otto 2.0.0.pre1 → 2.0.0.pre3

data/lib/otto/mcp.rb

@@ -0,0 +1,3 @@
+# lib/otto/mcp.rb
+
+require_relative 'mcp/server'

data/lib/otto/privacy/config.rb

@@ -0,0 +1,199 @@
+# lib/otto/privacy/config.rb
+
+require 'ipaddr'
+require 'securerandom'
+require 'digest'
+
+require 'concurrent'
+
+require_relative '../core/freezable'
+
+class Otto
+  module Privacy
+    # Configuration for IP privacy features
+    #
+    # Privacy is ENABLED by default for public IPs. Private/localhost IPs are not masked.
+    #
+    # @example Default configuration (privacy enabled)
+    #   config = Otto::Privacy::Config.new
+    #   config.enabled? # => true
+    #
+    # @example Configure masking level
+    #   config = Otto::Privacy::Config.new
+    #   config.octet_precision = 2  # Mask 2 octets instead of 1
+    #
+    class Config
+      include Otto::Core::Freezable
+
+      attr_accessor :octet_precision, :hash_rotation_period, :geo_enabled, :mask_private_ips
+      attr_reader :disabled
+
+      # Class-level rotation key storage (mutable, not frozen with instances)
+      # This is stored at the class level so it persists across frozen config instances
+      @rotation_keys_store = nil
+
+      class << self
+        # Get the class-level rotation keys store
+        # @return [Concurrent::Map] Thread-safe map for rotation keys
+        def rotation_keys_store
+          @rotation_keys_store = Concurrent::Map.new unless defined?(@rotation_keys_store) && @rotation_keys_store
+          @rotation_keys_store
+        end
+      end
+
+      # Initialize privacy configuration
+      #
+      # @param options [Hash] Configuration options
+      # @option options [Integer] :octet_precision Number of trailing octets to mask (1 or 2, default: 1)
+      # @option options [Integer] :hash_rotation_period Seconds between key rotation (default: 86400)
+      # @option options [Boolean] :geo_enabled Enable geo-location resolution (default: true)
+      # @option options [Boolean] :disabled Disable privacy entirely (default: false)
+      # @option options [Boolean] :mask_private_ips Mask private/localhost IPs (default: false)
+      # @option options [Redis] :redis Optional Redis connection for multi-server environments
+      def initialize(options = {})
+        @octet_precision = options.fetch(:octet_precision, 1)
+        @hash_rotation_period = options.fetch(:hash_rotation_period, 86_400) # 24 hours
+        @geo_enabled = options.fetch(:geo_enabled, true)
+        @disabled = options.fetch(:disabled, false) # Enabled by default (privacy-by-default)
+        @mask_private_ips = options.fetch(:mask_private_ips, false) # Don't mask private/localhost by default
+        @redis = options[:redis] # Optional Redis connection for multi-server environments
+      end
+
+      # Check if privacy is enabled
+      #
+      # @return [Boolean] true if privacy is enabled (default)
+      def enabled?
+        !@disabled
+      end
+
+      # Check if privacy is disabled
+      #
+      # @return [Boolean] true if privacy was explicitly disabled
+      def disabled?
+        @disabled
+      end
+
+      # Disable privacy (allows access to original IPs)
+      #
+      # IMPORTANT: This should only be used when you have a specific
+      # requirement to access original IP addresses. By default, Otto
+      # provides privacy-safe masked IPs.
+      #
+      # @return [self]
+      def disable!
+        @disabled = true
+        self
+      end
+
+      # Enable privacy (default state)
+      #
+      # @return [self]
+      def enable!
+        @disabled = false
+        self
+      end
+
+      # Get the current rotation key for IP hashing
+      #
