http-security 0.1.0

data/lib/http/security/version.rb

@@ -0,0 +1,5 @@
+module HTTP
+  module Security
+    VERSION = "0.1.0"
+  end
+end

data/spec/data/alexa.csv

@@ -0,0 +1,100 @@
+1,Google.com
+2,Facebook.com
+3,Youtube.com
+4,Yahoo.com
+5,Baidu.com
+6,Wikipedia.org
+7,Amazon.com
+8,Twitter.com
+9,Taobao.com
+10,Qq.com
+11,Google.co.in
+12,Live.com
+13,Linkedin.com
+14,Sina.com.cn
+15,Hao123.com
+16,Weibo.com
+17,Blogspot.com
+18,Yahoo.co.jp
+19,Tmall.com
+20,Yandex.ru
+21,Vk.com
+22,Ebay.com
+23,Google.de
+24,Sohu.com
+25,Bing.com
+26,Ask.com
+27,Wordpress.com
+28,Pinterest.com
+29,360.cn
+30,Google.co.uk
+31,Msn.com
+32,Google.co.jp
+33,Instagram.com
+34,Reddit.com
+35,Tumblr.com
+36,Google.fr
+37,Apple.com
+38,Google.com.br
+39,Mail.ru
+40,Imgur.com
+41,Xvideos.com
+42,163.com
+43,Paypal.com
+44,Google.ru
+45,Microsoft.com
+46,Alibaba.com
+47,Soso.com
+48,Adcash.com
+49,Aliexpress.com
+50,T.co
+51,Google.it
+52,Imdb.com
+53,Amazon.co.jp
+54,Go.com
+55,Google.es
+56,Craigslist.org
+57,Stackoverflow.com
+58,Xhamster.com
+59,Amazon.de
+60,Fc2.com
+61,Google.ca
+62,Espn.go.com
+63,Google.com.mx
+64,Onclickads.net
+65,Akamaihd.net
+66,Netflix.com
+67,Flipkart.com
+68,Gmw.cn
+69,Cnn.com
+70,Bbc.co.uk
+71,Adobe.com
+72,Google.com.hk
+73,Google.com.tr
+74,Amazon.co.uk
+75,Pornhub.com
+76,Huffingtonpost.com
+77,Dropbox.com
+78,Ebay.de
+79,Google.com.au
+80,Google.pl
+81,Kickass.to
+82,Odnoklassniki.ru
+83,Googleusercontent.com
+84,Dailymotion.com
+85,Blogger.com
+86,People.com.cn
+87,Rakuten.co.jp
+88,Amazon.in
+89,Thepiratebay.se
+90,Naver.com
+91,Xnxx.com
+92,Nytimes.com
+93,Xinhuanet.com
+94,Buzzfeed.com
+95,Pixnet.net
+96,Alipay.com
+97,Indiatimes.com
+98,Ebay.co.uk
+99,Outbrain.com
+100,Dailymail.co.uk

data/spec/headers/cache_control_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+require 'http/security/headers/cache_control'
+
+describe HTTP::Security::Headers::CacheControl do
+  let(:max_age) { 0 }
+
+  subject do
+    described_class.new(
+      private: true,
+      max_age: max_age,
+      no_cache: true
+    )
+  end
+
+  describe "#initialize" do
+    it "should set max_age" do
+      expect(subject.max_age).to be == max_age
+    end
+  end
+
+  describe "#private?" do
+    context "when private: is true" do
+      subject { described_class.new(private: true) }
+
+      it { expect(subject.private?).to be(true) }
+    end
+
+    context "when private: is false" do
+      subject { described_class.new(private: false) }
+
+      it { expect(subject.private?).to be(false) }
+    end
+  end
+
+  describe "#to_s" do
+    it "should return a comma separated list of directives" do
+      expect(subject.to_s).to be == "private, max-age=#{max_age}, no-cache"
+    end
+  end
+end

