express-security-txt

Express middleware that implements a security.txt path and policy


Express Security Txt

Express middleware that implements a security.txt path and policy. Allows the repeating of a directive, as well as the insertion of comments.

Installation

yarn add express-security-txt

Usage

Define an options object with the keys that make up a valid security.txt file. All the keys are in camelCase.

const express = require('express')
const securityTxt = require('express-security-txt')

const app = express()

// Keys are camelCase versions of the security.txt directive names
const options = {
  contact: 'https://example.com/security/',
  preferredLanguages: 'en'
}

app.use(securityTxt.setup(options))

Passing multiple values

Some directives allow you to specify multiple values. This package allows you to do this by passing an array:

const options = {
  contact: ['mailto:security@example.com', 'https://example.com/security/']
}

Adding comments

Comments can be included in the generated file. The # at the beginning of each line of a comment is inserted automatically by the package.

Comments at the start and end of a file can be added by using the _prefixComment and _postfixComment keys, like so:

const options = {
  _prefixComment: 'This comment will appear at the beginning of the security.txt file',
  contact: 'mailto:security@example.com',
  _postfixComment: 'This comment will appear at the end of the security.txt file'
}

NOTE: You may include the newline character (\n), and the package will automatically insert the # symbol at the beginning of each line.

Multiline comments can also be added by specifying an array, where each element is a line of the comment.

Comments just before a directive can be added by creating an object of the form { comment: '...', value: '...' }, where value is the value of the field and comment is the text placed directly above that field.

For example,

const options = {
  contact: 'https://example.com/security/',
  acknowledgments: {
    comment: 'This comment will appear just above the Acknowledgments field',
    value: 'https://example.com/hall_of_fame'
  }
}

Would become

Contact: https://example.com/security/
# This comment will appear just above the Acknowledgments field
Acknowledgments: https://example.com/hall_of_fame

If a field allows multiple values, you can leave a comment on each one like so:

const options = {
  contact: [
    { comment: 'You can rarely reach me by email', value: 'mailto:security@example.com' },
    { comment: 'Try this online form instead?', value: 'https://example.com/security/' }
  ]
}
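As an added illustration (not the express-security-txt package's own source), the following JavaScript renders an options object of the shape described in the Usage, Passing multiple values and Adding comments sections into security.txt text, and wraps it in a minimal Express-style middleware. The camelCase directive keys, the _prefixComment and _postfixComment keys and the { comment, value } form follow this README; the /.well-known/security.txt path is the location RFC 9116 defines and is assumed here, and sampleOptions is a constructed input.

```javascript
// Added example, not the package's own code: renders an options object into
// security.txt text and serves it from an Express-compatible middleware.
// Assumption: the file is served at /.well-known/security.txt (RFC 9116).

// Map a camelCase option key to the directive name used in security.txt:
// "preferredLanguages" -> "Preferred-Languages", "contact" -> "Contact".
function directiveName(key) {
  const dashed = key.replace(/([a-z])([A-Z])/g, '$1-$2');
  return dashed.charAt(0).toUpperCase() + dashed.slice(1);
}

// Render a comment given as a string (possibly containing "\n") or as an
// array of lines, inserting "# " at the beginning of every line.
function renderComment(comment) {
  const lines = Array.isArray(comment) ? comment : String(comment).split('\n');
  return lines.map((line) => `# ${line}`).join('\n');
}

// Render one directive value. A { comment, value } object gets its comment
// placed directly above the directive line.
function renderField(name, item) {
  if (item !== null && typeof item === 'object' && 'value' in item) {
    const head = item.comment !== undefined ? renderComment(item.comment) + '\n' : '';
    return `${head}${name}: ${item.value}`;
  }
  return `${name}: ${item}`;
}

// Build the full security.txt body from an options object. Keys starting
// with "_" are reserved for the prefix/postfix comments.
function renderSecurityTxt(options) {
  const out = [];
  if (options._prefixComment !== undefined) out.push(renderComment(options._prefixComment));
  for (const [key, raw] of Object.entries(options)) {
    if (key.startsWith('_')) continue;
    const name = directiveName(key);
    const values = Array.isArray(raw) ? raw : [raw]; // arrays repeat the directive
    for (const item of values) out.push(renderField(name, item));
  }
  if (options._postfixComment !== undefined) out.push(renderComment(options._postfixComment));
  return out.join('\n') + '\n';
}

// Minimal Express-compatible middleware: the body is rendered once at setup,
// served as text/plain on the well-known path, and every other request is
// passed on with next().
function setup(options) {
  const body = renderSecurityTxt(options);
  return function securityTxtMiddleware(req, res, next) {
    if (req.path === '/.well-known/security.txt') {
      res.set('Content-Type', 'text/plain; charset=utf-8');
      return res.send(body);
    }
    next();
  };
}

// Constructed sample input mirroring the README's examples.
const sampleOptions = {
  _prefixComment: ['Our security policy', 'Last reviewed by the security team'],
  contact: [
    { comment: 'You can rarely reach me by email', value: 'mailto:security@example.com' },
    { comment: 'Try this online form instead?', value: 'https://example.com/security/' }
  ],
  preferredLanguages: 'en',
  acknowledgments: {
    comment: 'Hall of fame',
    value: 'https://example.com/hall_of_fame'
  },
  _postfixComment: 'Generated from an options object\nSee the README'
};

// Print the rendered file when run directly, e.g. `node security-txt.js`.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  process.stdout.write(renderSecurityTxt(sampleOptions));
}
if (typeof module !== 'undefined') {
  module.exports = { directiveName, renderComment, renderField, renderSecurityTxt, setup, sampleOptions };
}
```

Rendering the body once in setup() rather than per request keeps the handler free of string building on the hot path, and checking for a { comment, value } object inside the array loop is what lets a per-value comment sit directly above its own repeated Contact line.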

Tests

Project tests:

yarn run test

Project linting:

yarn run lint

Contributing

Commit Guidelines

The project uses the commitizen tool to standardize changelog-style commit messages, so commit like this:

git add .           # add files to staging
yarn run commit      # use the wizard for the commit message