+      # Keys rotate at fixed intervals based on hash_rotation_period (default: 24 hours).
+      # Each rotation period gets a unique key, ensuring IP addresses hash differently
+      # across periods while remaining consistent within.
+      #
+      # Multi-server support:
+      # - With Redis: Uses SET NX GET EX for atomic key generation across all servers
+      # - Without Redis: Falls back to in-memory Concurrent::Hash (single-server only)
+      #
+      # Redis keys:
+      #   - rotation_key:{timestamp} - Stores the rotation key with TTL
+      #
+      # @return [String] Current rotation key for hashing
+      def rotation_key
+        if @redis
+          rotation_key_redis
+        else
+          rotation_key_memory
+        end
+      end
+
+      # Validate configuration settings
+      #
+      # @raise [ArgumentError] if configuration is invalid
+      def validate!
+        raise ArgumentError, "octet_precision must be 1 or 2, got: #{@octet_precision}" unless [1,
+                                                                                                2].include?(@octet_precision)
+
+        return unless @hash_rotation_period < 60
+
+        raise ArgumentError, 'hash_rotation_period must be at least 60 seconds'
+      end
+
+      private
+
+      # Redis-based rotation key (atomic across multiple servers)
+      #
+      # Uses SET NX GET EX to atomically:
+      # 1. Check if key exists
+      # 2. Set new key only if missing
+      # 3. Return existing or newly set key
+      # 4. Auto-expire with TTL
+      #
+      # @return [String] Current rotation key
+      # @api private
+      def rotation_key_redis
+        now_seconds = Time.now.utc.to_i
+
+        # Quantize to rotation period boundary
+        rotation_timestamp = (now_seconds / @hash_rotation_period) * @hash_rotation_period
+
+        redis_key = "rotation_key:#{rotation_timestamp}"
+        ttl = (@hash_rotation_period * 1.2).to_i # Auto-cleanup with 20% buffer
+
+        key = SecureRandom.hex(32)
+
+        # SET NX GET returns old value if key exists, nil if we set it
+        # @see https://valkey.io/commands/set/
+        existing_key = @redis.set(redis_key, key, nx: true, get: true, ex: ttl)
+
+        existing_key || key
+      end
+
+      # In-memory rotation key (single-server fallback)
+      #
+      # Uses class-level Concurrent::Hash for thread-safety within a single process.
+      # NOT atomic across multiple servers.
+      #
+      # The rotation keys are stored at the class level so they remain mutable
+      # even when config instances are frozen.
+      #
+      # @return [String] Current rotation key
+      # @api private
+      def rotation_key_memory
+        rotation_keys = self.class.rotation_keys_store
+
+        now_seconds = Time.now.utc.to_i
+
+        # Quantize to rotation period boundary (e.g., midnight UTC for 24-hour period)
+        seconds_since_epoch = now_seconds % @hash_rotation_period
+        rotation_timestamp = now_seconds - seconds_since_epoch
+
+        # Atomically get or create key for this rotation period
+        # Use compute_if_absent for thread-safe atomic operation
+        key = rotation_keys.compute_if_absent(rotation_timestamp) do
+          # Generate new key atomically
+          # IMPORTANT: Don't modify the map inside this block to avoid deadlock
+          SecureRandom.hex(32)
+        end
+
+        # Clean up old keys after atomic operation completes
+        # This runs outside compute_if_absent to avoid deadlock
+        if rotation_keys.size > 1
+          rotation_keys.each_key do |ts|
+            rotation_keys.delete(ts) if ts != rotation_timestamp
+          end
+        end
+
+        key
+      end
+    end
+  end
+end

