More

How to protect the loaded json file name and location using html5 and javascript?

How to protect the loaded json file name and location using html5 and javascript?


The data of markers (not the map) is stored in a json/csv/js file. We want to show all data as markers on the map. But how to protect the raw data file from public access?

Following the example on leaflet website, the name and location of the data file is currently visible as plain text in the index.html. Any people can download them after viewing the source code of the html.

Is there any way to secure our raw data from public access?

for example, by encoding the file name and location and there is no way to decode it?

Or use some authorization method, tokenization, oAuth, RestFul API?

Or using PHP instead of html?

Any tips and suggestions are greatly welcome!


Remember that JavaScript runs on the client's machine, under their control. They are allowed to set breakpoints and inspect variables at run time on their own machine. You can minify and obfuscate JavaScript, but Chrome DevTools has a one-click pretty-format button to partially undo the minification enough to make breakpoints work effectively.

Long story short, if you give the raw data to the client machine, then you've given away the raw data, and you've done so using the client's own network infrastructure.

One alternative is you can "bake" the data into rasterized symbols embedded in the imagery on the server. For example I recently saw a CartoDB Cesium demo where the points of interest were burned into the imagery layers, so the client does not handle the raw lat/lon data directly. Getting back the raw points requires much more effort, sifting through high-res image tiles and some sort of image recognition, so this might be a way to keep the exact numeric values more confidential.


How to build a secure stateless authentication system for a client-side JavaScript application

i'm building a stateless authentication system for a Dart application (Dart gets compiled to JavaScript, so the whole application is an index.html file which loads JavaScript and runs in the browser) and have discovered that it's quite tricky to build a stateless authentication system that's actually secure.

The stack is as follow: Dart application that does JSON POSTs to a Spring MVC (Java) backend using Jackson to convert back and forth between JSON and Java objects. Everything will be behind SSL when it goes into production.

Scenario 1: User logs in, I keep a session on the Java side - this is not stateless and will cause problems when load balancing the backend.

Scenario 2: Upon hitting the login button, a POST is done by Dart to the Authentication controller which verifies the credentials and passes back a token (which could be a bunch of UUIDs concatenated together). The token comes back to the frontend - This token combined with the username will then have to be passed along with each request. The dart application now needs to store this token somewhere, since a Dart application compiles to JavaScript, cookies seems to be not an option (can JavaScript access cookies?). HTML5 localstorage comes to mind, but from what I've read, it's pretty easy to hijack that token if any form of XSS vulnerability is available (and I'm guessing browser plugins and toolbars that inject JavaScript into the page can also access this token?).

Scenario 3: Just like in scenario 2, I get passed back a token from the Spring MVC backend, but instead of storing it in HTML5 localstorage, I keep in a JavaScript variable and pass it on if a new window is opened. The same problem applies here, since it's inside a javascript variable, any kind of XSS vulnerability or browser plugin can nab that token and hijack the session.

To prevent against brute-force attacks, any request that is being sent, if the username-token combination is incorrect, the token for that username will be invalidated and the user will need to login again. Tokens also expire after 15 minutes.

Is this a secure way to maintain state? IF not, how would I either make this stateless-with-token implementation secure or what would be a better implementation?


4 Answers 4

Your approach is totally ok. You should change a couple of things to make it work:
For each list item create an object that has all the properties that need to be in json file, put it in the list and at the end convert that list to json string.
After that, save the json string to the file (or do anything else with it… maybe save it as a document in the document library?).
You can use the following code for creating the objects and the json string:

The other problem that you had with ConvertTo-Json is related to the fact that you called Write-Host on the result of ConvertTo-Json command. If you created a variable, assigned the value of ConvertTo-Json to it and then wrote it to host with Write-Host it would had worked fine (I’m not sure why this is the case - it works fine if you try it directly in console and it is totally different if you have it in script file).
The solution for this problem is shown in last two lines of my code above.

Now, if you want to create json from your $ListItems variable, it will throw an error, because the ConvertTo-Json command will try to serialize all of the properties of list items, and those properties are not initialized (you need to explicitly initialize the properties before accessing them). The error will be:

The solution is to create the custom objects, assign the values to its properties and convert them to json (the code that I’ve pasted above).


6 Answers 6

I think your question really boils down to: When should I use a NoSQL approach vs. RDBMS? You settled on JSON early (a NoSQL-ish decision), perhaps because you've got Ajax consumers.

