cuba-secure_headers 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5825ac4fba6dec67702d332095ad0389af9a4f58
+  data.tar.gz: 0ef1043e6bb07bd07d6faa5c3c77b5615425e1a3
+SHA512:
+  metadata.gz: 7ae544dafa870f78eb0bf4183e4fad2a41f65533a78c5fcdb905bbce1b1e13ac170845fc859659c48294f81fd287f3c221027678a0804772d867421649764818
+  data.tar.gz: 3d1eb6c90eca6814c2905fc8e1de9c5e6fcceb0e03ea6bd08d64c4ba0f584a41d2ac92a35a30dd6da2229b8c7d53efa72da183a7e313f6fbbac997b7588dc762

data/.gems

@@ -0,0 +1,4 @@
+cutest -v 1.2.2
+cuba -v 3.3.0
+rack-protection -v 1.5.3
+benchmark-ips -v 2.1.0

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2015-Present Francesco Rodríguez, Mayn Kjær
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,36 @@
+cuba-secure_headers
+===================
+
+Security related headers for Cuba applications. It's heavily inspired
+by [secureheaders][secureheaders].
+
+Description
+-----------
+
+This gem applies the following headers:
+
+- HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks.  [HSTS Specification](https://tools.ietf.org/html/rfc6797)
+- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
+- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
+- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
+- X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
+- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
+
+Usage
+-----
+
+```ruby
+require "cuba"
+require "cuba/secure_headers"
+
+Cuba.plugin(Cuba::SecureHeaders)
+```
+
+Installation
+------------
+
+```
+$ gem install cuba-secure_headers
+```
+
+[secureheaders]: https://github.com/twitter/secureheaders

data/benchmark/secure_headers.rb

@@ -0,0 +1,56 @@
+require "benchmark/ips"
+require "cuba"
+require "rack/protection"
+require_relative "../lib/cuba/secure_headers"
+
+# Cuba::SecureHeaders sets:
+#
+#   - X-XSS-Protection
+#   - X-Frame-Options
+#   - X-Content-Type-Options
+#   - X-Download-Options
+#   - X-Permitted-Cross-Domain-Policies
+#
+class CubaSecureHeaders < Cuba
+  plugin(Cuba::SecureHeaders)
+
+  define do
+    on root do
+      res.write("hello")
+    end
+  end
+end
+
+# Rack::Protection only sets:
+#
+#   - X-XSS-Protection
+#   - X-Frame-Options
+#   - X-Content-Type-Options
+#
+class RackProtection < Cuba
+  use(Rack::Protection::FrameOptions)
+  use(Rack::Protection::XSSHeader)
+
+  define do
+    on root do
+      res.write("hello")
+    end
+  end
+end
+
+Benchmark.ips do |x|
+  x.report("rack-protection") do
+    RackProtection.call("PATH_INFO" => "/", "SCRIPT_NAME" => "/")
+  end
+
+  x.report("cuba-secure_headers") do
+    CubaSecureHeaders.call("PATH_INFO" => "/", "SCRIPT_NAME" => "/")
+  end
+end
+
+# Calculating -------------------------------------
+#      rack-protection     4.938k i/100ms
+#  cuba-secure_headers     6.750k i/100ms
+# -------------------------------------------------
+#      rack-protection     50.248k (± 7.7%) i/s -    251.838k
+#  cuba-secure_headers     76.533k (± 3.5%) i/s -    384.750k

data/cuba-secure_headers.gemspec

@@ -0,0 +1,15 @@
+Gem::Specification.new do |s|
+  s.name = "cuba-secure_headers"
+  s.version = "0.0.1"
+  s.summary = "Secure HTTP headers for Cuba"
+  s.description = s.summary
+  s.authors = ["Francesco Rodríguez", "Mayn Kjær"]
+  s.email = ["frodsan@me.com", "mayn.kjaer@gmail.com"]
+  s.homepage = "https://github.com/harmoni-io/cuba-secure_headers"
+  s.license = "MIT"
+
+  s.files = `git ls-files`.split("\n")
+
+  s.add_dependency "cuba"
+  s.add_development_dependency "cutest"
+end

data/lib/cuba/secure_headers.rb

@@ -0,0 +1,22 @@
+require "cuba"
+
+module Cuba::SecureHeaders
+  class SafeResponse < ::Cuba::Response
+    HEADERS = {
+      "X-Content-Type-Options" => "nosniff",
+      "X-Download-Options" => "noopen",
+      "X-Frame-Options" => "SAMEORIGIN",
+      "X-Permitted-Cross-Domain-Policies" => "none",
+      "X-XSS-Protection" => "1; mode=block",
+      "Strict-Transport-Security" => "max-age=631138519; includeSubdomains; preload"
+    }
+
+    def initialize(status = nil, headers = HEADERS.dup)
+      super(status, headers)
+    end
+  end
+
+  def self.setup(app)
+    app.settings[:res] = SafeResponse
+  end
+end

data/makefile

@@ -0,0 +1,7 @@
+.PHONY: test
+
+gem:
+	gem build cuba-secure_headers.gemspec
+
+test:
+	cutest test/*.rb

data/test/secure_headers.rb

@@ -0,0 +1,20 @@
+require "cutest"
+require_relative "../lib/cuba/secure_headers"
+
+test "secure headers" do
+  Cuba.plugin(Cuba::SecureHeaders)
+
+  Cuba.define do
+    on root do
+      res.write("hello")
+    end
+  end
+
+  _, headers, _ = Cuba.call("PATH_INFO" => "/", "SCRIPT_NAME" => "/")
+
+  secure_headers = Cuba::SecureHeaders::SafeResponse::HEADERS
+  secure_headers.each do |header, value|
+    assert_equal(value, headers[header])
+  end
+end
+

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: cuba-secure_headers
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Francesco Rodríguez
+- Mayn Kjær
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-01-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cuba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cutest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Secure HTTP headers for Cuba
+email:
+- frodsan@me.com
+- mayn.kjaer@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gems"
+- LICENSE
+- README.md
+- benchmark/secure_headers.rb
+- cuba-secure_headers.gemspec
+- lib/cuba/secure_headers.rb
+- makefile
+- test/secure_headers.rb
+homepage: https://github.com/harmoni-io/cuba-secure_headers
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Secure HTTP headers for Cuba
+test_files: []