This is the code that powers https://webbkoll.dataskydd.net/en - an online tool that checks how a webpage is doing with regards to privacy.
It attempts to simulate what happens when a user visits a specified page with a typical browser, without clicking on anything, and with the browser having no particular extensions installed, and with Do Not Track (DNT) disabled - as this is the default in most browsers.
In short: the frontend (Phoenix) asks the backend (PhearJS) to visit a page with PhantomJS. The backend visits and renders the page, collects various data (requests made, cookies, response headers, etc.) and sends it back as JSON to the frontend, which analyzes the data and presents the results on a webpage along with explanations and advice.
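To make the analysis step concrete, here is an added example (not Webbkoll's or PhearJS's own code) that takes the kind of JSON a headless-browser backend hands back for one visit and derives the findings such a tool reports: third-party hosts, requests fetched over plain HTTP, cookies missing Secure/HttpOnly, absent security headers, and the HSTS policy. The result shape (`url`, `headers`, `requests`, `cookies`) and the field names are assumptions for this example, the sample input is constructed by hand, and the "last two labels" site heuristic stands in for a Public Suffix List lookup.

```javascript
// Added example, not Webbkoll/PhearJS code. Analyses a constructed backend result.
// Field names (url, headers, requests, cookies, secure, httponly) are assumptions.

// Approximate the "site" of a hostname as its last two labels. This is an
// assumption made for brevity: a real checker should use the Public Suffix List,
// otherwise e.g. example.co.uk and other.co.uk would be treated as the same site.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, "").split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Parse a Strict-Transport-Security value (RFC 6797): max-age, and the optional
// includeSubDomains and preload directives. Returns null when the header is absent.
function parseHsts(value) {
  if (!value) return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const directive = raw.trim().toLowerCase();
    if (directive.startsWith("max-age=")) {
      // max-age may be quoted, e.g. max-age="31536000"
      policy.maxAge = parseInt(directive.slice("max-age=".length).replace(/"/g, ""), 10);
    } else if (directive === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (directive === "preload") {
      policy.preload = true;
    }
  }
  return policy;
}

// Response headers whose absence is worth reporting; lowercased for case-insensitive lookup.
const HEADERS_OF_INTEREST = [
  "content-security-policy",
  "referrer-policy",
  "x-content-type-options",
  "x-frame-options",
];

function analyze(result) {
  const pageUrl = new URL(result.url);
  const firstParty = registrableDomain(pageUrl.hostname);
  const overHttps = pageUrl.protocol === "https:";

  // Requests: which hosts are third parties, and which were fetched over plain HTTP.
  const thirdPartyHosts = new Set();
  const insecureRequests = [];
  for (const req of result.requests) {
    const u = new URL(req.url);
    if (u.protocol === "http:") insecureRequests.push(req.url);
    if (registrableDomain(u.hostname) !== firstParty) thirdPartyHosts.add(u.hostname);
  }

  // Cookies: third-party origin, and missing Secure / HttpOnly attributes.
  // A missing Secure flag is only a finding on an HTTPS page.
  const cookies = result.cookies.map((c) => ({
    name: c.name,
    domain: c.domain,
    thirdParty: registrableDomain(c.domain) !== firstParty,
    missingSecure: overHttps && !c.secure,
    missingHttpOnly: !c.httponly,
  }));

  // Headers: normalise names to lowercase, then report which interesting ones are absent.
  const headers = {};
  for (const name of Object.keys(result.headers)) {
    headers[name.toLowerCase()] = result.headers[name];
  }
  const missingHeaders = HEADERS_OF_INTEREST.filter((h) => !(h in headers));
  // Browsers only honour HSTS received over HTTPS, so it is ignored otherwise.
  const hsts = overHttps ? parseHsts(headers["strict-transport-security"]) : null;

  return {
    firstParty,
    thirdPartyHosts: [...thirdPartyHosts].sort(),
    insecureRequests,
    cookies,
    missingHeaders,
    hsts,
  };
}

// Constructed sample of what a backend might return for one visit (reserved example domains).
const SAMPLE_RESULT = {
  url: "https://example.com/",
  headers: {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  },
  requests: [
    { url: "https://example.com/" },
    { url: "https://static.example.com/app.js" },
    { url: "https://ads.example.net/collect?x=1" },
    { url: "http://cdn.example.org/pixel.gif" },
  ],
  cookies: [
    { name: "_session", domain: "example.com", secure: true, httponly: true },
    { name: "_ga", domain: ".example.com", secure: false, httponly: false },
    { name: "uid", domain: ".example.net", secure: false, httponly: false },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_RESULT), null, 2));
}
```

Run with `node` to print the findings for the constructed sample: `static.example.com` is treated as first party, the two other hosts as third parties, the `pixel.gif` request as insecure, the `_ga` cookie as lacking both Secure and HttpOnly, and three of the four headers as missing.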
The frontend is multilingual and currently supports English and Swedish.
Please note that this is still a work in progress. Expect bugs and messy code in places. Only a few basic tests are in place. Cleanup is underway!
Also note that this tool is mainly meant to be used as a starting point for web developers. For more rigorous and systematic testing we recommend that you check out OpenWPM, which we used to analyze the websites of Sweden's municipalities (site, code).
- Get PhearJS running - see https://github.com/Tomtomgo/phearjs/blob/master/README.md. (Clone https://github.com/andersju/phearjs/ to get the one that Dataskydd.net is running.)
Frontend (this app!)
- Install Erlang (18) and Elixir (>= 1.3) -- see http://elixir-lang.org/install.html
- Have redis running (needed for exq job handling)
- Make sure you have a working PostgreSQL installation
- Install dependencies with mix deps.get
- Create and migrate your database with
mix ecto.create && mix ecto.migrate
- Install Node.js dependencies with npm install
- Make sure PhearJS and redis are running on the hosts/ports specified in the application config
- Start the Phoenix endpoint with mix phoenix.server (or, in an interactive shell, iex -S mix phoenix.server)
Now you can visit localhost:4000 from your browser.
To run in production, create config/prod.secret.exs and enter something like the following. Set secret_key_base to a long random string of at least 64 bytes (for example the output of mix phoenix.gen.secret), change the database configuration as necessary, and keep this file out of version control:

```elixir
use Mix.Config

# In this file, we keep production configuration that
# you likely want to automate and keep it away from
# your version control system.
config :webbkoll, Webbkoll.Endpoint,
  secret_key_base: "somelongrandomstring"

# Configure your database
config :webbkoll, Webbkoll.Repo,
  adapter: Ecto.Adapters.Postgres,
  username: "postgres",
  password: "postgres",
  database: "webbkoll_prod",
  pool_size: 20
```
Create and migrate database:
MIX_ENV=prod mix ecto.create
MIX_ENV=prod mix ecto.migrate
Compile static assets:
node_modules/brunch/bin/brunch build --production
MIX_ENV=prod mix phoenix.digest
MIX_ENV=prod mix compile
Finally, start the server (listens on port 4001 by default):
MIX_ENV=prod mix phoenix.server
Or start the server in an interactive shell:
MIX_ENV=prod iex -S mix phoenix.server
See also the official Phoenix deployment guides.
- Optionally visit a number of randomly selected internal pages and base the results on the combined data from all of them
- Availability over Tor (e.g. does the visitor have to solve a Cloudflare captcha?)
- HTTPS Everywhere: check for requests that could have been secure
- Possibility to check sites that listen only on port 443
- Check localStorage (Web Storage)
- SSL Labs integration
- IPv6 support
- Check whether site is in HSTS preload list?
- More translations?
- More? Let me know!
Credits & things used
- Phoenix Framework (MIT license) by Chris McCord
- Bourbon, Neat, Bitters, Refills (MIT license) by thoughtbot
- Sortable (MIT license) by Adam Schwartz
- Font Awesome (SIL OFL 1.1) by Dave Gandy
- Source Sans Pro (SIL OFL 1.1) by Adobe Systems
- Disconnect's open source list of trackers (GPLv3) by Disconnect, Inc.
- PhearJS (MIT license) by Tom Aizenberg and Marcel Gonzalez Corso
- PhantomJS (BSD license)
The MIT License (MIT)

Copyright (c) 2016 Anders Jensen-Urstad

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.