The answer of course to when to use NoSQL approaches vs. RDBMS's is basically about what type of data you're working with and what consumers you anticipate having. If your data is essentially relational (fairly flat hierarchies, no weird data types like images or audio, predictable relationships between the schemas that can be easily described in keys), and your consumers are anticipated to eventually include people who want to do Business Intelligence queries (ad hoc querying), then an RDBMS is the way to go. It's fairly easy to turn a query into a JSON representation, so it doesn't significantly burden your Ajax consumers -- it just adds a little transformation coding into your endpoints (REST/SOAP/whatever). Conversely, if your data is very hierarchical (deep schemas), contains weird data types like images, audio, video, etc., there are few relationships between entities, and you know that your end users will not be doing BI, then NoSQL/storing JSON may be appropriate.

Of course, even these general guidelines aren't rock solid. The reason Google developed Google File System, MapReduce (work which was used by Doug Cutting to build Hadoop at Yahoo) and later BigQuery (a NoSQL oriented [schemaless] way of managing large scale data) was precisely because they had a lot of ad hoc BI requests, and they couldn't get relational approaches to scale up to the tera/peta/exa/zetta/yotta scales they were trying to manage. The only practical approach was to scale out, sacrificing some of ad-hoc-query user friendliness that an RDBMS provides, and substituting a simple algorithm (MapReduce) that could be coded fairly easily for any given query.

Given your schema above, my question would basically be: Why wouldn't you use an RDBMS? I don't see much of a reason not to. Our profession is supposed to be engineering oriented, not fashion oriented, so our instinct should be to pick the easiest solution that works, right? I mean, your endpoints may have to do a little translation if your consumers are Ajaxy, but your data looks very flat and it seems likely that business users are going to want to do all kinds of ad hoc querying on things like music events (Which event was most attended within 50 miles of our capital city last year?)

'Go not to the elves for counsel, for they will say both no and yes.' -- Frodo


How Cross-site Scripting Works

There are two stages to a typical XSS attack:

  1. To run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject malicious code (payload) into a web page that the victim visits.
  2. After that, the victim must visit the web page with the malicious code. If the attack is directed at particular victims, the attacker can use social engineering and/or phishing to send a malicious URL to the victim.

For step one to be possible, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a malicious string that will be used within the web page and treated as source code by the victim’s browser. There are also variants of XSS attacks where the attacker lures the user to visit a URL using social engineering and the payload is part of the link that the user clicks.

The following is a snippet of server-side pseudocode that is used to display the most recent comment on a web page:

The above script simply takes the latest comment from a database and includes it in an HTML page. It assumes that the comment printed out consists of only text and contains no HTML tags or other code. It is vulnerable to XSS, because an attacker could submit a comment that contains a malicious payload, for example:

The web server provides the following HTML code to users that visit this web page:

When the page loads in the victim’s browser, the attacker’s malicious script executes. Most often, the victim does not realize it and is unable to prevent such an attack.


Шаг 5. Откройте Firebase в своем приложении

SDK Firebase JavaScript поддерживает следующие продукты Firebase. Каждый продукт не является обязательным и доступен, как показано.

Продукт Firebase Пространство имен (v8 и ниже) Интернет Node.js
Аналитика firebase.analytics()
Аутентификация firebase.auth()
Cloud Firestore firebase.firestore()
Облачные функции для клиентского SDK Firebase firebase.functions()
Обмен сообщениями в облаке firebase.messaging()
Облачное хранилище firebase.storage()
Мониторинг производительности ( бета- версия) firebase.performance()
База данных в реальном времени firebase.database()
Remote Config ( бета- версия) firebase.remoteConfig()


Local Storage And How To Use It On Websites

Storing information locally on a user&rsquos computer is a powerful strategy for a developer who is creating something for the Web. In this article, we&rsquoll look at how easy it is to store information on a computer to read later and explain what you can use that for.

Adding State To The Web: The “Why” Of Local Storage

The main problem with HTTP as the main transport layer of the Web is that it is stateless. This means that when you use an application and then close it, its state will be reset the next time you open it. If you close an application on your desktop and re-open it, its most recent state is restored.

Meet Image Optimization, Addy Osmani’s brand new practical guide to optimizing and delivering high-quality images on the web. From formats and compression to delivery and maintenance: everything in one single 528-pages book.

This is why, as a developer, you need to store the state of your interface somewhere. Normally, this is done server-side, and you would check the user name to know which state to revert to. But what if you don&rsquot want to force people to sign up?

This is where local storage comes in. You would keep a key on the user&rsquos computer and read it out when the user returns.

C Is For Cookie. Is That Good Enough For Me?

