spectreq 0.1.1

High-efficiency HTTP client with browser impersonation
# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in Spectreq, please report it responsibly:

1. **Do NOT** open a public GitHub issue
2. Email security concerns to the maintainers privately
3. Include details about the vulnerability and steps to reproduce
4. Allow up to 90 days for a fix before public disclosure

## Security Practices

### Cryptography

- **TLS**: rustls provides the TLS implementation (memory-safe, pure Rust)
- **Hashing**: MD5 is used only where RFC 2617 Digest authentication requires it, not as a security primitive
- **Post-quantum**: Optional X25519Kyber768 hybrid key exchange

### Dependencies

- Regular dependency audits with `cargo-audit`
- Automated Dependabot updates
- License compatibility checked with `cargo-deny`

### Code Quality

- Memory-safe Rust implementation
- No `unsafe` code in core library
- Clippy linting with `-D warnings`
- Regular fuzzing of parsing code

## Authentication Security

### Supported Methods

| Method | Security Level | Notes |
|--------|---------------|-------|
| Bearer Token | High | Use with HTTPS only |
| Basic Auth | Medium | Base64 encoded, not encrypted |
| Digest Auth | Medium | MD5-based, legacy protocol |
| NTLM | Not Implemented | Deprecated, use Kerberos instead |

### Best Practices

1. **Always use HTTPS** when sending credentials
2. **Rotate tokens** regularly
3. **Use certificate pinning** for sensitive applications
4. **Enable ECH** when possible for privacy

## TLS Security

### Certificate Verification

By default, Spectreq:
- Verifies server certificates
- Uses platform certificate store
- Rejects expired/invalid certificates

### Certificate Pinning

For high-security applications, use SPKI pinning:

```rust
use spectreq::{CertificatePin, Client, Profile};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::builder()
        .profile(Profile::chrome_143_windows())
        // Pin the base64-encoded SHA-256 of the server's SubjectPublicKeyInfo.
        // The all-"A" value below is a placeholder (it decodes to 32 zero bytes);
        // replace it with the digest of the real key before deploying.
        .pin_certificate(CertificatePin::spki_sha256(
            "example.com",
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        ))
        .build()?;
    let _ = client;
    Ok(())
}
```
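Two points made above are worth seeing in code: the "Base64 encoded, not encrypted" note on Basic auth together with the "always use HTTPS when sending credentials" rule, and the shape of an SPKI pin (a base64 SHA-256 digest that must be parsed strictly and compared without leaking timing). The following is an added example using only the Rust standard library; it is not spectreq's code. It carries a small hand-written base64 codec, the RFC 7617 sample credentials, and the page's placeholder pin (32 zero bytes); the digest handed to `pin_matches` is assumed to have been computed by the TLS layer from the server certificate.

```rust
// Added example (not spectreq code): base64 is an encoding, not encryption,
// and an SPKI pin is a base64 SHA-256 digest that must be checked carefully.

const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// Minimal standard base64 encoder (with "=" padding).
pub fn b64_encode(data: &[u8]) -> String {
    let mut out = String::with_capacity((data.len() + 2) / 3 * 4);
    for chunk in data.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = (b[0] as u32) << 16 | (b[1] as u32) << 8 | b[2] as u32;
        out.push(B64[(n >> 18) as usize & 63] as char);
        out.push(B64[(n >> 12) as usize & 63] as char);
        out.push(if chunk.len() > 1 { B64[(n >> 6) as usize & 63] as char } else { '=' });
        out.push(if chunk.len() > 2 { B64[n as usize & 63] as char } else { '=' });
    }
    out
}

/// Minimal strict base64 decoder; returns None on malformed input.
pub fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let bytes = s.as_bytes();
    if bytes.len() % 4 != 0 {
        return None;
    }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    for chunk in bytes.chunks(4) {
        let (mut n, mut pad) = (0u32, 0usize);
        for (i, &c) in chunk.iter().enumerate() {
            let v = match c {
                b'A'..=b'Z' => c - b'A',
                b'a'..=b'z' => c - b'a' + 26,
                b'0'..=b'9' => c - b'0' + 52,
                b'+' => 62,
                b'/' => 63,
                b'=' if i >= 2 => { pad += 1; 0 }
                _ => return None,
            };
            n = n << 6 | v as u32;
        }
        if pad == 1 && chunk[2] == b'=' { return None; } // "=x" padding is invalid
        out.push((n >> 16) as u8);
        if pad < 2 { out.push((n >> 8) as u8); }
        if pad < 1 { out.push(n as u8); }
    }
    Some(out)
}

/// Builds the RFC 7617 Authorization header value.
pub fn basic_auth_header(user: &str, pass: &str) -> String {
    format!("Basic {}", b64_encode(format!("{user}:{pass}").as_bytes()))
}

/// Anyone who observes the header recovers the credentials with no key at all,
/// which is why Basic auth must only travel over HTTPS.
pub fn recover_basic_credentials(header: &str) -> Option<(String, String)> {
    let raw = String::from_utf8(b64_decode(header.strip_prefix("Basic ")?)?).ok()?;
    let (user, pass) = raw.split_once(':')?;
    Some((user.to_string(), pass.to_string()))
}

/// Guard for the "always use HTTPS when sending credentials" rule.
pub fn credential_header_for(url: &str, header: &str) -> Result<(String, String), String> {
    if !url.starts_with("https://") {
        return Err(format!("refusing to send credentials over plaintext URL {url}"));
    }
    Ok(("Authorization".to_string(), header.to_string()))
}

/// Checks a "sha256/<base64>" pin against the SHA-256 of the server's SPKI
/// (assumed to come from the TLS layer). Malformed pins are rejected, not ignored.
pub fn pin_matches(pin: &str, spki_sha256: &[u8]) -> Result<bool, String> {
    let encoded = pin.strip_prefix("sha256/").ok_or("pin must start with \"sha256/\"")?;
    let expected = b64_decode(encoded).ok_or("pin is not valid base64")?;
    if expected.len() != 32 || spki_sha256.len() != 32 {
        return Err(format!("SHA-256 digest must be 32 bytes, pin has {}", expected.len()));
    }
    // Constant-time comparison: no early exit on the first mismatching byte.
    let diff = expected.iter().zip(spki_sha256).fold(0u8, |acc, (a, b)| acc | (a ^ b));
    Ok(diff == 0)
}

fn main() {
    let header = basic_auth_header("Aladdin", "open sesame");
    println!("{header}");
    println!("{:?}", recover_basic_credentials(&header));
    println!("{:?}", credential_header_for("http://example.com/", &header));
    // The page's all-"A" placeholder pin decodes to 32 zero bytes.
    let placeholder_pin = format!("sha256/{}=", "A".repeat(43));
    println!("{:?}", pin_matches(&placeholder_pin, &[0u8; 32]));
}
```

`pin_matches` returns an error rather than `false` for a malformed pin so that a typo in the configured value cannot silently turn into "no pin configured"; callers should treat `Err` as a hard failure of the connection, not as a warning.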

## Proxy Security

### Recommendations

1. **SOCKS5**: Preferred for better security
2. **HTTP CONNECT**: Use over HTTPS when possible
3. **Authentication**: Store proxy credentials securely
4. **Rotation**: Use proxy rotation for high-volume requests

## Session Persistence

When saving sessions:
- Encrypt session files at rest
- Use appropriate file permissions
- Clear sessions after use
- Never commit session files to version control
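The file-permission and clean-up bullets above, as an added example that is not spectreq's own code and uses only the Rust standard library on Unix: the session file is created with mode 0600, the mode is tightened even when the file already existed with looser permissions (a `.mode()` on `OpenOptions` only applies at creation), group/world readability can be checked, and the contents are overwritten before the file is removed. The session content is a constructed sample; encrypting the bytes before they reach `save_session` is up to the cipher the application chooses.

```rust
// Added example (not spectreq code): owner-only session files on Unix.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Writes session bytes so that only the owning user can read them (0600).
pub fn save_session(path: &Path, session: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600) // only takes effect when the file is created
        .open(path)?;
    f.write_all(session)?;
    f.sync_all()?;
    // A pre-existing file keeps its old mode, so tighten it explicitly.
    fs::set_permissions(path, fs::Permissions::from_mode(0o600))?;
    Ok(())
}

/// Returns the permission bits (rwx for owner/group/other) of the session file.
pub fn session_mode(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// True if anyone other than the owner has any access to the file.
pub fn is_shared_readable(path: &Path) -> io::Result<bool> {
    Ok(session_mode(path)? & 0o077 != 0)
}

/// "Clear sessions after use": overwrite the contents, then remove the file.
pub fn clear_session(path: &Path) -> io::Result<()> {
    let len = fs::metadata(path)?.len() as usize;
    let mut f = OpenOptions::new().write(true).open(path)?;
    f.write_all(&vec![0u8; len])?;
    f.sync_all()?;
    fs::remove_file(path)
}

fn main() -> io::Result<()> {
    let path = std::env::temp_dir().join(format!("spectreq-session-{}.json", std::process::id()));
    // Constructed sample session; a real one would hold the client's cookies.
    let session = br#"{"cookies":[{"name":"sid","value":"constructed-sample"}]}"#;
    save_session(&path, session)?;
    println!("mode {:o}, shared-readable: {}", session_mode(&path)?, is_shared_readable(&path)?);
    clear_session(&path)?;
    println!("removed: {}", !path.exists());
    Ok(())
}
```

Overwriting before removal is best-effort on journaling or copy-on-write filesystems, which may keep old blocks; it still prevents the common case of a stale session file being picked up by a later process or backup.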

## Anti-Bot Considerations

Spectreq is designed for legitimate use cases such as:
- Web scraping with proper authorization
- API testing and development
- Research and security analysis

**Do not use this library to:**
- Bypass security controls without authorization
- Conduct DDoS attacks
- Scrape data in violation of terms of service
- Engage in any illegal activity

## Changelog

Security-related changes are documented in [CHANGELOG.md](./CHANGELOG.md) under the "Security" heading.