Skip to content

docs: add Common Recipes section for well-known files#2527

Merged
Mzack9999 merged 8 commits into
projectdiscovery:devfrom
iacker:docs/well-known-recipes
Jul 16, 2026
Merged

docs: add Common Recipes section for well-known files#2527
Mzack9999 merged 8 commits into
projectdiscovery:devfrom
iacker:docs/well-known-recipes

Conversation

@iacker

@iacker iacker commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Per maintainer feedback on #2472, this PR adds a Common Recipes section to the README demonstrating how to detect , , , and other well-known URIs using httpx's composable primitives.

Changes

  • ✨ New "Common Recipes" section inserted before "# Notes"
  • 📖 Practical one-liners using -path, -mc, -mct, -mr flags
  • 🔗 Links to RFC 9116 (security.txt) and IANA well-known URIs registry

Context

@Mzack9999 suggested in this comment turning the closed PR #2472 into docs showing well-known file recipes as an alternative to adding per-file flags.

This aligns with httpx's philosophy of composability over specialized flags.

Testing

Verified all one-liners locally:

echo target.com | httpx -path '/.well-known/security.txt' -mc 200 -mct 'text/plain' -mr 'Contact:'

cc @Mzack9999 — happy to iterate on wording/format if needed.

Summary by CodeRabbit

  • New Features
    • Added ready-to-use “well-known” probing recipes for common discovery files and URIs (e.g., security.txt, robots.txt, sitemap.xml, OIDC discovery, Apple/Android app association assets, crossdomain.xml, plus a batch variant).
    • Recipes check expected status codes and response content.
  • Documentation
    • Expanded the README with “Common Recipes” one-liners and guidance on using -mdc for combined checks.
  • Tests
    • Added recipe validation tests, including negative cases to ensure misleading/soft-404 content and invalid bodies are rejected, plus an HTTP probe test.

dogancanbakir and others added 4 commits January 21, 2026 19:39
Per maintainer feedback on PR projectdiscovery#2472, add a 'Common Recipes' section
demonstrating how to detect security.txt, robots.txt, sitemap.xml, and
other well-known URIs using httpx's composable primitives.

Includes:
- security.txt detection with RFC 9116 compliance checks
- robots.txt and sitemap.xml probes
- IANA well-known URIs registry reference
- One-liner examples using -path, -mc, -mct, -mr flags

Reference: projectdiscovery#2468 (comment)
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Adds exported well-known probing recipes, fixture-backed validation for positive and negative matches, and README examples for common files and standardized URIs.

Changes

Well-known recipes

Layer / File(s) Summary
Recipe definitions and fixtures
runner/wellknown_recipes.go
Defines WellKnownRecipe, returns hardcoded file and URI recipes, and provides response fixtures including a soft 404.
End-to-end recipe validation
runner/wellknown_recipes_test.go
Evaluates recipes against fixtures, verifies rejection of invalid security.txt and ads.txt responses, and probes fixture paths through a local HTTP server.
Common Recipes documentation
README.md
Documents -mdc matching and command examples for well-known files and URIs.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related issues

Poem

A rabbit hops through paths unseen,
With recipes crisp and outputs clean.
security.txt guards its gate,
While ads.txt checks sellers’ fate.
Well-known URIs bloom in light—
Tested softly, day and night.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the new Common Recipes docs section and is related to the main change, even though it omits the URI recipes and test support.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@Mzack9999
Mzack9999 changed the base branch from main to dev July 16, 2026 07:45
@Mzack9999

Copy link
Copy Markdown
Member

@coderabbitai create a tracking issue for this PR, do not assign it to me

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="projectdiscovery/httpx"

gh issue create \
  --repo "$repo" \
  --title "Track: docs - Common Recipes section for well-known files (`#2527`)" \
  --body "$(cat <<'EOF'
## Summary

Tracking issue for PR `#2527`, which adds a **Common Recipes** section to the README demonstrating how to detect `security.txt`, and other well-known URIs using httpx's composable primitives (`-path`, `-mc`, `-mct`, `-mr`).

## Background

Per maintainer feedback in `#2472` and the follow-up discussion in `#2468` (comment: https://github.com/projectdiscovery/httpx/issues/2468#issuecomment-4298328468), this PR turns the previously closed PR `#2472` (which proposed adding per-file flags) into documentation showing recipes for well-known files, aligning with httpx's philosophy of composability over specialized flags.

## Scope / Affected areas

- `README.md`: new "Common Recipes" section inserted before the "# Notes" section, with one-liner examples and links to RFC 9116 (security.txt) and the IANA well-known URIs registry.

## Acceptance criteria

- [ ] Common Recipes section merged into README.md
- [ ] Wording/format reviewed and iterated on as needed
- [ ] Examples verified to work against `httpx`

## Links

- PR: https://github.com/projectdiscovery/httpx/pull/2527
- Requested by: `@Mzack9999`
EOF
)"

Length of output: 1515


@Mzack9999, I've created the tracking issue without assigning anyone: #2537

@Mzack9999 Mzack9999 linked an issue Jul 16, 2026 that may be closed by this pull request
3 tasks

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Line 288: Change the “Common Recipes” heading from h1 to h2 so the document’s
heading hierarchy does not skip levels and the markdownlint warning is resolved.
- Line 292: Update the README guidance for -mr/-ms to state that
OutputMatchRegex and OutputMatchString match the full raw response via resp.Raw,
rather than response headers only. Keep the -mdc description as the option for
structured field matching with DSL helpers such as contains.

