentation) add a security.txt URL

AntoineAugusti · AntoineAugusti · commit 03bd36940559 · 2026-06-05T23:00:25.000+01:00
diff --git a/src/web/config/settings/base.py b/src/web/config/settings/base.py
@@ -187,6 +187,8 @@
 # Default primary key field type
 DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 
+SECURITY_CONTACT_EMAIL = "ops.csplab@beta.gouv.fr"
+
 # Maximum CV size in cv upload flow
 CV_MAX_SIZE_MB = 5
 
diff --git a/src/web/config/urls.py b/src/web/config/urls.py
@@ -7,9 +7,11 @@
 from presentation.candidate import urls as candidate_urls
 from presentation.ingestion import urls as ingestion_urls
 from presentation.pages import urls as pages_urls
+from presentation.pages.views import security_txt
 from presentation.users import urls as users_urls
 
 urlpatterns: list[URLPattern | URLResolver] = [
+    path(".well-known/security.txt", security_txt),
     path("", include(pages_urls)),
     path("api/", include(api_urls)),
     path("admin/", admin.site.urls),
diff --git a/src/web/presentation/pages/urls.py b/src/web/presentation/pages/urls.py
@@ -8,6 +8,7 @@
     LegalNoticesView,
     PrivacyView,
     TermsView,
+    security_txt,
 )
 
 app_name = "pages"
diff --git a/src/web/presentation/pages/views.py b/src/web/presentation/pages/views.py
@@ -1,3 +1,5 @@
+from django.conf import settings
+from django.http import HttpResponse
 from django.views.generic import TemplateView
 
 
@@ -19,3 +21,8 @@ class PrivacyView(TemplateView):
 
 class LegalNoticesView(TemplateView):
     template_name = "pages/legal_notices.html"
+
+
+def security_txt(request):
+    content = f"Contact: mailto:{settings.SECURITY_CONTACT_EMAIL}\nPreferred-Languages: fr, en\n"
+    return HttpResponse(content, content_type="text/plain; charset=utf-8")
diff --git a/src/web/tests/candidate/presentation/views/test_static_pages_view.py b/src/web/tests/candidate/presentation/views/test_static_pages_view.py
@@ -5,6 +5,22 @@
 from pytest_django.asserts import assertTemplateUsed
 
 
+class TestSecurityTxtView:
+    def test_returns_ok(self, client, db):
+        response = client.get("/.well-known/security.txt")
+        assert response.status_code == HTTPStatus.OK
+
+    def test_content_type(self, client, db):
+        response = client.get("/.well-known/security.txt")
+        assert "text/plain" in response["Content-Type"]
+
+    def test_content(self, client, db):
+        response = client.get("/.well-known/security.txt")
+        content = response.content.decode()
+        assert "Contact: mailto:ops.csplab@beta.gouv.fr" in content
+        assert "Preferred-Languages: fr, en" in content
+
+
 @pytest.mark.parametrize(
     ("url_name", "template_name"),
     [

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`LegalNoticesView,`
`9`	`9`	`PrivacyView,`
`10`	`10`	`TermsView,`
	`11`	`+ security_txt,`
`11`	`12`	`)`
`12`	`13`
`13`	`14`	`app_name = "pages"`