REDbot is lint for HTTP.
Project description
REDbot
REDbot is lint for HTTP resources.
It checks HTTP resources for feature support and common protocol problems at the HTTP semantic and caching layers. You can use the public instance on https://redbot.org/, or you can install it locally.
Contributing to REDbot
Your ideas, questions and other contributions are most welcome. See CONTRIBUTING.md for details.
Setting Up Your Own REDbot
Installation
REDbot requires a current version of Python.
The recommended method for installing REDbot is using pipx. To install the latest release, do:
pipx install redbot
Or, to use the most development version of REDbot, run:
pipx install git+https://github.com/mnot/redbot.git
Both of these methods will install the following programs into your pipx binary folder:
redbot- the command-line interfaceredbot_daemon- Web interface as a standalone daemon
Running REDbot as a systemd Service
REDbot can run as a standalone service, managed by systemd. This offers a degree of sandboxing and resource management, as well as process monitoring (including a watchdog function).
To do this, install REDbot on your system with the systemd option. For example:
pipx install redbot[systemd]
The copy extra/redbot.service into the appropriate directory (on most systems, /etc/systemd/system/.)
Modify the file appropriately; this is only a sample. Then, as root:
> systemctl reload-daemon
> systemctl enable redbot
> systemctl start redbot
By default, REDbot will listen on localhost port 8000. This can be adjusted in config.txt. Running REDbot behind a reverse proxy is recommended, if it is to be exposed to the Internet.
If you want to allow people to save test results, create the directory referenced by the 'save_dir' configuration variable, and make sure that it's writable to the REDbot process.
Running REDbot in a Container
OCI-compliant containers are available on Github, and it's easy to run REDbot one using a tool like Docker or Podman. For example:
docker run --rm -p 8000:8000 ghcr.io/mnot/redbot
or
podman run --rm -p 8000:8000 ghcr.io/mnot/redbot
Web Bot Auth
REDbot can authenticate its outgoing requests using Web Bot Auth, which signs requests with an Ed25519 key using HTTP Message Signatures (RFC 9421). This lets origins verify that requests genuinely come from your REDbot instance. The implementation follows the IETF drafts and is not specific to any one verifier.
Requests are sent unsigned by default. REDbot only attaches a signature when the origin challenges for one -- that is, when it returns a 401, 403, or 429 response carrying an Accept-Signature header -- and then transparently retries the request signed. This avoids advertising the bot's identity to servers that don't ask for it.
Generating a key
Create an Ed25519 private key in PEM form:
> openssl genpkey -algorithm ed25519 -out web-bot-auth-key.pem
Keep this file private and readable by the REDbot process. The matching public key is published automatically (see below); you do not need to extract it yourself.
Configuring
Set these in config.txt (for redbot_daemon):
web_bot_auth_key = /path/to/web-bot-auth-key.pem
web_bot_auth_directory = https://your-redbot.example
web_bot_auth_directory is the HTTPS origin where your public key directory is hosted. When you run redbot_daemon, it serves that directory at /.well-known/http-message-signatures-directory (a JWKS, self-signed per the spec), so a verifier can fetch your public key. Make sure that path is reachable at the origin you configured.
web_bot_auth_directory is optional: if you omit it, REDbot uses the origin of ui_uri. Because ui_uri defaults to https://redbot.org/, enabling signing requires ui_uri to be set to your instance's real public origin — otherwise you would publish the wrong bot identity. Set web_bot_auth_directory explicitly if your key directory lives on a different origin than the UI.
For the command-line tool, pass the equivalent flags (there is no ui_uri, so the directory is required):
> redbot --web-bot-auth-key web-bot-auth-key.pem --web-bot-auth-directory https://your-redbot.example https://example.com/
Registering with a verifier
To be recognised by a specific verifier, register your directory URL with them according to their process.
Credits
Icons by Font Awesome. REDbot includes code from tippy.js and prettify.js.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file redbot-2.5.1.tar.gz.
File metadata
- Download URL: redbot-2.5.1.tar.gz
- Upload date:
- Size: 339.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
70eb744da1f3393d8ea51de4c67aa416b8b9c0af92202bd01689b56beff8cfd6
|
|
| MD5 |
e5a4c26aa5f3ba1c2f5d55d73400ef81
|
|
| BLAKE2b-256 |
55de53cd13a5877feea63b2f31b2a371846804183e7576725f38baa0be47d05e
|
Provenance
The following attestation bundles were made for redbot-2.5.1.tar.gz:
Publisher:
publish.yml on mnot/redbot
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
redbot-2.5.1.tar.gz -
Subject digest:
70eb744da1f3393d8ea51de4c67aa416b8b9c0af92202bd01689b56beff8cfd6 - Sigstore transparency entry: 2026841468
- Sigstore integration time:
-
Permalink:
mnot/redbot@b322e490c530da16c2a20cc75f1b4af3b1ba8fd7 -
Branch / Tag:
refs/tags/v2.5.1 - Owner: https://github.com/mnot
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b322e490c530da16c2a20cc75f1b4af3b1ba8fd7 -
Trigger Event:
push
-
Statement type:
File details
Details for the file redbot-2.5.1-py3-none-any.whl.
File metadata
- Download URL: redbot-2.5.1-py3-none-any.whl
- Upload date:
- Size: 374.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6849904cd18a3fb11e31b1f537a11b2e470768364f05ff89a22213a638d5894c
|
|
| MD5 |
7b59f644fa1068ce0250268f1b0ce4ab
|
|
| BLAKE2b-256 |
30600a372dc755dc0be724272fff58870080f7ff4dc2c19f40dd05ac3e405258
|
Provenance
The following attestation bundles were made for redbot-2.5.1-py3-none-any.whl:
Publisher:
publish.yml on mnot/redbot
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
redbot-2.5.1-py3-none-any.whl -
Subject digest:
6849904cd18a3fb11e31b1f537a11b2e470768364f05ff89a22213a638d5894c - Sigstore transparency entry: 2026841559
- Sigstore integration time:
-
Permalink:
mnot/redbot@b322e490c530da16c2a20cc75f1b4af3b1ba8fd7 -
Branch / Tag:
refs/tags/v2.5.1 - Owner: https://github.com/mnot
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b322e490c530da16c2a20cc75f1b4af3b1ba8fd7 -
Trigger Event:
push
-
Statement type: