hcaptcha-rs

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your badge status on your project page! The badge status looks like this: Badge level for project 9974 is passing Here is how to embed it:
You can show your badge status by embedding this in your markdown file:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9974/badge)](https://www.bestpractices.dev/projects/9974)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/9974"><img src="https://www.bestpractices.dev/projects/9974/badge"></a>


These are the Gold level criteria. You can also view the Passing or Silver level criteria.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics 2/5

  • General

    Note that other projects may use the same name.

    hcaptcha-rs is a library to verify hcaptcha responses.

    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

  • Prerequisites


    Not enough for a badge.

    The project MUST achieve a silver level badge. [achieve_silver]

  • Project oversight


    Unknown required information, not enough for a badge.

    The project MUST have a "bus factor" of 2 or more. (URL required) [bus_factor]
    A "bus factor" (aka "truck factor") is the minimum number of project members that have to suddenly disappear from a project ("hit by a bus") before the project stalls due to lack of knowledgeable or competent personnel. The truck-factor tool can estimate this for projects on GitHub. For more information, see Assessing the Bus Factor of Git Repositories by Cosentino et al.

    Unknown required information, not enough for a badge.

    The project MUST have at least two unassociated significant contributors. (URL required) [contributors_unassociated]
    Contributors are associated if they are paid to work by the same organization (as an employee or contractor) and the organization stands to benefit from the project's results. Financial grants do not count as being from the same organization if they pass through other organizations (e.g., science grants paid to different organizations from a common government or NGO source do not cause contributors to be associated). Someone is a significant contributor if they have made non-trivial contributions to the project in the past year. Examples of good indicators of a significant contributor are: written at least 1,000 lines of code, contributed 50 commits, or contributed at least 20 pages of documentation.

  • Other


    Enough for a badge!

    The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project]. [license_per_file]
    This MAY also be done by including a statement in natural language identifying the license. The project MAY also include a stable URL pointing to the license text, or the full license text. Note that the criterion license_location requires the project license be in a standard location. See this SPDX tutorial for more information about SPDX license expressions. Note the relationship with copyright_per_file, whose content would typically precede the license information.

    https://github.com/jerus-org/hcaptcha-rs/blob/main/CONTRIBUTING.md
    https://github.com/jerus-org/hcaptcha-rs/blob/main/hcaptcha/src/lib.rs
    https://github.com/jerus-org/hcaptcha-rs/blob/main/.circleci/config.yml
    https://github.com/jerus-org/hcaptcha-rs/blob/main/renovate.json.license
    https://github.com/jerus-org/hcaptcha-rs/blob/main/.vscode/launch.json.license
    https://github.com/jerus-org/hcaptcha-rs/blob/main/.vscode/settings.json.license
    The project applies per‑file licensing via SPDX headers in source and config files (e.g., “SPDX-License-Identifier: MIT OR Apache-2.0”), and uses REUSE‑style sidecar “.license” files for non‑commentable assets. CONTRIBUTING.md documents the requirement and provides the exact header snippet; representative files across Rust and YAML show the headers, and sidecar files cover JSON/VS Code assets.


 Change Control 4/4

 Quality 5/7

  • Coding standards


    Enough for a badge!

    The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards]
    See also two_person_review and contribution_requirements.

    https://github.com/jerus-org/hcaptcha-rs/blob/main/CONTRIBUTING.md#pull-request-guidelines
    https://github.com/jerus-org/hcaptcha-rs/blob/main/CONTRIBUTING.md#coding-standards
    https://github.com/jerus-org/hcaptcha-rs/blob/main/GOVERNANCE.md#process-requirements
    https://github.com/jerus-org/hcaptcha-rs/blob/main/.circleci/config.yml
    The project documents clear code‑review standards and enforces them in CI. All changes must land via pull request; direct commits to main are prohibited. PRs must be focused, have descriptive commits with DCO sign‑off, include tests, and pass formatting and clippy with zero warnings. Review is required by a maintainer, and merges occur only when CI is green (build, doctests, lints, multi‑suite tests). Governance further codifies the requirement that CI checks pass and that review is part of the standard process.


    Enough for a badge!

    The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion [two_person_review]

    • URL:
    https://github.com/jerus-org/hcaptcha-rs/blob/main/CONTRIBUTING.md#pull-request-guidelines
    https://github.com/jerus-org/hcaptcha-rs/blob/main/GOVERNANCE.md#process-requirements
    • Justification: The GitHub Ruleset “Protect the Main Branch” enforces PRs on main and requires at least one approval from someone other than the author (applies to admins), with CI checks required before merge. CONTRIBUTING and Governance documents also require review for every change, so two‑person review is both documented and technically enforced.