data/spec/headers/content_security_policy_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+require 'http/security/headers/content_security_policy'
+
+describe HTTP::Security::Headers::ContentSecurityPolicy do
+  let(:default_src) { "'self'" }
+  let(:img_src)   { '*' }
+  let(:object_src)  { 'media1.example.com media2.example.com *.cdn.example.com' }
+  let(:script_src)  { 'trustedscripts.example.com' }
+
+  subject do
+    described_class.new(
+      default_src: default_src,
+      img_src:     img_src,
+      object_src:  object_src,
+      script_src:  script_src
+    )
+  end
+
+  describe "#initialize" do
+    it "should set default_src"
+    it "should set script_src"
+    it "should set object_src"
+    it "should set style_src"
+    it "should set img_src"
+    it "should set media_src"
+    it "should set frame_src"
+    it "should set font_src"
+    it "should set connect_src"
+
+    context "when report_uri: is omitted" do
+      subject { described_class.new() }
+
+      it "should default it to []" do
+        expect(subject.report_uri).to be == []
+      end
+    end
+
+    it "should set sandbox"
+  end
+
+  describe "#to_s" do
+    it "should return a semicolon separated list of directives" do
+      expect(subject.to_s).to be == "default-src #{default_src}; script-src #{script_src}; object-src #{object_src}; img-src #{img_src}"
+    end
+  end
+end

data/spec/headers/pragma_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+require 'http/security/headers/pragma'
+
+describe HTTP::Security::Headers::Pragma do
+  subject { described_class.new(no_cache: true) }
+
+  describe "no_cache?" do
+    context "when no_cache: was true" do
+      subject { described_class.new(no_cache: true) }
+
+      it { expect(subject.no_cache?).to be true }
+    end
+
+    context "when no_cache: was false" do
+      subject { described_class.new(no_cache: false) }
+
+      it { expect(subject.no_cache?).to be false }
+    end
+  end
+
+  describe "#to_s" do
+    it "should return a string" do
+      expect(subject.to_s).to be == "no-cache"
+    end
+  end
+end

data/spec/headers/public_key_pins_spec.rb

@@ -0,0 +1,68 @@
+require 'spec_helper'
+require 'http/security/headers/public_key_pins'
+
+require 'uri'
+
+describe HTTP::Security::Headers::PublicKeyPins do
+  let(:pin_sha256) do
+    [
+      'klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=',
+      'M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE='
+    ]
+  end
+  let(:pin_sha9000)         { 'jlkfsjlksjlkfsjfs' }
+  let(:max_age)             { 31536000 }
+  let(:include_sub_domains) { true }
+  let(:report_uri)          { URI('https://www.example.com/') }
+  let(:strict)              { true }
+
+  subject do
+    described_class.new(
+      pin_sha256:          pin_sha256,
+      'pin-sha9000' =>     pin_sha9000,
+      max_age:             max_age,
+      includesubdomains:   include_sub_domains,
+      report_uri:          report_uri,
+      strict:              strict
+    )
+  end
+
+  describe "#initialize" do
+    it "should group together pin options" do
+      expect(subject.pin).to be == {
+        sha256:      pin_sha256,
+        'sha9000' => [pin_sha9000]
+      }
+    end
+
+    it "should set max_age" do
+      expect(subject.max_age).to be max_age
+    end
+
+    it "should set include_sub_domains" do
+      expect(subject.include_sub_domains?).to be include_sub_domains
+    end
+
+    it "should set report_uri" do
+      expect(subject.report_uri).to be report_uri
+    end
+
+    it "should set strict" do
+      expect(subject.strict?).to be strict
+    end
+  end
+
+  describe "#to_s" do
+    it "should return a semicolon separated list of directives" do
+      expect(subject.to_s).to be == [
+        "pin-sha256=\"#{pin_sha256[0]}\"",
+        "pin-sha256=\"#{pin_sha256[1]}\"",
+        "pin-sha9000=\"#{pin_sha9000}\"",
+        "max-age=#{max_age}",
+        "includeSubdomains",
+        "report-uri=\"#{report_uri}\"",
+        "strict"
+      ].join('; ')
+    end
+  end
+end