The classic way to do this is by using a cookie. A cookie is a text file hosted on the user&rsquos computer and connected to the domain that your website runs on. You can store information in them, read them out and delete them. Cookies have a few limitations though:

  • They add to the load of every document accessed on the domain.
  • They allow up to only 4 KB of data storage.
  • Because cookies have been used to spy on people&rsquos surfing behavior, security-conscious people and companies turn them off or request to be asked every time whether a cookie should be set.

To work around the issue of local storage — with cookies being a rather dated solution to the problem — the WHATWG and W3C came up with a few local storage specs, which were originally a part of HTML5 but then put aside because HTML5 was already big enough.

Using Local Storage In HTML5-Capable Browsers

Using local storage in modern browsers is ridiculously easy. All you have to do is modify the localStorage object in JavaScript. You can do that directly or (and this is probably cleaner) use the setItem() and getItem() method:

If you read out the favoriteflavor key, you will get back &ldquovanilla&rdquo:

To remove the item, you can use — can you guess? — the removeItem() method:

That&rsquos it! You can also use sessionStorage instead of localStorage if you want the data to be maintained only until the browser window closes.

Working Around The &ldquoStrings Only&rdquo Issue

One annoying shortcoming of local storage is that you can only store strings in the different keys. This means that when you have an object, it will not be stored the right way.

You can see this when you try the following code:

Trying this out in the console shows that the data is stored as [object Object] and not the real object information:

You can work around this by using the native JSON.stringify() and JSON.parse() methods:

Where To Find Local Storage Data And How To Remove It

During development, you might sometimes get stuck and wonder what is going on. Of course, you can always access the data using the right methods, but sometimes you just want to clear the plate. In Opera, you can do this by going to Preferences → Advanced → Storage, where you will see which domains have local data and how much:

Doing this in Chrome is a bit more problematic, which is why we made a screencast:

Mozilla has no menu access so far, but will in future. For now, you can go to the Firebug console and delete storage manually easily enough.

So, that&rsquos how you use local storage. But what can you use it for?

Use Case #1: Local Storage Of Web Service Data

One of the first uses for local storage that I discovered was caching data from the Web when it takes a long time to get it. My World Info entry for the Event Apart 10K challenge shows what I mean by that.

When you call the demo the first time, you have to wait up to 20 seconds to load the names and geographical locations of all the countries in the world from the Yahoo BOSS Premium Web service. If you call the demo a second time, there is no waiting whatsoever because — you guessed it — I&rsquove cached it on your computer using local storage.

The following code (which uses jQuery) provides the main functionality for this. If local storage is supported and there is a key called thewholefrigginworld , then call the render() method, which displays the information. Otherwise, show a loading message and make the call to the Geo API using getJSON() . Once the data has loaded, store it in thewholefrigginworld and call render() with the same data:

You can see the difference in loading times in the following screencast:

The code for the world info is available on GitHub.

This can be extremely powerful. If a Web service allows you only a certain number of calls per hour but the data doesn&rsquot change all that often, you could store the information in local storage and thus keep users from using up your quota. A photo badge, for example, could pull new images every six hours, rather than every minute.

This is very common when using Web services server-side. Local caching keeps you from being banned from services, and it also means that when a call to the API fails for some reason, you will still have information to display.

getJSON() in jQuery is especially egregious in accessing services and breaking their cache, as explained in this blog post from the YQL team. Because the request to the service using getJSON() creates a unique URL every time, the service does not deliver its cached version but rather fully accesses the system and databases every time you read data from it. This is not efficient, which is why you should cache locally and use ajax() instead.

Use Case #2: Maintaining The State Of An Interface The Simple Way

Another use case is to store the state of interfaces. This could be as crude as storing the entire HTML or as clever as maintaining an object with the state of all of your widgets. One instance where I am using local storage to cache the HTML of an interface is the Yahoo Firehose research interface (source on GitHub):

The code is very simple — using YUI3 and a test for local storage around the local storage call:

Notice: We restored your last search for you - not live data&rsquo) > > >)

You don&rsquot need YUI at all it only makes it easier. The logic to generically cache interfaces in local storage is always the same: check if a &ldquoSubmit&rdquo button has been activated (in PHP, Python, Ruby or whatever) and, if so, store the innerHTML of the entire form otherwise, just read from local storage and override the innerHTML of the form.

The Dark Side Of Local Storage

Of course, any powerful technology comes with the danger of people abusing it for darker purposes. Samy, the man behind the &ldquoSamy is my hero&rdquo MySpace worm, recently released a rather scary demo called Evercookie, which shows how to exploit all kind of techniques, including local storage, to store information of a user on their computer even when cookies are turned off. This code could be used in all kinds of ways, and to date there is no way around it.

