lotusrb 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 320e113169441d3fdb7bb851a72be8f17de2ec49
-  data.tar.gz: 89278bf192dad6ddeb32eba05f20fd140d455448
+  metadata.gz: b55d7a5c85223bdd933991a7dd042bc9319346c4
+  data.tar.gz: 64b71e0266d64d7ffcdf65af2f7d6309432dc673
 SHA512:
-  metadata.gz: 8f603661a19cc39c20aefa34afc8e150b0c1beb3d833658c4b075035b8fadb9c1d565f4b98907ff9ad4e44d71bec591f5542ca1c45e79a6b447ef2cf1ed24aa7
-  data.tar.gz: a29f1c9c800a857ce759e5d61618ee366afdb710dae60bc628142311d9a5daaf8904791cd023c77f538a3525f5f5a91fd4008064d6319f73449016f1cbcd0e4c
+  metadata.gz: b8fbd473ccaedb272a101587f25ed494cc1a6bd43d3dbd89971baef2520293398358153dc0d5d231fe2dd8ab4f06fcf50b242990b0ae95ec48064e2cf06d52e3
+  data.tar.gz: 2365f2e8fb616a841d670adc1d29a59fc1004dc1e05fc9039ff9da52349407aecdbf245b392c9eb0bc6e8a21a061d8262f5115948540f5b34f221b7271a45955

data/CHANGELOG.md

@@ -1,20 +1,37 @@
 # Lotus
 A complete web framework for Ruby
 
+## v0.3.0 - 2015-03-23
+### Added
+- [Luca Guidi] Introduced action generator. Eg. `bundle exec lotus generate action web dashboard#index`
+- [Alfonso Uceda Pompa] Allow to specify default coookies options in application configuration. Eg. `cookies true, { domain: 'lotusrb.org' }`
+- [Tom Kadwill] Include `Lotus::Helpers` in views.
+- [Linus Pettersson] Allow to specify `--database` CLI option when generate a new application. Eg. `lotus new bookshelf --database=postgresql`
+- [Linus Pettersson] Initialize a Git repository when generating a new application
+- [Alfonso Uceda Pompa] Produce `.lotusrc` when generating a new application
+- [Alfonso Uceda Pompa] Security HTTP headers. `X-Frame-Options` and `Content-Security-Policy` are now enabled by default.
+- [Linus Pettersson] Database console. Run with `bundle exec lotus db console`
+- [Luca Guidi] Dynamic finders for relative and absolute routes. It implements method missing: `Web::Routes.home_path` will resolve to `Web::Routes.path(:home)`.
+
+### Changed
+– [Alfonso Uceda Pompa] Cookies will send `HttpOnly` by default. This is for security reasons.
+- [Jan Lelis] Enable `templates` configuration for new generated apps
+- [Mark Connell] Change SQLite file extension from `.db` to `.sqlite3`
+
 ## v0.2.1 - 2015-02-06
 ### Added
-- [Huy Do] Introduced `Lotus::Logger`
+- [Huy Đỗ] Introduced `Lotus::Logger`
 - [Jimmy Zhang] `lotus new` accepts a `--path` argument
 - [Jimmy Zhang] Application generator for the current directory (`lotus new .`). This is useful to provide a web deliverable for existing Ruby gems.
 - [Trung Lê] Add example mapping file for application generator: `lib/config/mapping.rb`
-- [Hieu Nguyen] RSpec support for application generator: `--test=rspec` or `--test=minitest` (default)
+- [Hiếu Nguyễn] RSpec support for application generator: `--test=rspec` or `--test=minitest` (default)
 
 ### Fixed
 - [Luca Guidi] `lotus version` to previx `v` (eg `v0.2.1`)
 - [Rob Yurkowski] Ensure application name doesn't contain special or forbidden characters
 - [Luca Guidi] Ensure all the applications are loaded in console
 - [Trung Lê] Container architecture: preload only `lib/<appname>/**/*.rb`
-- [Hieu Nguyen] Fixed `lotus new` to print usage when application name isn't provided
+- [Hiếu Nguyễn] Fixed `lotus new` to print usage when application name isn't provided
 
