@chain305/x-security 0.4.3 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,8 +1,8 @@
1
1
  # x-security CLI
2
2
 
3
3
  **Most teams run their API gateway and WAF on defaults.** The security is
4
- already in the box authentication, rate limits, request validation,
5
- ownership/BOLA checks but turning it on means learning each vendor's config
4
+ already in the box (authentication, rate limits, request validation,
5
+ ownership/BOLA checks), but turning it on means learning each vendor's config
6
6
  DSL, and the rules you write lock you into that vendor and drift out of sync
7
7
  with your code.
8
8
 
@@ -10,10 +10,10 @@ with your code.
10
10
  OpenAPI spec you already have.** It versions in git, diffs like code, and a
11
11
  deterministic CLI compiles it to whichever gateway you run.
12
12
 
13
- - **No new DSL** policy lives in your OpenAPI file, next to the route it protects.
14
- - **No vendor lock-in** one spec compiles to Kong, Coraza, BunkerWeb, OpenAppSec, Envoy, or a firewall bundle. Switch gateways without rewriting a line of policy.
15
- - **No config drift** the spec is the source of truth; `validate` fails CI when the running gateway drifts from it.
16
- - **Deterministic** no LLM calls, no API keys. It compiles exactly what your spec says, and nothing it can't verify.
13
+ - **No new DSL.** Policy lives in your OpenAPI file, next to the route it protects.
14
+ - **No vendor lock-in.** One spec compiles to Kong, Coraza, BunkerWeb, OpenAppSec, Envoy, or a firewall bundle. Switch gateways without rewriting a line of policy.
15
+ - **No config drift.** The spec is the source of truth; `validate` fails CI when the running gateway drifts from it.
16
+ - **Deterministic.** No LLM calls, no API keys. It compiles exactly what your spec says, and nothing it can't verify.
17
17
 
18
18
  ## Install
19
19
 
@@ -107,7 +107,7 @@ Run `xsecurity <command> --help` for full flags.
107
107
  | `envoy` | Envoy (ext_proc / Lua filter) | self-hosted bundle | alpha |
108
108
  | `firewall` | Host firewall (iptables) | self-hosted bundle | SSRF egress only¹ |
109
109
 
110
- ¹ `firewall` is L3/L4 it enforces only API7 SSRF egress via `domainAllowlist`; it can't introspect HTTP, so it's not on the coverage matrix below.
110
+ ¹ `firewall` is L3/L4: it enforces only API7 SSRF egress via `domainAllowlist`; it can't introspect HTTP, so it's not on the coverage matrix below.
111
111
 
112
112
  ### OWASP API Top 10 coverage per target
113
113
 
@@ -126,7 +126,7 @@ How much of each class a target can **enforce natively**. 🟢 full · 🟡 part
126
126
  | API9 · Improper Inventory Management | 🔴 | 🔴 | 🟡 |
127
127
  | API10 · Unsafe Consumption of APIs | 🟡 | 🟡 | 🟡 |
128
128
 
129
- Only these three targets are independently **measured** today; Kong, Coraza, NGINX, Envoy and OpenAppSec compile the same policy but aren't yet published with a per-class measurement (⚪). Cells like **🔴→🟢** are the same control stateless vs. with a JWT identity wired ownership checks (BOLA/BFLA) need to know who the caller is, so a stateless WAF can't enforce them. A **🟡** means the target enforces most of the class natively, not all. Full per-field matrix (incl. the x-security-native injection / prompt-injection / audit classes): **[usewaf.com/coverage](https://usewaf.com/coverage)**.
129
+ Only these three targets are independently **measured** today; Kong, Coraza, NGINX, Envoy and OpenAppSec compile the same policy but aren't yet published with a per-class measurement (⚪). Cells like **🔴→🟢** are the same control stateless vs. with a JWT identity wired. Ownership checks (BOLA/BFLA) need to know who the caller is, so a stateless WAF can't enforce them. A **🟡** means the target enforces most of the class natively, though not all of it. Full per-field matrix (incl. the x-security-native injection / prompt-injection / audit classes): **[usewaf.com/coverage](https://usewaf.com/coverage)**.
130
130
 
131
131
  ## License
132
132