data/lib/otto/privacy/geo_resolver.rb

@@ -0,0 +1,115 @@
+# lib/otto/privacy/geo_resolver.rb
+
+require 'ipaddr'
+
+class Otto
+  module Privacy
+    # Lightweight geo-location resolution for IP addresses
+    #
+    # Provides country-level geo-location without requiring external
+    # databases or API calls. Uses CloudFlare headers when available,
+    # with fallback to basic IP range detection.
+    #
+    # @example Resolve country from CloudFlare header
+    #   env = { 'HTTP_CF_IPCOUNTRY' => 'US' }
+    #   GeoResolver.resolve('1.2.3.4', env)
+    #   # => 'US'
+    #
+    # @example Resolve without CloudFlare
+    #   GeoResolver.resolve('9.9.9.9', {})
+    #   # => 'CH' (Quad9 in Switzerland)
+    #
+    class GeoResolver
+      # Unknown country code (ISO 3166-1 alpha-2)
+      UNKNOWN = 'XX'
+
+      # Resolve country code for an IP address
+      #
+      # Resolution priority:
+      # 1. CloudFlare CF-IPCountry header (most reliable)
+      # 2. Basic IP range detection for major countries/providers
+      # 3. Return 'XX' for unknown
+      #
+      # @param ip [String] IP address to resolve
+      # @param env [Hash] Rack environment (may contain CF headers)
+      # @return [String] ISO 3166-1 alpha-2 country code or 'XX'
+      def self.resolve(ip, env = {})
+        return UNKNOWN if ip.nil? || ip.empty?
+
+        # Priority 1: CloudFlare header (free, accurate, no database)
+        cf_country = env['HTTP_CF_IPCOUNTRY']
+        return cf_country if cf_country && valid_country_code?(cf_country)
+
+        # Priority 2: Basic range detection
+        detect_by_range(ip)
+      rescue IPAddr::InvalidAddressError
+        UNKNOWN
+      end
+
+      # Detect country by IP range (basic implementation)
+      #
+      # Detects major cloud providers and well-known IP ranges.
+      # This is intentionally limited - for comprehensive geo-location,
+      # use CloudFlare or a dedicated GeoIP database.
+      #
+      # @param ip [String] IP address
+      # @return [String] Country code or 'XX'
+      # @api private
+      def self.detect_by_range(ip)
+        addr = IPAddr.new(ip)
+
+        # Private/local addresses
+        return UNKNOWN if IPPrivacy.private_or_localhost?(ip)
+
+        # Check against known ranges
+        KNOWN_RANGES.each do |range, country|
+          return country if range.include?(addr)
+        end
+
+        UNKNOWN
+      end
+      private_class_method :detect_by_range
+
+      # Validate country code format
+      #
+      # @param code [String] Country code to validate
+      # @return [Boolean] true if valid ISO 3166-1 alpha-2 code
+      # @api private
+      def self.valid_country_code?(code)
+        code.is_a?(String) && code.length == 2 && code.match?(/^[A-Z]{2}$/)
+      end
+      private_class_method :valid_country_code?
+
+      # Known IP ranges for major providers (limited set for basic detection)
+      # For comprehensive geo-location, use CloudFlare or GeoIP database
+      KNOWN_RANGES = {
+        # Google Public DNS
+        IPAddr.new('8.8.8.0/24') => 'US',
+        IPAddr.new('8.8.4.0/24') => 'US',
+
+        # Cloudflare DNS
+        IPAddr.new('1.1.1.0/24') => 'US',
+        IPAddr.new('1.0.0.0/24') => 'US',
+
+        # AWS US-East
+        IPAddr.new('52.0.0.0/11') => 'US',
+        IPAddr.new('54.0.0.0/8') => 'US',
+
+        # AWS EU-West
+        IPAddr.new('34.240.0.0/13') => 'IE',
+        IPAddr.new('52.16.0.0/14') => 'IE',
+
+        # AWS AP-Southeast
+        IPAddr.new('13.210.0.0/15') => 'AU',
+        IPAddr.new('52.62.0.0/15') => 'AU',
+
+        # Quad9 DNS (Switzerland)
+        IPAddr.new('9.9.9.0/24') => 'CH',
+
+        # OpenDNS
+        IPAddr.new('208.67.222.0/24') => 'US',
+        IPAddr.new('208.67.220.0/24') => 'US',
+      }.freeze
+    end
+  end
+end