 ## v0.2.0 - 2014-06-23
 ### Added

data/FEATURES.md

@@ -0,0 +1,94 @@
+# Lotus
+### A complete web framework for Ruby
+
+## Features
+
+## v0.3.0 - 2015-03-23
+
+- CLI: `lotus generate action web dashboard#index`. It generates an action, a view, a template, a route and related unit test files.
+- CLI: `lotus db console`. It starts a database REPL.
+- Full featured HTML5 markup generator for views (Eg. `html.div { p "Hello World" }`)
+- Routing helpers in views and templates (Eg. `routes.home_path`).
+- `lotus new` supports `--database` (Eg. `lotus new bookshelf --database=postgresql`).
+- Initialize a Git repository when generate a new application
+- Security: XSS (Cross Site Scripting) protections
+- Security: Clickhijacking protection
+- Security: Cookies are set as `HttpOnly` by default.
+- Security: enable by default `X-Frame-Options` and `Content-Security-Policy` HTTP headers for new generated applications.
+- Security: auto-escape output of presenters.
+- Security: auto-escape output of virtual an concrete view methods.
+- Security: view and template helpers for HTML, HTML attributes and URL escape. It's based on OWASP/ESAPI recommendations.
+- Access nested action params with a safe API (`params.get('address.city')`).
+- Interactors (aka Service Objects)
+- Database transactions
+
+## v0.2.1 - 2015-02-06
+
+- Allow entities to include validations.
+- `lotus new .` to generate a Lotus application for an existing code base (Eg. a gem that needs a web UI).
+- `lotus new` supports `--path` (for destination directory), `--test` (to generate Minitest or RSpec boilerplate).
+- Lotus logger
+
+## v0.2.0 - 2014-12-23
+
+- Support Minitest as default testing framework (`bundle exec rake` runs the entire test suite of an application).
+- Support for _Method Override_ technique.
+- Custom templates for non successful responses (Eg. `404.html.erb`).
+- Support distinct `.env` files for each Lotus environment.
+- Allow to configure multiple applications and handle Lotus environments accordingly.
+- Allow to configure middleware stack, routes, database mapping and adapter for each application.
+- Show a welcome page with instructions for new generated apps.
+- CLI: `lotus routes`. It prints all the routes available for all the applications.
+- CLI: `lotus new`. It generates a new application which can run multiple Lotus applications (_Container_ architecture).
+- CLI: `lotus console`. It starts a Ruby REPL. It supports IRB (default), Pry and Ripl.
+- CLI: `lotus server`. It starts a web server that supports code reloading. It supports all the Rack web servers (default: WEBRick).
+- Database adapters: File system (default for new apps)
+- Allow to share code for all the views and actions of an application
+- Reusable validations framework (mixin). It supports: coercions and presence, format, acceptance, size, inclusion, exclusion, confirmation validations.
+- Default Content-Type and Charset for responses
+- Whitelist accepted MIME Types
+- Custom exception handlers for actions
+- Unique identifier for incoming HTTP requests
+- Nested action params
+- Action params _indifferent access_, whitelisting, validations and coercions
+- HTTP caching (`Cache-Control`, `Last-Modified`, ETAG, Conditional GET, expires)
+- JSON body parser for non-GET HTTP requests
+- Routes inspector for CLI
+
+## v0.1.0 - 2014-06-23
+
+- Run multiple Lotus applications in the same Ruby process
+- Serve static files
+- Render default pages for non successful responses (404, 500, etc.)
+- Support multiple Lotus environments (development, test and production)
+- Full stack applications
+- Data mapper
+- Database adapters: Memory and SQL
+- Reusable scopes for repositories
+- Repositories
+- Entities
+- Custom rendering implementation via `#render` override in views
+- Render partials and templates
+- Presenters
+- Layouts
+- Views are able to handle multiple MIME Types according to the defined templates
+- Support for all the most common template engines for Ruby. Including ERb, Slim, HAML, etc.
+- Basic view rendering with templates
+- Bypass rendering by setting a response body in actions (`self.body = "Hello"`)
+- Single actions are able to mount Rack middleware
+- Automatic MIME Type handling for request and responses
+- HTTP sessions
+- HTTP cookies
+- HTTP redirect
+- Action before/after callbacks
+- Handle exceptions with HTTP statuses
+- Action exposures, to expose a payload to pass to the other application layers
+- Actions compatible with Rack
+- Mount Rack applications
+- Nested route namespaces
+- RESTful resource(s), including collection and member actions
+- Named routes, routes constraints, variables, catch-all
+- Compatibility with Lotus::Controller
+- HTTP redirect from the router
+- HTTP routing compatible with Rack
+- Thread safety

