{"id":28419964,"url":"https://github.com/h5bp/server-configs-test","last_synced_at":"2026-03-14T14:28:42.129Z","repository":{"id":34107349,"uuid":"168996784","full_name":"h5bp/server-configs-test","owner":"h5bp","description":"Tests for HTTP server boilerplate configs","archived":false,"fork":false,"pushed_at":"2026-02-02T23:47:50.000Z","size":6565,"stargazers_count":42,"open_issues_count":3,"forks_count":17,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-06T02:27:38.997Z","etag":null,"topics":["actions","ci","config","github-actions","h5bp","standard","test"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/h5bp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["LeoColomb"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"custom":null}},"created_at":"2019-02-03T21:42:10.000Z","updated_at":"2026-01-30T23:14:16.000Z","dependencies_parsed_at":"2026-01-07T17:06:40.808Z","dependency_job_id":null,"html_url":"https://github.com/h5bp/server-configs-test","commit_stats":{"total_commits":393,"total_committers":4,"mean_commits":98.25,"dds":0.5063613231552162,"last_synced_commit":"2233d410ee8572c8d17491abcd27295f561991c4"},"previous_names":[],"tags_count":57,"template":false,"template_full_name":null,"purl":"pkg:github/h5bp/server-configs-test","repository_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h5bp%2Fserver-configs-test","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h5bp%2Fserver-configs-test/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h5bp%2Fserver-configs-test/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h5bp%2Fserver-configs-test/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/h5bp","download_url":"https://codeload.github.com/h5bp/server-configs-test/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h5bp%2Fserver-configs-test/sbom","scorecard":{"id":451773,"data":{"date":"2025-08-11","repo":{"name":"github.com/h5bp/server-configs-test","commit":"a11d8f9a596bdaef9a6cbaba242636aeea9163e8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.1,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/2 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":7,"reason":"9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines 
if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-19T08:21:12.417Z","repository_id":34107349,"created_at":"2025-08-19T08:21:12.417Z","updated_at":"2025-08-19T08:21:12.417Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29451866,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T15:52:44.973Z","status":"ssl_error","status_checked_at":"2026-02-14T15:52:11.208Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","ci","config","github-actions","h5bp","standard","test"],"created_at":"2025-06-04T22:44:31.708Z","updated_at":"2026-02-14T18:00:32.906Z","avatar_url":"https://github.com/h5bp.png","language":"JavaScript","funding_links":["https://github.com/sponsors/LeoColomb"],"categories":[],"sub_categories":[],
"readme":"# [Test Server Configs](https://github.com/h5bp/server-configs-test)\n\n[![CI](https://github.com/h5bp/server-configs-test/actions/workflows/ci.yml/badge.svg)](https://github.com/h5bp/server-configs-test/actions/workflows/ci.yml)\n\n**Test Server Configs** is a collection of test scripts for server validation.\n\n\n## Getting Started\n\nThis repository contains unit test suites that help validate the correctness of a server.\nSome steps are required to make them ready to run.\n\n\n## Usage\n\n### GitHub Actions\n\n#### Pre-requisites\n\nCreate a workflow `.yml` file in your repository's `.github/workflows` directory.\nAn [example workflow](#example-workflow) is available below.\nFor more information, reference the GitHub Help Documentation for\n[Creating a workflow file](https://help.github.com/en/articles/configuring-a-workflow#creating-a-workflow-file).\n\nMake sure to use the [`grafana/setup-k6-action`](https://github.com/grafana/setup-k6-action) action to install k6.\n\n#### Inputs\nSee [action.yml](action.yml).\nFor more information on these inputs, see the [API Documentation](https://developer.github.com/v3/repos/releases/#input-2).\n\n#### Example workflow\n\n```yaml\nsteps:\n  - uses: actions/checkout@v4\n  - uses: grafana/setup-k6-action@v1\n  - name: Test with server-configs-test\n    uses: h5bp/server-configs-test@main\n    with:\n      command: test\n      server: nginx\n      root-path: /var/www/server.localhost\n      certs-path: /etc/nginx/certs\n      configs-volumes: test/vhosts:/etc/nginx/conf.d;h5bp:/etc/nginx/h5bp;nginx.conf:/etc/nginx/nginx.conf;mime.types:/etc/nginx/mime.types\n      tests: basic-file-access;caching;cache-busting;custom-errors;forbidden-files;precompressed-files-gzip;rewrites;ssl\n```\n\n### Standalone\n\n* Get the files ready by either:\n  * Downloading the [latest release](https://github.com/h5bp/server-configs-test/releases/latest) build\n  * Generating fixtures\n    ```\n    npm install\n    npm run build\n    ```\n* Install [k6](https://k6.io/)\n* Set up the server, local or Docker\n  * Add these hosts:\n    - `server.localhost`\n    - `www.server.localhost`\n    - `secure.server.localhost`\n    - `www.secure.server.localhost`\n  * Secure `secure.` hosts, possibly with certs within `certs/`\n  * Mount `fixtures/` to be the root of files served by the server\n* Run the units (see [Usage](#usage))\n\n\n### Tests\n\nTo run all tests, execute:\n\n```sh\n$ k6 run lib/index.js\n```\n\nTo run only specific tests, set the environment variable `TESTS` to the wanted\ntest names separated by `:`.\n\nThe environment variable can be passed as an argument:\n\n```sh\n$ k6 run lib/index.js -e TESTS=basic-file-access:rewrites\n```\n\n#### `basic-file-access`\n\nCheck if all common files are served correctly.\n\nThe requested file should be served exactly as expected, and all HTTP headers should be valid.\n\n\u003cdetails\u003e\n\u003csummary\u003eReferences\u003c/summary\u003e\n\n* https://www.iana.org/assignments/media-types/media-types.xhtml\n* https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS\n* https://enable-cors.org/\n* https://www.w3.org/TR/cors/\n* 