data/spec/headers/set_cookie_spec.rb

@@ -0,0 +1,122 @@
+require 'spec_helper'
+require 'http/security/headers/set_cookie'
+
+require 'date'
+
+describe HTTP::Security::Headers::SetCookie do
+  let(:path)      { '/accounts' }
+  let(:expires)   { Date.parse("Wed, 09 Jun 2021 10:18:14 GMT") }
+  let(:secure)    { 'Secure' }
+  let(:domain)    { '.example.com' }
+  let(:http_only) { 'HttpOnly' }
+
+  describe described_class::Cookie do
+    let(:name)      { :foo  }
+    let(:value)     { 'bar' }
+
+    subject do
+      described_class.new(
+        cookie:    {name => value},
+        path:      path,
+        expires:   expires,
+        secure:    secure,
+        domain:    domain,
+        http_only: http_only
+      )
+    end
+
+    describe "#initialize" do
+      it "should set cookie" do
+        expect(subject.cookie).to be == {name => value}
+      end
+    end
+
+    describe "#name" do
+      it "should return the name" do
+        expect(subject.name).to be == name
+      end
+    end
+
+    describe "#value" do
+      it "should return the value" do
+        expect(subject.value).to be == value
+      end
+    end
+
+    describe "#secure?" do
+      context "when secure: was present" do
+        subject { described_class.new(secure: 'Secure') }
+
+        it { expect(subject.secure?).to be true}
+      end
+
+      context "when secure: was not present" do
+        subject { described_class.new() }
+
+        it { expect(subject.secure?).to be false }
+      end
+    end
+
+    describe "#http_only?" do
+      context "when http_only: was present" do
+        subject { described_class.new(http_only: 'HttpOnly') }
+
+        it { expect(subject.http_only?).to be true}
+      end
+
+      context "when http_only: was not present" do
+        subject { described_class.new() }
+
+        it { expect(subject.http_only?).to be false }
+      end
+    end
+
+    describe "#to_s" do
+      it "should format the cookie" do
+        expect(subject.to_s).to be == "#{name}=#{value}; Path=#{path}; Domain=#{domain}; Expires=#{expires.httpdate}; #{secure}; #{http_only}"
+      end
+    end
+  end
+
+  let(:cookies) do
+    [
+      {
+        cookie:    {foo: 'bar'},
+        path:      path,
+        domain:    domain,
+        secure:    secure,
+        http_only: http_only
+      },
+
+      {
+        cookie:  {bar: 'baz'},
+        domain:  domain,
+        path:    path,
+        expires: expires
+      }
+    ]
+  end
+
+  subject { described_class.new(cookies) }
+
+  describe "#initialize" do
+    it "should set cookies" do
+      expect(subject.cookies.length).to be == cookies.length
+      expect(subject.cookies).to all(be_kind_of(described_class::Cookie))
+    end
+  end
+
+  describe "#each" do
+    it "should enumerate over each cookie" do
+      expect { |b|
+        subject.each(&b)
+      }.to yield_successive_args(*subject.cookies)
+    end
+  end
+
+  describe "#to_s" do
+    it "should return a semicolon separated list of directives" do
+      expect(subject.to_s).to be == "foo=bar; Path=#{path}; Domain=#{domain}; Secure; HttpOnly, bar=baz; Path=#{path}; Domain=#{domain}; Expires=#{expires.httpdate}"
+    end
+  end
+end

data/spec/headers/strict_transport_security_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+require 'http/security/headers/strict_transport_security'
+
+describe HTTP::Security::Headers::StrictTransportSecurity do
+  let(:max_age) { 31536000 }
+
+  subject do
+    described_class.new(
+      max_age:           max_age,
+      includesubdomains: true
+    )
+  end
+
+  describe "#initialize" do
+    it "should set max_age" do
+      expect(subject.max_age).to be == max_age
+    end
+  end
+
+  describe "#include_sub_domains?" do
+    context "when includesubdomains: was true" do
+      subject { described_class.new(includesubdomains: true) }
+
+      it { expect(subject.include_sub_domains?).to be true }
+    end
+
+    context "when includesubdomains: was false" do
+      subject { described_class.new(includesubdomains: false) }
+
+      it { expect(subject.include_sub_domains?).to be false }
+    end
+  end
+
+  describe "#to_s" do
+    it "should return a string" do
+      expect(subject.to_s).to be == "max-age=#{max_age}; includeSubDomains"
+    end
+  end
+end