data/README.md

@@ -4,17 +4,19 @@ A complete web framework for Ruby
 
 ## Frameworks
 
-Lotus combines together small but yet powerful frameworks:
+Lotus combines small yet powerful frameworks:
 
 * [**Lotus::Utils**](https://github.com/lotus/utils) - Ruby core extentions and class utilities
 * [**Lotus::Router**](https://github.com/lotus/router) - Rack compatible HTTP router for Ruby
 * [**Lotus::Validations**](https://github.com/lotus/validations) - Validation mixin for Ruby objects
+* [**Lotus::Helpers**](https://github.com/lotus/helpers) - View helpers for Ruby applications
 * [**Lotus::Model**](https://github.com/lotus/model) - Persistence with entities, repositories and data mapper
 * [**Lotus::View**](https://github.com/lotus/view) - Presentation with a separation between views and templates
+* [**Lotus::Helpers**](https://github.com/lotus/helpers) - Presentation helpers for views
 * [**Lotus::Controller**](https://github.com/lotus/controller) - Full featured, fast and testable actions for Rack
 
-All those components are designed to be used independently from each other or to work together in a Lotus application.
-If your aren't familiar with them, please take time to go through their READMEs.
+These components are designed to be used independently or together in a Lotus application.
+If you aren't familiar with them, please take time to go through their READMEs.
 
 ## Status
 
@@ -32,7 +34,8 @@ If your aren't familiar with them, please take time to go through their READMEs.
 * API Doc: http://rdoc.info/gems/lotusrb
 * Bugs/Issues: https://github.com/lotus/lotus/issues
 * Support: http://stackoverflow.com/questions/tagged/lotus-ruby
-* Chat: https://gitter.im/lotus/chat
+* Forum: https://discuss.lotusrb.org
+* Chat: http://chat.lotusrb.org
 
 ## Rubies
 
@@ -62,13 +65,13 @@ Developers can arrange the layout of their projects as they prefer.
 There is a suggested architecture that can be easily changed with a few settings.
 
 Lotus encourages the use of Ruby namespaces. This is based on the experience of working on dozens of projects.
-By using Ruby namespaces, as your code grows it can be split with less effort. In other words, Lotus is providing gentle guidance for **avoid monolithic applications**.
+By using Ruby namespaces, as your code grows it can be split with less effort. In other words, Lotus is providing gentle guidance for **avoiding monolithic applications**.
 
 Lotus has a smart **mechanism of duplication of its frameworks**.
 It allows multiple copies of the framework and multiple applications to run in the **same Ruby process**.
-In other words, Lotus applications are ready to be split into smaller parts but these parts can coexist in the same heap space.
+In other words, Lotus applications are ready to be split into smaller parts, but these parts can coexist in the same heap space.
 
-All this adaptability can be helpful to bend the framework for your advanced needs, but we recognize the need of a guidance in standard architectures.
+All this adaptability can be helpful to bend the framework for your advanced requirements, but we recognize the need for guidance in standard architectures.
 For this reason Lotus is shipped with code generators.
 
 
@@ -76,29 +79,28 @@ For this reason Lotus is shipped with code generators.
 
