@chain305/x-security 0.2.4 → 0.2.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +39 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -89,6 +89,45 @@ xsecurity validate api.yaml --target kong --gateway http://localhost:8001
|
|
|
89
89
|
|
|
90
90
|
Run `xsecurity <command> --help` for full flags.
|
|
91
91
|
|
|
92
|
+
## Support matrix
|
|
93
|
+
|
|
94
|
+
### Compile & deploy targets
|
|
95
|
+
|
|
96
|
+
`xsecurity generate --target <name>` compiles one annotated spec to any of these. Two are hosted deploys; the rest are self-hosted bundles you drop into your gateway.
|
|
97
|
+
|
|
98
|
+
| Target (`--target`) | What it is | Delivery | Status |
|
|
99
|
+
| --- | --- | --- | --- |
|
|
100
|
+
| `cloudflare` | Cloudflare Ruleset Engine + WAF | hosted deploy | GA |
|
|
101
|
+
| `aws-apigw` | AWS API Gateway + WAFv2 | hosted deploy | beta |
|
|
102
|
+
| `kong` | Kong Gateway (decK plugin config) | self-hosted bundle | beta |
|
|
103
|
+
| `coraza` | Coraza / ModSecurity WAF (SecLang) | self-hosted bundle | beta |
|
|
104
|
+
| `coraza` *(nginx preset)* | NGINX + libcoraza | self-hosted bundle | beta |
|
|
105
|
+
| `bunkerweb` | BunkerWeb (OpenResty WAF) | self-hosted bundle | beta |
|
|
106
|
+
| `openappsec` | Check Point Open AppSec WAF | self-hosted bundle | beta |
|
|
107
|
+
| `envoy` | Envoy (ext_proc / Lua filter) | self-hosted bundle | alpha |
|
|
108
|
+
| `firewall` | Host firewall (iptables) | self-hosted bundle | SSRF egress only¹ |
|
|
109
|
+
|
|
110
|
+
¹ `firewall` is L3/L4 — it enforces only API7 SSRF egress via `domainAllowlist`; it can't introspect HTTP, so it's not on the coverage matrix below.
|
|
111
|
+
|
|
112
|
+
### OWASP API Top 10 coverage per target
|
|
113
|
+
|
|
114
|
+
How much of each class a target can **enforce natively**. 🟢 full · 🟡 partial · 🔴 gap · ⚪ not yet measured.
|
|
115
|
+
|
|
116
|
+
| OWASP API class | Cloudflare | AWS API GW | BunkerWeb |
|
|
117
|
+
| --- | :--: | :--: | :--: |
|
|
118
|
+
| API1 · Broken Object Level Auth (BOLA) | 🔴 | 🔴 | 🔴 |
|
|
119
|
+
| API2 · Broken Authentication | 🟡 | 🟡 | 🟡 |
|
|
120
|
+
| API3 · Broken Object Property Auth (BOPLA) | 🟡 | 🟡 | 🟡 |
|
|
121
|
+
| API4 · Unrestricted Resource Consumption | 🟢 | 🟡 | 🟡 |
|
|
122
|
+
| API5 · Broken Function Level Auth (BFLA) | 🟡 | 🟡 | 🟡 |
|
|
123
|
+
| API6 · Unrestricted Access to Business Flows | 🟡 | 🟡 | 🟡 |
|
|
124
|
+
| API7 · Server-Side Request Forgery (SSRF) | 🔴 | 🔴 | 🟢 |
|
|
125
|
+
| API8 · Security Misconfiguration | 🟡 | 🟡 | 🟡 |
|
|
126
|
+
| API9 · Improper Inventory Management | 🔴 | 🔴 | 🟡 |
|
|
127
|
+
| API10 · Unsafe Consumption of APIs | 🟡 | 🟡 | 🟡 |
|
|
128
|
+
|
|
129
|
+
Only these three targets are independently **measured** today; Kong, Coraza, NGINX, Envoy and OpenAppSec compile the same policy but aren't yet published with a per-class measurement (⚪). Authorization classes (**API1**, **API5**) rise when JWT **identity** is wired — with identity context API1 reaches 🟡 on Cloudflare and 🟢 on AWS, and API5 reaches 🟢 on AWS. Full per-field matrix (incl. the Writ-native injection / prompt-injection / audit classes): **[usewaf.com/coverage](https://usewaf.com/coverage)**.
|
|
130
|
+
|
|
92
131
|
## License
|
|
93
132
|
|
|
94
133
|
Apache-2.0
|
package/package.json
CHANGED