  • Working build system


    Enough for a badge!

    The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible]
    A reproducible build means that multiple parties can independently redo the process of generating information from source files and get exactly the same bit-for-bit result. In some cases, this can be resolved by forcing some sort order. JavaScript developers may consider using npm shrinkwrap and webpack OccurrenceOrderPlugin. GCC and clang users may find the -frandom-seed option useful. The build environment (including the toolset) can often be defined for external parties by specifying the cryptographic hash of a specific container or virtual machine that they can use for rebuilding. The reproducible builds project has documentation on how to do this.

    The project has established reproducible builds. Multiple parties can independently rebuild crate packages and verify bit-for-bit identical results given the same inputs.

    Implementation:
    • Deterministic build process: CI uses SOURCE_DATE_EPOCH (fixed to last commit timestamp), RUSTFLAGS path remapping (--remap-path-prefix), and CFLAGS remapping for C dependencies to eliminate host-specific paths and timestamps.
    • Locked dependencies: Cargo.lock is committed, ensuring consistent dependency versions.
    • Specified build environment: Builds run in pinned Docker container images (jerusdp/ci-rust:1.88-wasi). The exact image, toolchain version, and environment variables are documented.
    • Verification support: SHA256 checksums of packaged crates are computed and attached to each GitHub release, allowing users to verify their local builds match official releases.

    Documentation:
    • Rebuild instructions with exact commands and environment variables: docs/REPRODUCIBLE_BUILDS.md
    • CI configuration: .circleci/config.yml (see set_repro_env command and compute_checksums_and_upload job)
    • Container pin file for future digest-based pinning: ci/container-pins.yaml

    URL: https://github.com/jerus-org/hcaptcha-rs/blob/main/docs/REPRODUCIBLE_BUILDS.md


  • Automated test suite


    Enough for a badge!

    A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation]
    For example, "make check", "mvn test", or "rake test" (Ruby).

    https://github.com/jerus-org/hcaptcha-rs/blob/main/CONTRIBUTING.md
    CONTRIBUTING.md line 85 documents test invocation: cargo test --all


    Enough for a badge!

    The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration]
    In most cases this means that each developer who works full-time on the project integrates at least daily.

    https://dl.circleci.com/status-badge/redirect/gh/jerus-org/hcaptcha-rs/tree/main
    CircleCI runs comprehensive CI pipeline including tests on every commit. CircleCI badge displayed in README.


    Unknown required information, not enough for a badge.

    The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_statement_coverage90]

    Unknown required information, not enough for a badge.

    The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_branch_coverage80]

 Security 4/5

  • Use basic good cryptographic practices

    Note that some software does not need to use cryptographic mechanisms. If your project produces software that (1) includes, activates, or enables encryption functionality, and (2) might be released from the United States (US) to outside the US or to a non-US-citizen, you may be legally required to take a few extra steps. Typically this just involves sending an email. For more information, see the encryption section of Understanding Open Source Technology & US Export Controls.

    Enough for a badge!

    The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). [crypto_used_network]

    https://github.com/jerus-org/hcaptcha-rs/blob/main/SECURITY.md
    SECURITY.md section "Security expectations and scope" documents that "network calls target hCaptcha servers over HTTPS via reqwest" and section "Cryptography note" states "TLS and certificate validation are delegated to well-vetted dependencies (reqwest/rustls or native-tls)." All network communication to the hCaptcha API uses HTTPS with TLS provided by industry-standard libraries (rustls by default, or native-tls as an option), ensuring cryptographic protection of network traffic.


    Enough for a badge!

    The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). [crypto_tls12]

    https://github.com/jerus-org/hcaptcha-rs/blob/main/hcaptcha/Cargo.toml
    https://github.com/jerus-org/hcaptcha-rs/blob/main/Cargo.toml
    The project uses reqwest 0.12.24 with rustls-tls (default) or native-tls backends for HTTPS. Workspace Cargo.toml specifies reqwest with http2 feature enabled (line 48), ensuring HTTP/2 support. Both rustls (current versions support TLS 1.2 and 1.3) and native-tls delegate to platform TLS libraries that support TLS 1.2+. The library does not configure minimum TLS versions below 1.2, relying on secure defaults from reqwest and its TLS dependencies.


  • Secured delivery against man-in-the-middle (MITM) attacks


    Enough for a badge!

    The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site]
    Note that GitHub and GitLab are known to meet this. Sites such as https://securityheaders.com/ can quickly check this. The key hardening headers are: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options (as "nosniff"), and X-Frame-Options. Fully static web sites with no ability to log in via the web pages could omit some hardening headers with less risk, but there's no reliable way to detect such sites, so we require these headers even if they are fully static sites.