 **TL;DR: Develop your application like a gem. Implement use cases in `lib/`. Use one or more Lotus applications in `apps/`.**
 
-This is the default architecture.
-When your are about to start a new project use it.
+This is the default architecture. Use it when you are ready to begin a new project.
 
 The core of this architecture lives in `lib/`, where developers should build features **independently from the delivery mechanism**.
 
-Imagine you are building a personal finance application, and you have a feature called _"register expense"_. This functionality involves `Money` and `Expense` Ruby objects and the need of persisting data into a database. You can have those classes living in `lib/pocket/money.rb` and `lib/pocket/expense.rb` and use [Lotus::Model](https://github.com/lotus/model) to persist them.
+Imagine you are building a personal finance application, and you have a feature called _"register expense."_ This functionality involves `Money` and `Expense` Ruby objects and the need for persisting data into a database. You can have those classes living in `lib/pocket/money.rb` and `lib/pocket/expense.rb` and use [Lotus::Model](https://github.com/lotus/model) to persist them.
 
 It's based on a few simple concepts: **use cases** and **applications**.
 Use cases (features) should be implemented in `lib/` with a combination of pure objects and the needed Ruby gems.
-One or more Lotus applications live in `apps/`. They are isolated each other, and depend only on the code in `lib/`.
+One or more Lotus applications live in `apps/`. They are isolated from each other, and depend only on the code in `lib/`.
 
-Each of them should serve for only one purpose: user facing web application, administrative backend, JSON API, metrics dashboard, etc.
+Each application should serve only one purpose: user-facing web application, administrative backend, JSON API, metrics dashboard, etc.
 
 This architecture has important advantages:
 
-  * **Code reusability.** You can consume a feature from the Web UI or from a HTTP API. Each one can be different Lotus application or simple Rack based endpoints.
+  * **Code reusability.** You can consume a feature from the Web UI or from a HTTP API. Each can be a different Lotus application or simple Rack-based endpoints.
   * **Decoupled components.** The core of your application depends only on a few gems and it doesn't need to worry about the Web/HTTP/Console/Background jobs.
-  * **Applications are built like a gem**, this ease the process of package them and share between projects, without the need of carry a lot of dependencies.
-  * **Avoid monoliths**. Each Lotus application under `apps/` is a candidate for later on extraction into a separated [_microservice_](http://martinfowler.com/articles/microservices.html).
+  * **Applications are built like gems.** This eases the process of packaging and sharing them among projects, without the need for many dependencies.
+  * **Avoid monoliths**. Each Lotus application under `apps/` is a candidate for later extraction into a separated [_microservice_](http://martinfowler.com/articles/microservices.html).
 
-The last point is crucial. In the early days of a new project is really convenient to build and deploy all the code together.
-But as the time passes, it can become nearly impossible to extract sets of cohesive functionalities into separated deliverables.
-Lotus helps to plan those things ahead of time, but without the burden that is required by those choices, because it support multiple applications natively.
+The last point is crucial. In the early days of a new project it is convenient to build and deploy all the code together.
+However, as time passes, it can become nearly impossible to extract sets of cohesive functionalities into separated deliverables.
+Lotus helps to plan those things ahead of time, but without the burden that is required by those choices, because it supports multiple applications natively.
 
 Here's the name _**container**_: a Lotus _"shell"_ that can run multiple micro applications in the same process.
 
@@ -122,7 +124,7 @@ _upcoming_
 * Lotus expects controllers, actions and views to have a specific pattern (see [Configuration](#configuration) for customizations)
 * All the commands must be run from the root of the project. If this requirement cannot be satisfied, please hardcode the path with `Configuration#root`.
 * The template name must reflect the name of the corresponding view: `Bookshelf::Views::Dashboard::Index` for `dashboard/index.html.erb`.
-* All the static files are served by the internal Rack middleware stack.
+* All static files are served by the internal Rack middleware stack.
 * The application expects to find static files under `public/` (see `Configuration#assets`)
 * If the public folder doesn't exist, it doesn't serve static files.
 