https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image\n* https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html\n* https://developers.google.com/fonts/docs/troubleshooting\n* https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode\n* https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/\n* https://msdn.microsoft.com/en-us/library/ff955275.aspx\n* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n* https://www.w3.org/TR/CSP3/\n* https://content-security-policy.com/\n* https://www.html5rocks.com/en/tutorials/security/content-security-policy/\n* https://scotthelme.co.uk/a-new-security-header-referrer-policy/\n* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy\n* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options\n* https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/\n* https://mimesniff.spec.whatwg.org/\n* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options\n* https://tools.ietf.org/html/rfc7034\n* https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/\n* https://www.owasp.org/index.php/Clickjacking\n* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection\n* https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/\n* https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/\n* https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29\n\u003c/details\u003e\n\n#### `cache-busting`\n\nCheck if cache-busting is working.\n\nThe requests that contain a hashed-key extension prefix (`[name].[hash].[ext]`)\nshould serve the target file correctly.\n\n#### `concatenation`\n\nCheck if concatenation is working.\n\nThe requests for `[name].combined.[ext]` should be served as a concatenation of\nthe `a.[ext]` 
and `b.[ext]` files.\n\n#### `custom-errors`\n\nCheck if errors are served as desired.\n\nThe erroneous requests should be served with the custom document provided.\n\n#### `enforce-gzip`\n\nCheck if gzip is enabled even with mangled headers.\n\n#### `forbidden-files`\n\nCheck if forbidden files are well handled.\n\nThe requests should be answered with 403 errors when:\n* The requested directory does not contain a default document (no file listing);\n* The requested directory is hidden (the name starts with a dot);\n* The requested file is hidden (the name starts with a dot);\n* The above requests are made in the `.well-known` directory;\n* The requested file is known to contain sensitive data.\n\n\u003cdetails\u003e\n\u003csummary\u003eReferences\u003c/summary\u003e\n\n* https://www.mnot.net/blog/2010/04/07/well-known\n* https://tools.ietf.org/html/rfc5785\n* https://feross.org/cmsploit/\n\u003c/details\u003e\n\n\n#### `precompressed-files-(gzip|brotli)`\n\nCheck if the server uses gzip/brotli precompressed files if available.\n\nThe requests should be served with a valid gzip/brotli file if a precompressed file is available.\n\n#### `rewrites`\n\nCheck redirection behavior.\n\nThe redirection should follow the following paths:\n* Redirect to no-www when the host is prefixed with `www.` but is required not to be;\n* Redirect to www when the host is not prefixed with `www.` but is required to be;\n* Redirect to www/no-www whether the connection is secure or not;\n* Always redirect HTTP to HTTPS whatever the host is, if a secure alternative exists.\n\n\u003cdetails\u003e\n\u003csummary\u003eReferences\u003c/summary\u003e\n\n* https://observatory.mozilla.org/faq/\n\u003c/details\u003e\n\n#### `ssl`\n\nCheck the correctness of the TLS/SSL configuration.\n\nThe requests should be served with:\n* A technically valid certificate;\n* A secure TLS version;\n* A valid and secure cipher suite;\n* A secure protocol (HTTP/2);\n* A well-formatted HSTS 
header.\n\n\u003cdetails\u003e\n\u003csummary\u003eReferences\u003c/summary\u003e\n\n* https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security\n* https://tools.ietf.org/html/rfc6797#section-6.1\n* https://www.html5rocks.com/en/tutorials/security/transport-layer-security/\n* https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/\n* https://tools.ietf.org/html/rfc7540\n\u003c/details\u003e\n\n#### `benchmark`\n\nBonus test file to run a load benchmark.\nThis test is not included in the run-all script.\nA separate command is required to run it:\n\n```sh\n$ k6 run lib/benchmark.js\n```\n\n\n## Suite Structure\n\n```json\n[\n  {\n    \"name\": \"unit tests suite 1\",\n    \"domain\": \"http://server.localhost/ (optional)\",\n    \"default\": { // optional default values\n      \"requestHeaders\": {\n        \"Header-Name\": \"header to add to all the requests\"\n      },\n      \"responseHeaders\": {\n        \"Header-Name\": \"header and its value to test for all the requests\"\n      },\n      \"statusCode\": 311, // status to validate for all the requests\n    },\n    \"requests\": [\n      \"request1\", // use only default values\n      {\n        \"target\": \"request2\",\n        \"responseHeaders\": {\n          \"Header-Name\": \"custom header and its value to test for this request\"\n        }\n      }\n    ]\n  }\n]\n```\n\n\n## Contributing\n\nAnyone is welcome to [contribute](.github/CONTRIBUTING.md),\nhowever, if you decide to get involved, please take a moment to review\nthe [guidelines](.github/CONTRIBUTING.md):\n\n* [Bug reports](.github/CONTRIBUTING.md#bugs)\n* [Feature requests](.github/CONTRIBUTING.md#features)\n* [Pull requests](.github/CONTRIBUTING.md#pull-requests)\n\n\n## Acknowledgements\n\n[Test Server Configs](https://github.com/h5bp/server-configs-test) is\nonly possible thanks to all the 
awesome\n[contributors](https://github.com/h5bp/server-configs-test/graphs/contributors)!\n\n\n## License\n\nThe code is available under the [MIT license](LICENSE.txt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh5bp%2Fserver-configs-test","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fh5bp%2Fserver-configs-test","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh5bp%2Fserver-configs-test/lists"}