spaze / security-txt
security.txt generator, parser, validator
Installs: 3 240
Dependents: 0
Suggesters: 0
Security: 0
Stars: 3
Watchers: 2
Forks: 0
Open Issues: 0
Requires (Dev)
- php: ^8.1
- nette/tester: ^2.5
- php-parallel-lint/php-console-highlighter: ^1.0
- php-parallel-lint/php-parallel-lint: ^1.3
- phpstan/phpstan: ^1.10
- spaze/coding-standard: ^1.6
- spaze/phpstan-disallowed-calls: ^3.1
Suggests
- ext-gnupg: Needed to verify and create signatures
This package is auto-updated.
Last update: 2024-10-26 01:00:03 UTC
README
How does it work
This package can validate security.txt
file either by providing
- the file contents as a string by calling
Spaze\SecurityTxt\Parser\SecurityTxtParser::parseString()
- a hostname like
example.com
toSpaze\SecurityTxt\Parser\SecurityTxtParser::parseHost()
- a URL like
https://example.com/
toSpaze\SecurityTxt\Check\SecurityTxtCheckHost::check()
Each of the options above will call preceding method and add more validations which are only possible in that particular case.
There's also a command line script in bin
which uses Spaze\SecurityTxt\Check\SecurityTxtCheckHostCli::check()
mostly just to add command line output to Spaze\SecurityTxt\Check\SecurityTxtCheckHost::check()
.
If you want to decouple fetching the security.txt
file and parsing it, there's also a possibility to pass a SecurityTxtFetchResult
object to Spaze\SecurityTxt\Parser\SecurityTxtParser::parseFetchResult()
.
How to use it
Spaze\SecurityTxt\Check\SecurityTxtCheckHost::check()
is probably what you'd want to use as it provides the mos comprehensive checks, can pass a URL, not just a hostname, and also supports callbacks. It accepts these parameters:
string $url
A URL where the file will be looked for, you can pass just for example https://example.com
, no need to use the full path to the security.txt
file, because only the hostname of the URL will be used for further checks
?int $expiresWarningThreshold = null
The validator will start throwing warnings if the file expires soon, and you can say what "soon" means by specifying the number of days here
bool $strictMode = false
If you enable strict mode, then the file will be considered invalid, meaning SecurityTxtCheckHostResult::isValid()
will return false
even when there are only warnings, with strict mode disabled, the file with only warnings would still be valid and SecurityTxtCheckHostResult::isValid()
would return true
bool $noIpv6 = false
Because some environments do not support IPv6, looking at you GitHub Actions
Spaze\SecurityTxt\Check\SecurityTxtCheckHost::check()
returns a Spaze\SecurityTxt\Check\SecurityTxtCheckHostResult
object with some obvious and less obvious properties.
The less obvious ones can be obtained with the following methods. All of them return an array of SecurityTxtSpecViolation
descendants.
getFetchErrors()
Returns list<SecurityTxtSpecViolation>
and contains errors encountered when fetching the file from a server. For example but not limited to:
- When the content type or charset is wrong
- When the URL scheme is not HTTPS
getFetchWarnings()
Also returns list<SecurityTxtSpecViolation>
and has warnings when fetching the file, like for example but not limited to:
- When the files at
/security.txt
and/.well-known/security.txt
differ - When
/security.txt
does not redirect to/.well-known/security.txt
getLineErrors()
Returns array<int, list<SecurityTxtSpecViolation>>
where the array int
key is the line number. Contains errors discovered when parsing and validating the contents of the security.txt
file. These errors are produced by any class that implements the FieldProcessor
interface. The errors include but are not limited to:
- When a field uses incorrect separators
- When a field value is not URL or the URL doesn't use
https://
scheme
getLineWarnings()
Also returns array<int, list<SecurityTxtSpecViolation>>
where the array int
key is the line number. Contains warnings generated by any class that implements the FieldProcessor
interface, when parsing and validating the contents of the security.txt
file. These warnings include but are not limited to:
- When the
Expires
field's value is too far into the future
getFileErrors()
Returns list<SecurityTxtSpecViolation>
, the list contains file-level errors which cannot be paired with any single line. These error are generated by FieldValidator
child classes, and include:
- When mandatory fields like
Contact
orExpires
are missing
getFileWarnings()
Returns list<SecurityTxtSpecViolation>
, the list contains file-level warnings that cannot be paired with any single line. These warnings are generated by FieldValidator
child classes, and include for example:
- When the file is signed, but there's no
Canonical
field
Callbacks
SecurityTxtCheckHost::check()
supports callbacks that can be set with SecurityTxtCheckHost::addOn*()
methods. You can use them to get the parsing information in "real time", and are used for example by the bin/checksecuritytxt.php
script via the \Spaze\SecurityTxt\Check\SecurityTxtCheckHostCli
class to print information as soon as it is available.
JSON
The Spaze\SecurityTxt\Check\SecurityTxtCheckHostResult
object can be encoded to JSON with json_encode()
,
and decoded back with Spaze\SecurityTxt\Check\SecurityTxtCheckHostResultFactory::createFromJson()
.
The other methods
Both Spaze\SecurityTxt\Parser\SecurityTxtParser::parseString()
and Spaze\SecurityTxt\Parser\SecurityTxtParser::parseHost()
return a Spaze\SecurityTxt\Parser\SecurityTxtParseResult
object with similar methods as what's described above for SecurityTxtCheckHostResult
.
The result returned from parseHost()
also contains Spaze\SecurityTxt\Fetcher\SecurityTxtFetchResult
object.