@@ -235,7 +237,7 @@ module Bookshelf
       #           uri:  String, 'file:///db/bookshelf'
       #                         'memory://localhost/bookshelf'
       #                         'sqlite:memory:'
-      #                         'sqlite://db/bookshelf.db'
+      #                         'sqlite://db/bookshelf.sqlite3'
       #                         'postgres://localhost/bookshelf'
       #                         'mysql://localhost/bookshelf'
       #
@@ -290,6 +292,22 @@ module Bookshelf
       #
       serve_assets true
 
+      ###########################
+      # SECURITY CONFIGURATIONS #
+      ###########################
+
+      # Set a default value for X-Frame-Options HTTP header
+      # Argument: String
+      # Remove this line to disable this feature
+      #
+      security.x_frame_options "DENY"
+
+      # Set a default value for Content-Security-Policy HTTP header
+      # Argument: String
+      # Remove this line to disable this feature
+      #
+      security.content_security_policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
+
       #############################
       # FRAMEWORKS CONFIGURATIONS #
       #############################
@@ -301,7 +319,7 @@ module Bookshelf
       # Argument: Proc
       #
       view.prepare do
-        include MyCustomRoutingHelpers # included by all the views
+        include Lotus::Helpers # they will be included in all the views
       end
 
       # Low level configuration for Lotus::Controller (optional)
@@ -344,14 +362,47 @@ It supports **code reloading** feature by default, useful for development purpos
 % bundle exec lotus server
 ```
 
+### Generators
+
+#### Action generator
+
+It generates an **action**, a **view**, a **template**, a **route** and the relative unit tests.
+
+```shell
+% bundle exec lotus generate action web dashboard#index
+```
+
+The `web` argument is the name of the application under `apps/`.
+The `dashboard#index` argument is the name of the controller and the name of the action.
+
+It generates Minitest/RSpec files according to `test` setting in `.lotusrc`.
+It generates an empty template with the template engine extension (`template`) setting in `.lotusrc`.
+
+It generates the following files:
+
+  * `apps/web/controllers/dashboard/index.rb`
+  * `spec/web/controllers/dashboard/index_spec.rb`
+  * `apps/web/views/dashboard/index.rb`
+  * `spec/web/views/dashboard/index_spec.rb`
+  * `apps/web/templates/dashboard/index.html.erb` (**empty file**)
+  * Amend `apps/web/config/routes.rb` with a new route
+
 ### Console
 
-It starts a REPL, by using the engine defined in your `Gemfile`. It defaults to IRb. **Run it from the root of the application**.
+It starts a REPL, by using the engine defined in your `Gemfile`. It defaults to IRB. **Run it from the root of the application**.
 