Further Reading on SmashingMag:

Research like this shows that we need to look at HTML5&rsquos features and add-ons from a security perspective very soon to make sure that people can&rsquot record user actions and information without the user&rsquos knowledge. An opt-in for local storage, much like you have to opt in to share your geographic location, might be in order but from a UX perspective this is considered clunky and intrusive. Got any good ideas?


HTML5 and media extensions

Using HTML5 video alone has many limitations, however, the addition of the Media Source Extensions (MSE) and Encrypted Media Extensions (EME) specifications adds the benefits of adaptive bitrate streaming and playback of protected content, respectively.

MSE support allows JavaScript to generate streams for media playback using HTML media tags so you can play live or on-demand streams with HTML5. This means browser-independent player technology can be built without the use of plug-in technologies, enabling playback features such as adaptive bitrate streaming, time shifting, ad insertion, video editing, and multiple audio tracks. Videos are encoded once and then play consistently across modern browsers and most tablets and smartphones.


Additional logging

You can turn on the securityDebugLogRejections and securityDebugLogDetails application properties to log additional information, which can help to identify configuration problems. To add these properties in Wowza Streaming Engine Manager, you must set them as custom properties in the application. See Add a custom property for details.

The following are the values that must be used in the Add Custom Property dialog box for each custom logging property:


How to protect the loaded json file name and location using html5 and javascript? - Geographic Information Systems

General Bikeshare Feed Specification (GBFS)

This document explains the types of files and data that comprise the General Bikeshare Feed Specification (GBFS) and defines the fields used in all of those files.

This documentation refers to v3.0-RC (release candidate).
For the current version see version 2.2. For past and upcoming versions see the README.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119, BCP 14 and RFC8174 when, and only when, they appear in all capitals, as shown here.

This specification has been designed with the following concepts in mind:

  • Provide the status of the system at this moment
  • Do not provide information whose primary purpose is historical

The specification supports real-time travel advice in GBFS-consuming applications.

The version of the GBFS specification to which a feed conforms is declared in the version field in all files. See Output Format.

GBFS Best Practice defines that:

GBFS producers SHOULD provide endpoints that conform to both the current specification long term support (LTS) branch as well as the latest release branch within at least 3 months of a new spec MAJOR or MINOR version release. It is not necessary to support more than one MINOR release of the same MAJOR release group because MINOR releases are backwards-compatible. See specification versioning

GBFS consumers SHOULD, at a minimum, support the current LTS branch. It is highly RECOMMENDED that GBFS consumers support later releases.

Default GBFS feed URLs, e.g. https://www.example.com/data/gbfs.json or https://www.example.com/data/fr/system_information.json MUST direct consumers to the feed that conforms to the current LTS documentation branch.

This section defines terms that are used throughout this document.

  • JSON - (JavaScript Object Notation) is a lightweight format for storing and transporting data. This document uses many terms defined by the JSON standard, including field, array, and object. (https://www.w3schools.com/js/js_json_datatypes.asp)
  • Field - In JSON, a name/value pair consists of a field name (in double quotes), followed by a colon, followed by a value. (https://www.w3schools.com/js/js_json_syntax.asp)
  • GeoJSON - GeoJSON is a format for encoding a variety of geographic data structures. (https://geojson.org/)
  • REQUIRED - The field MUST be included in the dataset, and a value MUST be provided in that field for each record.
  • OPTIONAL - The field MAY be omitted from the dataset. If an OPTIONAL column is included, some of the entries in that field MAY be empty strings. An omitted field is equivalent to a field that is empty.
  • Conditionally REQUIRED - The field or file is REQUIRED under certain conditions, which are outlined in the field or file description. Outside of these conditions, this field or file is OPTIONAL.
File Name REQUIRED Defines
gbfs.json Yes
(as of v2.0)
Auto-discovery file that links to all of the other files published by the system.
gbfs_versions.json
(added in v1.1)
OPTIONAL Lists all feed endpoints published according to versions of the GBFS documentation.
system_information.json Yes Details including system operator, system location, year implemented, URL, contact info, time zone.
vehicle_types.json
(added in v2.1)
Conditionally REQUIRED Describes the types of vehicles that System operator has available for rent. REQUIRED of systems that include information about vehicle types in the free_bike_status file. If this file is not included, then all vehicles in the feed are assumed to be non-motorized bicycles.
station_information.json Conditionally REQUIRED List of all stations, their capacities and locations. REQUIRED of systems utilizing docks.
station_status.json Conditionally REQUIRED Number of available vehicles and docks at each station and station availability. REQUIRED of systems utilizing docks.
free_bike_status.json Conditionally REQUIRED (as of v2.1) Describes all vehicles that are not currently in active rental. REQUIRED for free floating (dockless) vehicles. OPTIONAL for station based (docked) vehicles. Vehicles that are part of an active rental MUST NOT appear in this feed.
system_hours.json OPTIONAL Hours of operation for the system.
system_calendar.json OPTIONAL Dates of operation for the system.
system_regions.json OPTIONAL Regions the system is broken up into.
system_pricing_plans.json OPTIONAL System pricing scheme.
system_alerts.json OPTIONAL Current system alerts.
geofencing_zones.json
(added in v2.1)
OPTIONAL Geofencing zones and their associated rules and attributes.

