What is security.json?

security.json is the core artifact from _spartan. After you answer a few questions about your app, _spartan will generate this JSON file reflecting the security policy of your application based upon your answers.

Each policy addresses security concerns in the following security domains:

  • api security
  • access controls
    • authentication
    • authorization
  • secure connections (ssl/tls => ciphers ++ certificate management)
  • cross origin resource sharing (CORS)
  • database interaction
  • dependency management (specifically vulnerabilities in dependencies)
  • forms
  • input validation
  • secrets management
  • security logging
  • session management
    • cookies (generation, and configuration)

policy metadata

_spartan generates and populates some additional metadata about the policy itself to allow for easier tracking, auditing and to pre-configure some fields:

  "policyId": "01801687b51f06a49f22cd0357711144",
  "applicationType": "Web",
  "internetFacing": true,
  "hostname": "localhost",
  "deployment": "locally hosted",
  "integrityService": [
  ... // the rest of the policy


Name Description Type Allowed Values Default
policyId 32-digit randomly generated value; new for each policy String 32-digit string value N/A
applicationType application type String “Web”, “Desktop”, “IoT”, “Mobile”, “API” “Web”
internetFacing describes if the application will be accessible over the Internet Boolean true, false true
hostname [Domain] name assigned for the system where the application resides String Any string value “localhost”
deployment How the application is accessed/deployment service (e.g. ‘Heroku’) String Any string value “locally hosted”
integrity service How SHA-384 sums are generated for _spartan artifacts String Array [“openssl”, “shasum”] “shasum”