 ```shell
 % bundle exec lotus console
 ```
 
+### Database console
+
+It starts a database REPL, by looking at your database configuration under `lib/. **Run it from the root of the application**.
+
+```shell
+% bundle exec lotus db console
+```
+
 It supports **code reloading** via the `reload!` command.
 
 ### Routes

data/lib/lotus/cli.rb

@@ -61,12 +61,13 @@ module Lotus
     end
 
     desc 'new', 'generates a new application'
-    method_option :architecture,   aliases: '-a', desc: 'application architecture',   type: :string,  default: 'container'
-    method_option :application,                   desc: 'application name',           type: :string,  default: 'web'
-    method_option :application_base_url,          desc: 'application base url',       type: :string,  default: '/'
-    method_option :path,                          desc: 'path',                       type: :string
+    method_option :database,       aliases: '-d', desc: 'application database',     type: :string,  default: 'filesystem'
+    method_option :architecture,   aliases: '-a', desc: 'application architecture', type: :string,  default: 'container'
+    method_option :application,                   desc: 'application name',         type: :string,  default: 'web'
+    method_option :application_base_url,          desc: 'application base url',     type: :string,  default: '/'
+    method_option :path,                          desc: 'path',                     type: :string
     method_option :test,                          desc: 'application test framework (rspec/minitest)', type: :string,  default: 'minitest'
-    method_option :lotus_head,                    desc: 'use Lotus HEAD',             type: :boolean, default: false
+    method_option :lotus_head,                    desc: 'use Lotus HEAD',           type: :boolean, default: false
     method_option :help,           aliases: '-h', desc: 'displays the usage method'
 
     def new(name = nil)
@@ -78,6 +79,24 @@ module Lotus
       end
     end
 
+    desc 'generate', 'generates a new action'
+    method_option :path,                desc: 'applications path',        type: :string, default: 'apps'
+    method_option :help, aliases: '-h', desc: 'displays the usage method'
+
+    # @since 0.3.0
+    # @api private
+    def generate(type = nil, app_name = nil, name = nil)
+      if options[:help] || (type.nil? && app_name.nil? && name.nil?)
+        invoke :help, ['generate']
+      else
+        require 'lotus/commands/generate'
+        Lotus::Commands::Generate.new(type, app_name, name, environment, self).start
+      end
+    end
+
+    require 'lotus/commands/db'
+    register Lotus::Commands::DB, 'db', 'db [SUBCOMMAND]', 'manage set of DB operations'
+
     private
 
     def environment

data/lib/lotus/commands/db/console.rb

@@ -0,0 +1,54 @@
+require 'lotus/utils/class'
+
+module Lotus
+  module Commands
+    class DB
+      class Console
+        attr_reader :name, :env_options, :environment
+
+        def initialize(name, environment)
+          @name        = name
+          @environment = environment
+          @env_options = environment.to_options
+          load_config
+        end
+
+        def start
+          exec connection_string
+        end
+
+        private
+
+        def config
+          if name
+            app_constant = Lotus::Utils::Class.load_from_pattern!(Lotus::Utils::String.new(name).classify)
+            Lotus::Utils::Class.load_from_pattern!("#{app_constant}::Application").load!
+            Lotus::Utils::Class.load_from_pattern!("#{app_constant}::Model").configuration
+          else
+            Lotus::Model.configuration
+          end
+        end
+
+        def adapter_config
+          config.adapter_config
+        end
+
+        def mapper
+          config.mapper
+        end
+
+        def adapter_class
+          Lotus::Utils::Class.load_from_pattern!(adapter_config.class_name, Lotus::Model::Adapters)
+        end
+
+        def connection_string
+          adapter_class.new(mapper, adapter_config.uri).connection_string
+        end
+
+        def load_config
+          require @env_options[:env_config]
+        end
+      end
+    end
+  end
+end

data/lib/lotus/commands/db.rb

@@ -0,0 +1,27 @@
+module Lotus
+  module Commands
+    class DB < Thor
+      namespace :db
+
+      desc 'db console', 'start DB console'
+
+      desc 'console', 'start DB console'
+      method_option :environment, desc: 'path to environment configuration (config/environment.rb)'
+
+      def console(name = nil)
+        if options[:help]
+          invoke :help, ['console']
+        else
+          require 'lotus/commands/db/console'
+          Lotus::Commands::DB::Console.new(name, environment).start
+        end
+      end
+
+      private
+