Datasets SHOULD be published at an easily accessible, public, permanent URL. (e.g., https://www.example.com/gbfs/v3/gbfs.json). The URL SHOULD be directly available without requiring login to access the file to facilitate download by consuming software applications.

To be compliant with GBFS, all systems MUST have an entry in the systems.csv file.

Automated tools for application performance monitoring SHOULD be used to ensure feed availability. Producers SHOULD provide a technical contact who can respond to feed outages in the feed_contact_email field in the system_information.json file.

Seasonal Shutdowns, Disruptions of Service

Feeds SHOULD continue to be published during seasonal or temporary shutdowns. Feed URLs SHOULD NOT return a 404. An empty bikes array SHOULD be returned by free_bike_status.json . Stations in station_status.json SHOULD be set to is_renting:false , is_returning:false and is_installed:false where applicable. Seasonal shutdown dates SHOULD be reflected in system_calendar.json .

Announcements for disruptions of service, including disabled stations or temporary closures of stations or systems SHOULD be made in system_alerts.json .

  • All files SHOULD be valid JSON
  • All files in the spec MAY be published at a URL path or with an alternate name (e.g., station_info instead of station_information.json ) (as of v2.0).
  • All data SHOULD be UTF-8 encoded
  • Line breaks SHOULD be represented by unix newline characters only ( )
  • Pagination is not supported.
  • Files are distributed as individual HTTP endpoints.
    • REQUIRED files MUST NOT 404. They MUST return a properly formatted JSON file as defined in Output Format.
    • OPTIONAL files MAY 404. A 404 of an OPTIONAL file SHOULD NOT be considered an error.

    Publishers SHOULD implement auto-discovery of GBFS feeds by linking to the location of the gbfs.json auto-discovery endpoint.

    • The location of the auto-discovery file SHOULD be provided in the HTML area of the shared mobility landing page hosted at the URL specified in the URL field of the system_infomation.json file.
    • This is referenced via a link tag with the following format:
      • <link rel="gbfs" type="application/json" href="https://www.example.com/data/gbfs.json" />
      • References:
      • Each set of data files SHOULD be distributed in a single language as defined in system_information.json.
      • A system that wants to publish feeds in multiple languages SHOULD do so by publishing multiple distributions, such as:
        • https://www.example.com/data/en/system_information.json
        • https://www.example.com/data/fr/system_information.json

        Rich text SHOULD NOT be stored in free form text fields. Fields SHOULD NOT contain HTML.

        All customer-facing text strings (including station names) SHOULD use Mixed Case (not ALL CAPS), following local conventions for capitalization of place names on displays capable of displaying lower case characters.

        Abbreviations SHOULD NOT be used for names and other text (e.g. St. for Street) unless a location is called by its abbreviated name (e.g. “JFK Airport”). Abbreviations may be problematic for accessibility by screen reader software and voice user interfaces. Consuming software can be engineered to reliably convert full words to abbreviations for display, but converting from abbreviations to full words is prone to more risk of error.

        Names used for stations, virtual stations and geofenced areas SHOULD be human readable. Naming conventions used for locations SHOULD consider a variety of use cases including both text and maps.

        Descriptions SHOULD NOT include information so specific that it could be used in tracking of vehicles or trips.

        Feeds SHOULD provide 6 digits (0.000001) of precision for decimal degrees lat/lon coordinates.

        Decimal places Degrees Distance at the Equator
        0 1.0 111 km
        1 0.1 11.1 km
        2 0.01 1.11 km
        3 0.001 111 m
        4 0.0001 11.1 m
        5 0.00001 1.11 m
        6 0.000001 0.11 m
        7 0.0000001 1.11 cm

        The data returned by the near-realtime endpoints station_status.json and free_bike_status.json SHOULD be as close to realtime as possible, but in no case should it be more than 5 minutes out-of-date. Appropriate values SHOULD be set using the ttl property for each endpoint based on how often the data in feeds are refreshed or updated. For near-realtime endpoints where the data should always be refreshed the ttl value SHOULD be 0 . The last_updated timestamp represents the publisher's knowledge of the current state of the system at this point in time. The last_reported timestamp represents the last time a station or vehicle reported its status to the operator's backend.