    Found all required security hardening headers.
    https://github.com/jerus-org/hcaptcha-rs
    https://docs.rs/hcaptcha
    This project does not operate or control its own project website or web application; it uses GitHub for the repo and docs.rs for documentation. The “hardened_site” (gold) criterion applies to project‑run sites/apps where the project can configure headers and defenses (e.g., HSTS, CSP, SRI, secure cookies, no mixed content). Since no such site exists under project control, this is Not Applicable. If a site is added later (e.g., GitHub Pages with a custom domain or another host), we can implement and document HSTS (preload where possible), strict CSP (no inline script/styles), SRI on third‑party assets, secure cookies with SameSite, and CI checks for mixed content.


  • Other security issues


    Not enough for a badge.

    The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. [security_review]
    This MAY be done by the project members and/or an independent evaluation. This evaluation MAY be supported by static and dynamic analysis tools, but there also must be human review to identify problems (particularly in design) that tools cannot detect.

    Status: Not yet (planned)
    https://github.com/jerus-org/hcaptcha-rs/blob/main/SECURITY.md
    https://github.com/jerus-org/hcaptcha-rs/blob/main/.circleci/audit.yml
    https://github.com/jerus-org/hcaptcha-rs/blob/main/ARCHITECTURE.md
    We have not yet completed an independent/security‑specialist review. Dynamic analysis (Miri + libFuzzer) and documented security practices are in place, but a formal review with public results is pending. Plan: engage an external reviewer to assess the core crate, dependency risk, misuse‑resistance of APIs, CI/supply‑chain controls, and fuzzing coverage; fix findings; publish a summary report (SECURITY-REVIEW.md) and reference it from SECURITY.md. Target window: January–February 2026 (publish summary no later than March 15, 2026). After the report is published, we will mark this criterion Met.


    Enough for a badge!

    Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) [hardening]
    Hardening mechanisms may include HTTP headers like Content Security Policy (CSP), compiler flags to mitigate attacks (such as -fstack-protector), or compiler flags to eliminate undefined behavior. For our purposes least privilege is not considered a hardening mechanism (least privilege is important, but separate).

    https://github.com/jerus-org/hcaptcha-rs/blob/main/.circleci/audit.yml
    https://github.com/jerus-org/hcaptcha-rs/blob/main/SECURITY.md
    https://github.com/jerus-org/hcaptcha-rs/blob/main/CONTRIBUTING.md
    https://github.com/jerus-org/hcaptcha-rs/blob/main/hcaptcha/src/request.rs
    The project applies multiple hardening measures: memory‑safe Rust with no unsafe blocks in the core crate; strict input validation for all externally supplied values; secrets are excluded from logs/tracing (e.g., request.rs instruments spans with skip(secret)); HTTPS/TLS via reqwest with verified certificates; CI runs clippy with zero‑warning policy and doctests; weekly dynamic analysis includes Miri (UB/memory safety) and a libFuzzer target for response parsing (see .circleci/audit.yml). SECURITY.md documents trust boundaries and non‑logging of secrets; CONTRIBUTING.md codifies the “no unsafe unless strictly justified” rule and CI gates.


 Analysis 2/2

  • Dynamic code analysis


    Enough for a badge!

    The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. [dynamic_analysis]
    A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

    https://github.com/jerus-org/hcaptcha-rs/blob/main/.circleci/audit.yml
    Weekly dynamic analysis via Miri (Rust interpreter detecting undefined behavior and memory errors) and libFuzzer (fuzz testing response parser). Configured in CircleCI audit workflow.


    Enough for a badge!

    The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. [dynamic_analysis_enable_assertions]
    This criterion does not suggest enabling assertions during production; that is entirely up to the project and its users to decide. This criterion's focus is instead to improve fault detection during dynamic analysis before deployment. Enabling assertions in production use is completely different from enabling assertions during dynamic analysis (such as testing). In some cases enabling assertions in production use is extremely unwise (especially in high-integrity components). There are many arguments against enabling assertions in production, e.g., libraries should not crash callers, their presence may cause rejection by app stores, and/or activating an assertion in production may expose private data such as private keys. Beware that in many Linux distributions NDEBUG is not defined, so C/C++ assert() will by default be enabled for production in those environments. It may be important to use a different assertion mechanism or defining NDEBUG for production in those environments.

    Miri and fuzz tests run with debug assertions enabled (Rust default for test/dev builds)



This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Jeremiah Russell and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Jeremiah Russell.
Entry created on 2025-01-31 12:51:53 UTC, last updated on 2025-12-16 08:03:23 UTC. Last lost passing badge on 2025-12-12 12:44:22 UTC. Last achieved passing badge on 2025-12-12 12:45:03 UTC.