+      def environment
+        Lotus::Environment.new(options)
+      end
+    end
+  end
+end

data/lib/lotus/commands/generate.rb

@@ -0,0 +1,70 @@
+require 'pathname'
+require 'lotus/utils/string'
+require 'lotus/utils/class'
+
+module Lotus
+  module Commands
+    # @since 0.3.0
+    # @api private
+    class Generate
+      # @since 0.3.0
+      # @api private
+      GENERATORS_NAMESPACE = "Lotus::Generators::%s".freeze
+
+      # @since 0.3.0
+      # @api private
+      class Error < ::StandardError
+      end
+
+      # @since 0.3.0
+      # @api private
+      attr_reader :cli, :source, :target, :app, :app_name, :name, :options
+
+      # @since 0.3.0
+      # @api private
+      def initialize(type, app_name, name, env, cli)
+        @cli      = cli
+        @options  = env.to_options.merge(cli.options)
+
+        @app_name = app_name
+        @app      = Utils::String.new(@app_name).classify
+
+        @name     = name
+        @type     = type
+
+        @source   = Pathname.new(::File.dirname(__FILE__) + "/../generators/#{ @type }/").realpath
+        @target   = Pathname.pwd.realpath
+      end
+
+      # @since 0.3.0
+      # @api private
+      def start
+        generator.start
+      rescue Error => e
+        puts e.message
+        exit 1
+      end
+
+      # @since 0.3.0
+      # @api private
+      def app_root
+        @app_root ||= Pathname.new([@options[:path], @app_name].join(::File::SEPARATOR))
+      end
+
+      # @since 0.3.0
+      # @api private
+      def spec_root
+        @spec_root ||= Pathname.new('spec')
+      end
+
+      private
+      # @since 0.3.0
+      # @api private
+      def generator
+        require "lotus/generators/#{ @type }"
+        class_name = Utils::String.new(@type).classify
+        Utils::Class.load!(GENERATORS_NAMESPACE % class_name).new(self)
+      end
+    end
+  end
+end

data/lib/lotus/config/cookies.rb

@@ -0,0 +1,47 @@
+module Lotus
+  module Config
+    # Cookies configuration
+    #
+    # @since 0.3.0
+    # @api private
+    class Cookies
+
+      # Return the routes for this application
+      #
+      # @return [Hash] options for cookies
+      #
+      # @since 0.3.0
+      # @api private
+      attr_reader :default_options
+
+      # Cookies configuration
+      #
+      # httponly option enabled by default.
+      # Prevent attackers to steal cookies via JavaScript,
+      # Eg. alert(document.cookie) will fail
+      #
+      # @param enabled [TrueClass, FalseClass] enable cookies
+      # @param options [Hash] optional cookies options
+      #
+      # @since 0.3.0
+      # @api private
+      #
+      # @see https://github.com/rack/rack/blob/master/lib/rack/utils.rb #set_cookie_header!
+      # @see https://www.owasp.org/index.php/HttpOnly
+      def initialize(enabled = false, options = {})
+        @enabled         = enabled
+        @default_options = { httponly: true }.merge(options)
+      end
+
+      # Return if cookies are enabled
+      #
+      # @return [TrueClass, FalseClass] enabled cookies
+      #
+      # @since 0.3.0
+      # @api private
+      def enabled?
+        !!@enabled
+      end
+    end
+  end
+end

data/lib/lotus/config/security.rb

@@ -0,0 +1,58 @@
+module Lotus
+  module Config
+    # Security policies are stored here.
+    #
+    # @since 0.3.0
+    class Security
+      # @since 0.3.0
+      # @api private
+      #
+      # @see Lotus::Loader#_configure_controller_framework!
+      X_FRAME_OPTIONS_HEADER = 'X-Frame-Options'.freeze
+
+      # @since 0.3.0
+      # @api private
+      #
+      # @see Lotus::Loader#_configure_controller_framework!
+      CONTENT_SECURITY_POLICY_HEADER = 'Content-Security-Policy'.freeze
+
+      # X-Frame-Options headers' value
+      #
+      # @overload x_frame_options(value)
+      #   Sets the given value
+      #   @param value [String] for X-Frame-Options header.
+      #
+      # @overload x_frame_options
+      #   Gets the value
+      #   @return [String] X-Frame-Options header's value
+      #
+      # @since 0.3.0
+      def x_frame_options(value = nil)
+        if value.nil?
+          @x_frame_options
+        else
+          @x_frame_options = value
+        end
+      end
+
+      # Content-Policy-Security headers' value
+      #
+      # @overload content_security_policy(value)
+      #   Sets the given value
+      #   @param value [String] for Content-Security-Policy header.
+      #
+      # @overload content_security_policy
+      #   Gets the value
+      #   @return [String] Content-Security-Policy header's value
+      #
+      # @since 0.3.0
+      def content_security_policy(value = nil)
+        if value.nil?
+          @content_security_policy
+        else
+          @content_security_policy = value
+        end
+      end
+    end
+  end
+end