        It is RECOMMENDED that all GBFS data sets be offered under an open data license. Open data licenses allow consumers to freely use, modify and share GBFS data for any purpose in perpetuity. Licensing of GBFS data provides certainty to GBFS consumers, allowing them to integrate GBFS data into their work. All GBFS data sets SHOULD specify a license using the license_id field with an SPDX identifier or by using the license_url field with a URL pointing to a custom license in system_information.json . See the GBFS repo for a comparison of a subset of standard licenses.

        • Array - A JSON element consisting of an ordered sequence of zero or more values.
        • Boolean - One of two possible values, true or false . Boolean values MUST be JSON booleans, not strings (i.e. true or false , not "true" or "false" ). (as of v2.0)
        • Date - Service day in the YYYY-MM-DD format. Example: 2019-09-13 for September 13th, 2019.
        • Email - An email address. Example: [email protected]
        • Enum (Enumerable values) - An option from a set of predefined constants in the "Defines" column. Enum values SHOULD be lowercase. Example: The rental_methods field contains values creditcard , paypass , etc.
        • Float (added in v2.1) - A 32-bit floating point number.
        • GeoJSON FeatureCollection - A FeatureCollection as described by the IETF RFC 7946 https://tools.ietf.org/html/rfc7946#section-3.3.
        • GeoJSON Multipolygon - A Geometry Object as described by the IETF RFC https://tools.ietf.org/html/rfc7946#section-3.1.7.
        • ID - Should be represented as a string that identifies that particular entity. An ID:
          • MUST be unique within like fields (e.g. station_id MUST be unique among stations)
          • does not have to be globally unique, unless otherwise specified
          • MUST NOT contain spaces
          • MUST be persistent for a given entity (station, plan, etc). An exception is floating bike bike_id , which MUST NOT be persistent for privacy reasons (see free_bike_status.json ). (as of v2.0)

          Extensions Outside of the Specification

          To accommodate the needs of feed producers and consumers prior to the adoption of a change, additional fields can be added to feeds even if these fields are not part of the official specification. Custom extensions that may provide value to the GBFS community and align with the GBFS Guiding Principles SHOULD be proposed for inclusion in the specification through the change process.

          Field names of extensions SHOULD be prefixed with an underscore ( _) character. It is strongly RECOMMENDED that these additional fields be documented on the wiki page of the GBFS repository in this format:

          Submitted by Field Name File Name Defines
          Publisher's name _field_name Name of GBFS endpoint where field is used Description of purpose of use

          Every JSON file presented in this specification contains the same common header information at the top level of the JSON response object:

          Field Name REQUIRED Type Defines
          last_updated Yes Timestamp Indicates the last time data in the feed was updated. This timestamp represents the publisher's knowledge of the current state of the system at this point in time.
          ttl Yes Non-negative integer Number of seconds before the data in the feed will be updated again (0 if the data should always be refreshed).
          version
          (added in v1.1)
          Yes String GBFS version number to which the feed confirms, according to the versioning framework.
          data Yes Object Response data in the form of name:value pairs.

          The gbfs.json discovery file SHOULD represent a single system or geographic area in which vehicles are operated. The location (URL) of the gbfs.json file SHOULD be made available to the public using the specification’s auto-discovery function.

          Field Name REQUIRED Type Defines
          language Yes Language The language that will be used throughout the rest of the files. It MUST match the value in the system_information.json file.
          - feeds Yes Array An array of all of the feeds that are published by this auto-discovery file. Each element in the array is an object with the keys below.
          - name Yes String Key identifying the type of feed this is. The key MUST be the base file name defined in the spec for the corresponding feed type ( system_information for system_information.json file, station_information for station_information.json file).
          - url Yes URL URL for the feed. Note that the actual feed endpoints (urls) MAY NOT be defined in the file_name.json format. For example, a valid feed endpoint could end with station_info instead of station_information.json .

          gbfs_versions.json (added in v1.1)

          Each expression of a GBFS feed describes all of the versions that are available.

          The following fields are all attributes within the main "data" object for this feed.

          Field Name REQUIRED Type Defines
          versions Yes Array Contains one object, as defined below, for each of the available versions of a feed. The array MUST be sorted by increasing MAJOR and MINOR version number.
          - version Yes String The semantic version of the feed in the form X.Y .
          - url Yes URL URL of the corresponding gbfs.json endpoint.

          The following fields are all attributes within the main "data" object for this feed.

