Service(s)
Archives
Summary
NB: service may be wrong - not sure what maps to updates.jenkins.io
The Jenkins security team is constantly getting reports from "security researchers" that downloads are offering insecure directory listings.
Even though we document this at https://www.jenkins.io/security/reporting/#infrastructure people are not RTFMing...
It may reduce the spam we get if we added a file for either ReadmeName or HeaderName that gave a simple overview of what the site is and that the directory listings are expected. https://cwiki.apache.org/confluence/display/httpd/DirectoryListings#DirectoryListings-HeadersandFooters
Reproduction steps
navigate to https://updates.jenkins.io/download/plugins/
notice you have a directory listing with no other information
expected behaviour -
you have a directory listing saying this is the public contents of all jenkins plugins and versions for download (and is expected to be public)
NOTES
same possibly applies to get.jenkins.io, and mirrors.jenkins.io in addition to updates.jenkins.io
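A sketch of the proposal above, as an added example that is not from the issue or from the Jenkins infrastructure configuration. It assumes the listings are generated by Apache httpd's mod_autoindex; the directory path and the notice file name are placeholders.

```apache
# Added example. "/srv/example/htdocs" and "LISTING_NOTICE.html" are
# placeholders, not the real layout of any jenkins.io host.
<Directory "/srv/example/htdocs">
    # Listings are intentional here: every file under this tree is a
    # public artifact that is meant to be downloadable.
    Options +Indexes

    # Text shown above every generated listing. A leading slash makes the
    # path relative to DocumentRoot, so one file covers all subdirectories.
    # Use ReadmeName instead to show the same text below the listing.
    HeaderName /LISTING_NOTICE.html

    # Keep the notice file itself out of the generated listings.
    IndexIgnore LISTING_NOTICE.html
</Directory>

# LISTING_NOTICE.html (constructed sample text) is an HTML fragment, not a
# full document, because mod_autoindex still emits its own preamble:
#
#   <p>This is the public download area. Directory listings are enabled
#   on purpose and are not a security issue. Before reporting, see
#   https://www.jenkins.io/security/reporting/#infrastructure</p>
```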