security.txt parser and validator
Project description
SecTXT: Security.txt parser and validator
This package contains a security.txt (RFC 9116) parser and validator.
When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.
Installation
The package is available on pypi. It can be installed using pip:
> python -m pip install sectxt
Usage
>>> from sectxt import SecurityTXT
>>> s = SecurityTXT("www.example.com")
>>> s.is_valid()
True
Validation
>>> from sectxt import SecurityTXT
>>> s = SecurityTXT("www.example.com")
>>> s.errors
[{'code': 'no_uri', 'message': 'The field value must be an URI', 'line': 2}, {'code': 'no_expire', 'message': 'The Expires field is missing', 'line': None}]
>>> s.recommendations
[{'code': 'long_expiry', 'message': 'Expiry date is more than one year in the future', 'line': 3}]
The "errors", "recommendations" and "notifications" attribute return a list of entries. An entry is a dict with three keys:
| key | value |
|---|---|
| code | A fixed error code string |
| message | A human readable error message in English |
| line | The 1 based integer line number where the error occurred or None when the error applies to the entire file |
Possible errors
| code | message |
|---|---|
| "no_security_txt" | "security.txt could not be located." |
| "location" | "security.txt was located on the top-level path (legacy place), but must be placed under the '/.well-known/' path." |
| "invalid_uri_scheme" | "Insecure URI scheme HTTP is not allowed. The security.txt file access must use the HTTPS scheme" |
| "invalid_cert" | "security.txt must be served with a valid TLS certificate." |
| "no_content_type" | "HTTP Content-Type header must be sent." |
| "invalid_media" | "Media type in Content-Type header must be 'text/plain'." |
| "invalid_charset" | "Charset parameter in Content-Type header must be 'utf-8' if present." |
| "utf8" | "Content must be utf-8 encoded." |
| "no_expire" | "'Expires' field must be present." |
| "multi_expire" | "'Expires' field must not appear more than once." |
| "invalid_expiry" | "Date and time in 'Expires' field must be formatted according to ISO 8601." |
| "expired" | "Date and time in 'Expires' field must not be in the past." |
| "no_contact" | "'Contact' field must appear at least once." |
| "no_canonical_match" | "Web URI where security.txt is located must match with a 'Canonical' field. In case of redirecting either the first or last web URI of the redirect chain must match." |
| "multi_lang" | "'Preferred-Languages' field must not appear more than once." |
| "invalid_lang" | "Value in 'Preferred-Languages' field must match one or more language tags as defined in RFC5646, separated by commas." |
| "no_uri" | "Field value must be a URI (e.g. beginning with 'mailto:')." |
| "no_https" | "Web URI must begin with 'https://'." |
| "prec_ws" | "There must be no whitespace before the field separator (colon)." |
| "no_space" | "Field separator (colon) must be followed by a space." |
| "empty_key" | "Field name must not be empty." |
| "empty_value" | "Field value must not be empty." |
| "invalid_line" | "Line must contain a field name and value, unless the line is blank or contains a comment." |
| "no_line_separators" | "Every line must end with either a carriage return and line feed characters or just a line feed character" |
| "signed_format_issue" | "Signed security.txt must start with the header '-----BEGIN PGP SIGNED MESSAGE-----'. " |
| "data_after_sig" | "Signed security.txt must not contain data after the signature." |
| "no_csaf_file" | "All CSAF fields must point to a provider-metadata.json file." |
Possible recommendations
| code | message |
|---|---|
| "long_expiry" | "Date and time in 'Expires' field should be less than a year into the future." |
| "no_encryption" | "'Encryption' field should be present when 'Contact' field contains an email address." |
| "not_signed"[1] | "security.txt should be digitally signed." |
| "no_canonical" | "'Canonical' field should be present in a signed file." |
| "multiple_csaf_fields" | "It is allowed to have more than one CSAF field, however this should be removed if possible." |
Possible notifications
| code | message |
|---|---|
| "unknown_field"[2] | "Security.txt contains an unknown field. Field {unknown_field} is either a custom field which may not be widely supported, or there is a typo in a standardised field name. |
[1] The security.txt parser will check for the addition of the digital signature, but it will not verify the validity of the signature.
[2] Regarding code "unknown_field": According to RFC 9116 section 2.4, any fields that are not explicitly supported must be ignored. This parser does add a notification for unknown fields by default. This behaviour can be turned off using the parameter recommend_unknown_fields:
>>> from sectxt import SecurityTXT
>>> s = SecurityTXT("www.example.com", recommend_unknown_fields=False)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sectxt-0.8.3.tar.gz.
File metadata
- Download URL: sectxt-0.8.3.tar.gz
- Upload date:
- Size: 15.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4fb84dd13232c5a97e95cbf3b4d3935a139e1ecf62fd6cbe56f7c27a51bddb65
|
|
| MD5 |
fac69f1f548a4f3a5675db2a09ca2858
|
|
| BLAKE2b-256 |
7a1886bed006583c42198d3663539425bf816259d47fd1cf9ed072c13f6ee10b
|
File details
Details for the file sectxt-0.8.3-py3-none-any.whl.
File metadata
- Download URL: sectxt-0.8.3-py3-none-any.whl
- Upload date:
- Size: 13.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
599c7998b98fbc062299223e34c25552ee83e212164ea0585801ccf718a2f3c3
|
|
| MD5 |
e4840cd3fa27ddcfc604ff0e304b9a9e
|
|
| BLAKE2b-256 |
247bff2e80a31543dba5d7ae3e02c251b8b85718288c5229c188e392cef74edc
|