          If a rental_uris . android field is populated then this field is REQUIRED, otherwise it is OPTIONAL.

          See the Analytics section for how viewing apps can report the origin of the deep link to rental apps.

          This field is REQUIRED if a rental_uris . android field is populated, otherwise it is OPTIONAL.

          If a rental_uris . ios field is populated then this field is REQUIRED, otherwise it is OPTIONAL.

          See the Analytics section for how viewing apps can report the origin of the deep link to rental apps.

          This field is REQUIRED if a rental_uris . ios field is populated, otherwise it is OPTIONAL.

          vehicle_types.json (added in v2.1)

          REQUIRED of systems that include information about vehicle types in the free_bike_status file. If this file is not included, then all vehicles in the feed are assumed to be non-motorized bicycles. This file SHOULD be published by systems offering multiple vehicle types for rental, for example pedal bikes and ebikes.
          The following fields are all attributes within the main "data" object for this feed.

          • human (Pedal or foot propulsion)
          • electric_assist (Provides power only alongside human propulsion)
          • electric (Contains throttle mode with a battery-powered motor)
          • combustion (Contains throttle mode with a gas engine-powered motor)

          All stations included in station_information.json are considered public (e.g., can be shown on a map for public use). If there are private stations (such as Capital Bikeshare’s White House station), these SHOULD NOT be included here. Any station that is represented in station_information.json MUST have a corresponding entry in station_status.json .

          • Broadway and East 22nd Street
          • Convention Center
          • Central Park South
          • key (e.g. operator issued vehicle key / fob / card)
          • creditcard
          • paypass
          • applepay
          • androidpay
          • transitcard
          • accountnumber
          • phone

          true - The station is a location without physical infrastructure, defined by a point (lat/lon) and/or station_area (below).
          false - The station consists of physical infrastructure (docks).

          If this field is empty, it means the station consists of physical infrastructure (docks).

          If this is a virtual station defined using the is_virtual_station field, this number represents the total number of vehicles of all types that can be parked at the virtual station.

          true - Valet services are provided at this station.
          false - Valet services are not provided at this station.

          If this field is empty, it is assumed that valet services are not provided at this station.

          This URI SHOULD be a deep link specific to this station, and SHOULD NOT be a general rental page that includes information for more than one station. The deep link SHOULD take users directly to this station, without any prompts, interstitial pages, or logins. Make sure that users can see this station even if they never previously opened the application.

          If this field is empty, it means deep linking isn’t supported in the native Android rental app.

          Note that URIs do not necessarily include the station_id for this station - other identifiers can be used by the rental app within the URI to uniquely identify this station.

          See the Analytics section for how viewing apps can report the origin of the deep link to rental apps.

          Android App Links example value: https://www.example.com/app?sid=1234567890&platform=android

          This URI SHOULD be a deep link specific to this station, and SHOULD NOT be a general rental page that includes information for more than one station. The deep link SHOULD take users directly to this station, without any prompts, interstitial pages, or logins. Make sure that users can see this station even if they never previously opened the application.

          If this field is empty, it means deep linking isn’t supported in the native iOS rental app.

          Note that the URI does not necessarily include the station_id - other identifiers can be used by the rental app within the URL to uniquely identify this station.

          See the Analytics section for how viewing apps can report the origin of the deep link to rental apps.

          iOS Universal Links example value: https://www.example.com/app?sid=1234567890&platform=ios

          This URL SHOULD be a deep link specific to this station, and SHOULD NOT be a general rental page that includes information for more than one station. The deep link SHOULD take users directly to this station, without any prompts, interstitial pages, or logins. Make sure that users can see this station even if they never previously opened the application.

          If this field is empty, it means deep linking isn’t supported for web browsers.

          Example 1: Physical station

          Example 2: Virtual station

          Describes the capacity and rental availability of a station. Data returned SHOULD be as close to realtime as possible, but in no case should it be more than 5 minutes out-of-date. See Data Latency. Data reflects the operator's most recent knowledge of the station’s status. Any station that is represented in station_status.json MUST have a corresponding entry in station_information.json .

          true - Station is installed on the street.
          false - Station is not installed on the street.

          true - Station is renting vehicles. Even if the station is empty, if it would otherwise allow rentals, this value MUST be true .
          false - Station is not renting vehicles.

          If the station is temporarily taken out of service and not allowing rentals, this field MUST be set to false .

          true - Station is accepting vehicle returns. Even if the station is full, if it would otherwise allow vehicle returns, this value MUST be true .
          false - Station is not accepting vehicle returns.

          If the station is temporarily taken out of service and not allowing vehicle returns, this field MUST be set to false .

