A `connector` is the interface between the rules and the website you are testing. It is responsible for loading the website and exposing all the information to sonarwhal, such as resources, network data, etc.

To configure a connector you need to update your `.sonarwhalrc` file so that it names the connector to use, where `connectorName` is the name of the connector (one of the connectors listed below).
All the built-in connectors run on any of the supported platforms: Linux, macOS, and Windows. The only caveat is that, for the connector you specify in the `.sonarwhalrc` file, you will need to have the browser that connector is for already installed, as sonarwhal will not install it for you.
The currently supported connectors are:

- `jsdom`: Your website will be loaded using jsdom.
- `chrome`: Your website will be loaded using Chrome and the Chrome Debugging Protocol. This is one of the connectors built on top of the Chrome DevTools Protocol (see below).
- `edge`: Your website will be loaded using Edge via the edge-diagnostics-adapter. You will need to run Windows 10 Creators Update or later to use it. This connector will only be installed if you are running on Windows. There are some known issues, so please check the Edge issues section below.
Note: If you are running Windows 10 build 14951 (or later) and Windows Subsystem for Linux (WSL), sonarwhal will be capable of running the browsers installed directly on Windows. If you are a user of the stable release of Windows, you will need to use at least the Fall Creators Update.
Connectors can be configured. Maybe you want to make the requests with a different `userAgent`, change some of the other defaults, etc. For that, you just have to add the property `options` to your connector configuration in `.sonarwhalrc` with the values you want to modify.
The following is the list of shared configurations for all connectors:

- `waitFor`: time in milliseconds the connector will wait after the site is ready before starting the DOM traversal. The default value is
Depending on the
connector, other configurations may be available.
`jsdom` allows you to configure the following:

- `headers`: the headers used to fetch the resources. By default they are:
There are some connectors built on top of the Chrome DevTools Protocol; `chrome` and `edge` are two of these. The set of settings specific to them is:

- `defaultProfile` (boolean): Indicates if the browser should use the default profile or create a new one. By default the value is `false`, so a new one is created. You might want to set it to `true` if you want sonarwhal to have access to pages where the default profile is already authenticated. This only applies to Google Chrome, as Microsoft Edge doesn't create a new profile. Bear in mind that a scan run with the default profile sends that profile's existing session cookies with every request, so the resources and network data sonarwhal collects will include whatever that account can reach.
- `useTabUrl` (boolean): Indicates if the browser should navigate first to a given page before going to the final target.
- `tabUrl` (string): The URL to visit before the final target in case `useTabUrl` is enabled. `https://empty.sonarwhal.com/` is the default value.
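As an added example (it is not a snippet from the sonarwhal documentation or project), the following `.sonarwhalrc` fragment puts the pieces above together for the `chrome` connector. It assumes the connector is configured under a top-level `connector` key with `name` and `options` properties; the option values themselves are illustrative.

```json
{
    "connector": {
        "name": "chrome",
        "options": {
            "waitFor": 5000,
            "defaultProfile": false,
            "useTabUrl": true,
            "tabUrl": "https://empty.sonarwhal.com/"
        }
    }
}
```

`waitFor` is the shared option, raised here to 5 seconds for a site that keeps loading content after it reports ready. `defaultProfile` is left at `false` so the scan runs in a fresh profile that carries no existing session; flip it to `true` only when you deliberately want the scan to see pages behind your own login. `useTabUrl` and `tabUrl` are kept at values the Edge connector relies on. For the `jsdom` connector you would set `"name": "jsdom"` and use the `headers` option instead of the Chrome DevTools-specific ones.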
Connectors are expected to implement at least some basic functionality (see how to develop a connector), but they may expose more events or have some extra functionality. The following details the known differences or issues among the official connectors.
- You need administrator privileges to run sonarwhal on Edge. You should be automatically prompted when running it.
- It's best to close all instances of Edge beforehand to avoid any issues.
- The current implementation can have some problems when scanning multiple sites simultaneously. This should not be a common scenario.
- The connector makes use of the `useTabUrl` and `tabUrl` properties. Removing those can cause unexpected results.
It will not send the events for: