
Add .well-known/security.txt for RFC 9116 compliance#355

Open
mendarb wants to merge 1 commit intodatabuddy-analytics:mainfrom
mendarb:add-security-txt

Conversation


@mendarb mendarb commented Mar 21, 2026

Summary

  • Adds .well-known/security.txt per RFC 9116 with contact, expiry (1 year), preferred languages, policy link, and canonical URL
  • Contact email sourced from existing SECURITY.md

Closes #325

Closes databuddy-analytics#325

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel bot commented Mar 21, 2026

@mendar is attempting to deploy a commit to the Databuddy OSS Team on Vercel.

A member of the Team first needs to authorize it.


coderabbitai bot commented Mar 21, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c9d9e335-caa4-47d5-a95c-df2e8a11a376

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.



greptile-apps bot commented Mar 21, 2026

Greptile Summary

This PR adds a .well-known/security.txt file at the repository root to implement RFC 9116 compliance, providing a standardised channel for security researchers to report vulnerabilities. The intent is good, but two issues prevent this from working correctly in production.

Key issues found:

  • File not served by any web app — The file is placed at the repository root, but all apps in the monorepo serve static assets from their own public/ directories (e.g., apps/dashboard/public/). No deployment pipeline or routing configuration exists to serve the repo-root .well-known/ path, meaning https://databuddy.cc/.well-known/security.txt will return 404 after deployment.
  • Incorrect Canonical URL — RFC 9116 §2.5 requires the Canonical field to be the HTTPS URI on the web host where the file is served. The current value (https://github.com/databuddy-analytics/Databuddy/blob/main/.well-known/security.txt) points to the GitHub HTML file viewer — not the live domain — breaking validator and scanner compatibility.
  • Policy URL uses GitHub blob viewer — Minor, but pointing to the raw file or a rendered policy page is more tool-friendly.

Confidence Score: 2/5

  • Safe to merge as a documentation artefact, but the file will have no real-world effect until the placement and Canonical URL are corrected.
  • The two P1 issues together mean the primary goal of this PR — making security.txt accessible to researchers and validators at the canonical domain URL — will not be achieved after merging. The file location needs to move into the serving app's public/ directory, and the Canonical field must be updated to the live domain URL before this provides any RFC 9116 compliance value.
  • .well-known/security.txt requires both a path correction (move to apps/<main-app>/public/.well-known/) and a Canonical URL fix before the RFC compliance goal is met.

Important Files Changed

Filename Overview
.well-known/security.txt New RFC 9116 security.txt file added at repo root; the Canonical field incorrectly points to the GitHub file viewer instead of the live domain URL, and the file is not placed in any web app's public/ directory, so it will never actually be served.

Sequence Diagram

sequenceDiagram
    participant Researcher as Security Researcher
    participant Domain as databuddy.cc
    participant App as Web App public dir

    Researcher->>Domain: GET /.well-known/security.txt
    Domain-->>Researcher: 404 Not Found
    note over Domain: File only exists at repo root,<br/>not in any app public/ dir

    note over Researcher,App: After fixes applied
    App->>Domain: Serves file from public/.well-known/security.txt
    Researcher->>Domain: GET /.well-known/security.txt
    Domain-->>Researcher: 200 OK with correct Canonical URL
    Researcher->>Researcher: Validates Canonical matches request URL

Last reviewed commit: "Add .well-known/secu..."

Expires: 2027-03-21T00:00:00.000Z
Preferred-Languages: en
Policy: https://github.com/databuddy-analytics/Databuddy/blob/main/SECURITY.md
Canonical: https://github.com/databuddy-analytics/Databuddy/blob/main/.well-known/security.txt

P1 Canonical URL points to GitHub, not the actual served location

RFC 9116 §2.5 requires the Canonical field to contain the HTTPS URI on the web host where the file is served — it is used by validators and security researchers to confirm they've reached the authoritative copy. Pointing it at github.com/…/blob/main/… (the GitHub file-browser view, which is neither the served domain nor a raw file) defeats this purpose entirely.

The value should be the URL at which your server will actually respond to requests, e.g.:

Suggested change
Canonical: https://github.com/databuddy-analytics/Databuddy/blob/main/.well-known/security.txt
Canonical: https://databuddy.cc/.well-known/security.txt

Replace databuddy.cc with the correct primary domain if it differs.

Comment on lines +1 to +5
Contact: mailto:security@databuddy.cc
Expires: 2027-03-21T00:00:00.000Z
Preferred-Languages: en
Policy: https://github.com/databuddy-analytics/Databuddy/blob/main/SECURITY.md
Canonical: https://github.com/databuddy-analytics/Databuddy/blob/main/.well-known/security.txt
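Review bot: Expires on line 2 is exactly one year after the PR date (2027-03-21T00:00:00.000Z); RFC 9116 §2.5.5 recommends the value be less than a year in the future, so a strict validator will warn on it. Pick a date comfortably inside a year, e.g. `Expires: 2027-03-01T00:00:00Z`, and set a reminder to refresh it, since an expired file must be treated as stale by anyone reading it. RFC 9116 §2.3 also recommends signing the file with an OpenPGP cleartext signature; if that is added later, the Canonical line on line 5 needs to be final first, because the signature covers the whole body.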

P1 File placed at repo root — not copied into any web app's public/ directory

For this file to actually be reachable at https://<domain>/.well-known/security.txt, it must be placed where the web server (or framework) will serve it as a static asset. All the apps in this monorepo that serve HTTP use their own public/ directory (e.g., apps/dashboard/public/, apps/docs/public/). Placing the file only at the repository root means it will never be picked up by any of those apps.

Wherever the main databuddy.cc domain resolves (likely apps/dashboard or apps/docs), the file should be placed at:

apps/<main-app>/public/.well-known/security.txt

Without this, the RFC 9116 endpoint simply won't exist on the live domain, even though the repository file looks correct.

Contact: mailto:security@databuddy.cc
Expires: 2027-03-21T00:00:00.000Z
Preferred-Languages: en
Policy: https://github.com/databuddy-analytics/Databuddy/blob/main/SECURITY.md

P2 Policy URL resolves to the GitHub HTML viewer, not a raw/web page

The Policy field currently links to the GitHub blob viewer. While this is technically accessible to humans, security automation tools and some validators expect either a raw file URL or a proper web page. Consider pointing to the raw content URL or hosting the policy on your own domain:

Suggested change
Policy: https://github.com/databuddy-analytics/Databuddy/blob/main/SECURITY.md
Policy: https://raw.githubusercontent.com/databuddy-analytics/Databuddy/main/SECURITY.md

(Or better, a rendered page at https://databuddy.cc/security if one exists.)



Development

Successfully merging this pull request may close these issues.

add .well-known/security.txt for rfc 9116 compliance