          (as of v2.1) Describes all vehicles that are not currently in active rental. REQUIRED for free floating (dockless) vehicles. OPTIONAL for station based (docked) vehicles. Data returned SHOULD be as close to realtime as possible, but in no case should it be more than 5 minutes out-of-date. See Data Latency. Vehicles that are part of an active rental MUST NOT appear in this feed. Vehicles listed as available for rental MUST be in the field and accessible to users. Vehicles that are not accessible (e.g. in a warehouse or in transit) MUST NOT appear as available for rental.

          true - Vehicle is currently disabled.
          false - Vehicle is not currently disabled.

          This URI SHOULD be a deep link specific to this vehicle, and SHOULD NOT be a general rental page that includes information for more than one vehicle. The deep link SHOULD take users directly to this vehicle, without any prompts, interstitial pages, or logins. Make sure that users can see this vehicle even if they never previously opened the application. Note that as a best practice providers SHOULD rotate identifiers within deep links after each rental to avoid unintentionally exposing private vehicle trip origins and destinations.

          If this field is empty, it means deep linking is not supported in the native Android rental app.

          Note that URIs do not necessarily include the bike_id for this vehicle - other identifiers can be used by the rental app within the URI to uniquely identify this vehicle.

          See the Analytics section for how viewing apps can report the origin of the deep link to rental apps.

          Android App Links example value: https://www.example.com/app?sid=1234567890&platform=android

          This URI SHOULD be a deep link specific to this vehicle, and SHOULD NOT be a general rental page that includes information for more than one vehicle. The deep link SHOULD take users directly to this vehicle, without any prompts, interstitial pages, or logins. Make sure that users can see this vehicle even if they never previously opened the application. Note that as a best practice providers SHOULD rotate identifiers within deep links after each rental to avoid unintentionally exposing private vehicle trip origins and destinations.

          If this field is empty, it means deep linking is not supported in the native iOS rental app.

          Note that the URI does not necessarily include the bike_id - other identifiers can be used by the rental app within the URL to uniquely identify this vehicle.

          See the Analytics section for how viewing apps can report the origin of the deep link to rental apps.

          iOS Universal Links example value: https://www.example.com/app?sid=1234567890&platform=ios

          This URL SHOULD be a deep link specific to this vehicle, and SHOULD NOT be a general rental page that includes information for more than one vehicle. The deep link SHOULD take users directly to this vehicle, without any prompts, interstitial pages, or logins. Make sure that users can see this vehicle even if they never previously opened the application. Note that as a best practice providers SHOULD rotate identifiers within deep links after each rental to avoid unintentionally exposing private vehicle trip origins and destinations.

          If this field is empty, it means deep linking isn’t supported for web browsers.

          This OPTIONAL file is used to describe hours and days of operation when vehicles are available for rental. If system_hours.json is not published, it indicates that vehicles are available for rental 24 hours a day, 7 days a week.

          Field Name REQUIRED Type Defines
          rental_hours Yes Array Array of objects as defined below. The array MUST contain a minimum of one object identifying hours for every day of the week or a maximum of two for each day of the week objects ( one for each user type).
          - user_types Yes Array An array of member and/or nonmember value(s). This indicates that this set of rental hours applies to either members or non-members only.
          - days Yes Array An array of abbreviations (first 3 letters) of English names of the days of the week for which this object applies (e.g. ["mon", "tue", "wed", "thu", "fri", "sat, "sun"] ). Rental hours MUST NOT be defined more than once for each day and user type.
          - start_time Yes Time Start time for the hours of operation of the system in the time zone indicated in system_information.json.
          - end_time Yes Time End time for the hours of operation of the system in the time zone indicated in system_information.json.

          Describes the operating calendar for a system. This OPTIONAL file SHOULD be published by systems that operate seasonally or do not offer continuous year-round service.

          Field Name REQUIRED Type Defines
          calendars Yes Array Array of objects describing the system operational calendar. A minimum of one calendar object is REQUIRED. If start and end dates are the same every year, then start_year and end_year SHOULD be omitted.
          - start_month Yes Non-negative Integer Starting month for the system operations ( 1 - 12 ).
          - start_day Yes Non-negative Integer Starting date for the system operations ( 1 - 31 ).
          - start_year OPTIONAL Non-negative Integer Starting year for the system operations.
          - end_month Yes Non-negative Integer Ending month for the system operations ( 1 - 12 ).
          - end_day Yes Non-negative Integer Ending date for the system operations ( 1 - 31 ).
          - end_year OPTIONAL Non-negative Integer Ending year for the system operations.

          Describe regions for a system that is broken up by geographic or political region.