In `@runner/wellknown_recipes_test.go`:
- Around line 18-41: Update TestMain to capture m.Run’s exit code, explicitly
call os.RemoveAll(tmp) and handle any cleanup error before invoking os.Exit, and
remove the ineffective deferred cleanup. Preserve the existing setup-error exits
while ensuring cleanup runs after the test suite completes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 519c1948-87c2-4f22-b9a2-b306c783940b

📥 Commits

Reviewing files that changed from the base of the PR and between e18c703 and 03a34ba.

📒 Files selected for processing (3)
  • README.md
  • runner/wellknown_recipes.go
  • runner/wellknown_recipes_test.go

Comment thread README.md Outdated
Comment thread README.md Outdated
Comment thread runner/wellknown_recipes_test.go Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
README.md (1)

296-300: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Avoid claiming this matcher proves RFC 9116 validity.

The command only checks content_type, the presence of Contact:, and mailto:/https:// anywhere in the body; it does not validate RFC 9116 field syntax or associate the URI with the Contact field. Describe this as a heuristic/security.txt-like match, or strengthen the matcher before calling it “valid.”

Proposed wording
- Probe for a valid [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116.html) security.txt file at the standard paths (`/.well-known/security.txt`, `/security.txt`):
+ Probe for a security.txt-like response at the standard paths (`/.well-known/security.txt`, `/security.txt`):
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 296 - 300, Update the security.txt section heading
and description to avoid claiming RFC 9116 validity; describe the httpx matcher
as a heuristic or security.txt-like detection. Keep the existing standard paths
and command unchanged unless needed to align the wording with that limitation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@README.md`:
- Around line 296-300: Update the security.txt section heading and description
to avoid claiming RFC 9116 validity; describe the httpx matcher as a heuristic
or security.txt-like detection. Keep the existing standard paths and command
unchanged unless needed to align the wording with that limitation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bf6c165b-befb-4f36-ad31-0140fc89cd68

📥 Commits

Reviewing files that changed from the base of the PR and between 03a34ba and 3b3a457.

📒 Files selected for processing (2)
  • README.md
  • runner/wellknown_recipes_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • runner/wellknown_recipes_test.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
runner/wellknown_recipes_test.go (1)

34-34: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Avoid hardcoded array indices for recipe lookups.

Retrieving recipes by their hardcoded index makes the test suite brittle. If recipes are added, removed, or reordered in WellKnownRecipes(), these tests will either break or silently evaluate the wrong recipe. Consider extracting a test helper to find a recipe by its Name instead of relying on its position in the array.

  • runner/wellknown_recipes_test.go#L34-L34: replace WellKnownRecipes()[0] with findRecipe(t, "security.txt").
  • runner/wellknown_recipes_test.go#L40-L40: replace WellKnownRecipes()[0] with findRecipe(t, "security.txt").
  • runner/wellknown_recipes_test.go#L50-L50: replace WellKnownRecipes()[4] with findRecipe(t, "ads.txt").
  • runner/wellknown_recipes_test.go#L63-L63: replace WellKnownRecipes()[len(WellKnownRecipes())-1] with findRecipe(t, "well-known-uri-batch").
♻️ Example helper function
func findRecipe(t *testing.T, name string) WellKnownRecipe {
	t.Helper()
	for _, r := range WellKnownRecipes() {
		if r.Name == name {
			return r
		}
	}
	t.Fatalf("recipe %q not found", name)
	return WellKnownRecipe{}
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@runner/wellknown_recipes_test.go` at line 34, Replace positional recipe
lookups in runner/wellknown_recipes_test.go at lines 34, 40, 50, and 63 with
findRecipe calls using names "security.txt", "security.txt", "ads.txt", and
"well-known-uri-batch" respectively. Add the findRecipe testing helper to search
WellKnownRecipes() by Name, call t.Helper(), and fail the test if no matching
recipe is found.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@runner/wellknown_recipes_test.go`:
- Line 34: Replace positional recipe lookups in runner/wellknown_recipes_test.go
at lines 34, 40, 50, and 63 with findRecipe calls using names "security.txt",
"security.txt", "ads.txt", and "well-known-uri-batch" respectively. Add the
findRecipe testing helper to search WellKnownRecipes() by Name, call t.Helper(),
and fail the test if no matching recipe is found.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 88350c9e-b5e2-4327-9386-9700e68577ab

📥 Commits

Reviewing files that changed from the base of the PR and between 3b3a457 and cb1cc91.

📒 Files selected for processing (2)
  • runner/wellknown_recipes.go
  • runner/wellknown_recipes_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • runner/wellknown_recipes.go

@Mzack9999
Mzack9999 merged commit 997f3f5 into projectdiscovery:dev Jul 16, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Track: docs - Common Recipes section for well-known files (#2527)

3 participants