Identify and Parse Web Security Policies Files

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. The 'security.txt' 'Web Security Policies' specification defines an 'IETF' draft standard <https://tools.ietf.org/html/draft-foudil-securitytxt-00> to help organizations define the process for security researchers to securely disclose security vulnerabilities. Tools are provided to help identify and parse 'security.txt' files to enable analysis of the usage and adoption of these policies.



Description

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. The 'security.txt' 'Web Security Policies' specification defines an 'IETF' standard to help organizations define the process for security researchers to securely disclose security vulnerabilities.

Tools are provided to identify and parse 'security.txt' files, enabling analysis of the usage of these policies.

What's Inside The Tin

The following functions are implemented:

  • sectxt: Parse a 'security.txt' Web Security Policies file & create a 'sectxt' object
  • sectxt_info: Retrieve a data frame of security.txt keys/values
  • sectxt_validate: Validate a 'security.txt' Web Security Policies file
  • sectxt_url: Determine security.txt URL for a given site/URL

Installation

devtools::install_github("hrbrmstr/securitytxt")

Usage

library(securitytxt)
packageVersion("securitytxt")
## [1] '0.1.0'
# built-in example
x <- sectxt(readLines(system.file("extdata", "security.txt", package="securitytxt")))
sectxt_info(x)
##          key                           value
## 1    contact            [email protected]
## 2 encryption https://example.com/pgp-key.txt
# "live" example
(xurl <- sectxt_url("https://securitytxt.org"))
## [1] "https://securitytxt.org/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
##       key                          value
## 1 contact https://twitter.com/EdOverflow
sectxt_validate(x)
## [1] TRUE
x
## <Web Security Policies Object>
## # Our security address
## Contact: https://twitter.com/EdOverflow
# another "live" example
(xurl <- sectxt_url("https://rud.is/b"))
## [1] "https://rud.is/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
##          key                                                                                         value
## 1    contact                                                                                    [email protected]
## 2 encryption https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## 3 disclosure                                                                                          Full
sectxt_validate(x)
## [1] TRUE
x
## <Web Security Policies Object>
## Contact: [email protected]
## Encryption: https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## Disclosure: Full
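To show what the three pieces above (locating the file, parsing it into key/value pairs, validating it) actually involve, here is an added Python example; it is not part of the securitytxt package and does not call its R functions. It works on a constructed security.txt body in the same field style the page's examples use (a '#' comment, Contact, Encryption, Disclosure). The assumed rules come from the draft-00 text: Contact is the only mandatory field, Encryption/Disclosure/Acknowledgement are the other recognized fields, and Disclosure takes one of Full, Partial or None; the well-known location is derived the way sectxt_url() shows it, by dropping the input path and appending /.well-known/security.txt to the scheme and host.

```python
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample security.txt in the draft-00 field style used on the page.
# All values are made up for this example.
SAMPLE_SECURITY_TXT = """\
# Our security address
Contact: security@example.com
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.txt
Disclosure: Full
"""

# Assumed field set from draft-00; only Contact is mandatory.
KNOWN_FIELDS = {"contact", "encryption", "disclosure", "acknowledgement"}
# Assumed permitted Disclosure values from draft-00 (the page shows "Full").
DISCLOSURE_VALUES = {"full", "partial", "none"}


def security_txt_url(site_url: str) -> str:
    """Well-known security.txt location for the origin of site_url.

    Mirrors the behaviour the page shows for sectxt_url(): the path of the
    input ("/b" in https://rud.is/b) is dropped and /.well-known/security.txt
    is appended to scheme + host.
    """
    parts = urlsplit(site_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {site_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "/.well-known/security.txt", "", ""))


def parse_security_txt(text: str) -> List[Tuple[str, str]]:
    """Parse a security.txt body into ordered (key, value) pairs.

    Blank lines and '#' comments are skipped. Keys are lower-cased so that
    'Contact:' and 'contact:' compare equal. A field may legitimately repeat
    (several Contact lines), so an ordered list is returned rather than a dict.
    """
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def validate_security_txt(pairs: List[Tuple[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the file validates.

    Checks: mandatory Contact present, every field name recognized, no empty
    values, Disclosure restricted to its assumed enumeration.
    """
    problems = []
    keys = [k for k, _ in pairs]
    if "contact" not in keys:
        problems.append("missing mandatory Contact field")
    for key, value in pairs:
        if key not in KNOWN_FIELDS:
            problems.append(f"unknown field {key!r}")
        if not value:
            problems.append(f"empty value for {key!r}")
        if key == "disclosure" and value.lower() not in DISCLOSURE_VALUES:
            problems.append(f"Disclosure must be Full, Partial or None, got {value!r}")
    return problems


if __name__ == "__main__":
    # Offline walk-through on the constructed sample: the "live" fetch step is
    # left out, so security_txt_url() is only used to compute the location.
    print(security_txt_url("https://rud.is/b"))
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    for key, value in parsed:
        print(f"{key:>12}  {value}")
    print("problems:", validate_security_txt(parsed) or "none")
```

Returning the list of problems rather than a bare TRUE/FALSE makes it easier to report, across a crawl of many sites, why a given policy file fails, which is the kind of adoption analysis the package description has in mind.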

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

News

0.1.0

  • Initial release


install.packages("securitytxt")

0.1.0 by Bob Rudis, 2 years ago


https://github.com/hrbrmstr/securitytxt


Report a bug at https://github.com/hrbrmstr/securitytxt/issues


Browse source code at https://github.com/cran/securitytxt


Authors: Bob Rudis [aut, cre], SEOmoz Inc [aut, cph] (url-cpp library, <https://github.com/seomoz/url-cpp>)


Documentation: PDF Manual


Task views: Web Technologies and Services


MIT + file LICENSE license


Imports Rcpp

Suggests testthat, covr

Linking to Rcpp