data/lib/otto/privacy/ip_privacy.rb

@@ -0,0 +1,175 @@
+# lib/otto/privacy/ip_privacy.rb
+
+require 'ipaddr'
+require 'digest'
+require 'openssl'
+require 'socket'
+
+class Otto
+  module Privacy
+    # IP address anonymization utilities
+    #
+    # Provides methods for masking and hashing IP addresses to enhance
+    # privacy while maintaining the ability to track sessions and analyze
+    # traffic patterns.
+    #
+    # @example Mask an IPv4 address (1 octet)
+    #   IPPrivacy.mask_ip('192.168.1.100', 1)
+    #   # => '192.168.1.0'
+    #
+    # @example Mask an IPv4 address (2 octets)
+    #   IPPrivacy.mask_ip('192.168.1.100', 2)
+    #   # => '192.168.0.0'
+    #
+    # @example Hash an IP for session correlation
+    #   key = 'daily-rotation-key'
+    #   IPPrivacy.hash_ip('192.168.1.100', key)
+    #   # => 'a3f8b2...' (consistent for same IP+key, changes when key rotates)
+    #
+    # @note All methods return UTF-8 encoded strings for Rack compatibility.
+    #   See file:docs/ipaddr-encoding-quirk.md for details on IPAddr#to_s behavior.
+    #
+    class IPPrivacy
+      # Mask an IP address by zeroing out the specified number of octets/bits
+      #
+      # For IPv4:
+      # - octet_precision=1: Masks last octet (e.g., 192.168.1.100 → 192.168.1.0)
+      # - octet_precision=2: Masks last 2 octets (e.g., 192.168.1.100 → 192.168.0.0)
+      #
+      # For IPv6:
+      # - octet_precision=1: Masks last 80 bits
+      # - octet_precision=2: Masks last 96 bits
+      #
+      # @param ip [String] IP address to mask
+      # @param octet_precision [Integer] Number of trailing octets to mask (1 or 2, default: 1)
+      # @return [String] Masked IP address (UTF-8 encoded)
+      # @raise [ArgumentError] if IP is invalid or octet_precision is not 1 or 2
+      def self.mask_ip(ip, octet_precision = 1)
+        return nil if ip.nil? || ip.empty?
+
+        raise ArgumentError, "octet_precision must be 1 or 2, got: #{octet_precision}" unless [1,
+                                                                                               2].include?(octet_precision)
+
+        begin
+          addr = IPAddr.new(ip)
+
+          if addr.ipv4?
+            mask_ipv4(addr, octet_precision)
+          else
+            mask_ipv6(addr, octet_precision)
+          end
+        rescue IPAddr::InvalidAddressError => e
+          raise ArgumentError, "Invalid IP address: #{ip} - #{e.message}"
+        end
+      end
+
+      # Hash an IP address for session correlation without storing the original
+      #
+      # Uses HMAC-SHA256 with a daily-rotating key to create a consistent
+      # identifier for the same IP within a key rotation period, but different
+      # across rotations.
+      #
+      # @param ip [String] IP address to hash
+      # @param key [String] Secret key for HMAC (should rotate daily)
+      # @return [String] Hexadecimal hash string (64 characters)
+      # @raise [ArgumentError] if IP or key is invalid
+      def self.hash_ip(ip, key)
+        return nil if ip.nil? || ip.empty?
+
+        raise ArgumentError, 'Key cannot be nil or empty' if key.nil? || key.empty?
+
+        # Normalize IP address format before hashing
+        normalized_ip = begin
+          IPAddr.new(ip).to_s
+        rescue IPAddr::InvalidAddressError => e
+          raise ArgumentError, "Invalid IP address: #{ip} - #{e.message}"
+        end
+
+        # Use HMAC-SHA256 for secure hashing with key
+        OpenSSL::HMAC.hexdigest('SHA256', key, normalized_ip)
+      end
+
+      # Check if an IP address is valid
+      #
+      # @param ip [String] IP address to validate
+      # @return [Boolean] true if valid IPv4 or IPv6 address
+      def self.valid_ip?(ip)
+        return false if ip.nil? || ip.empty?
+
+        IPAddr.new(ip)
+        true
+      rescue IPAddr::InvalidAddressError
+        false
+      end
+
+      # Check if an IP address is localhost or private (RFC 1918)
+      #
+      # Private/localhost IPs are not masked for development convenience.
+      #
+      # @param ip [String] IP address to check
+      # @return [Boolean] true if IP is localhost or private
+      def self.private_or_localhost?(ip)
+        return false if ip.nil? || ip.empty?
+
+        addr = IPAddr.new(ip)
+        addr.private? || addr.loopback?
+      rescue IPAddr::InvalidAddressError
+        false
+      end
+
+      # Mask IPv4 address
+      #
+      # @param addr [IPAddr] IPAddr object (must be IPv4)
+      # @param octet_precision [Integer] Number of trailing octets to mask (1 or 2)
+      # @return [String] Masked IPv4 address (UTF-8 encoded)
+      # @api private
+      # @see file:docs/ipaddr-encoding-quirk.md IPAddr encoding behavior
+      def self.mask_ipv4(addr, octet_precision)
+        # Convert to integer for bitwise operations
+        ip_int = addr.to_i
+
+        # Create mask: 0xFFFFFFFF with trailing zeros
+        # octet_precision=1: 0xFFFFFF00 (mask last 8 bits)
+        # octet_precision=2: 0xFFFF0000 (mask last 16 bits)
+        bits_to_mask = octet_precision * 8
+        mask = (0xFFFFFFFF >> bits_to_mask) << bits_to_mask
+
+        # Apply mask and convert back to IP
+        masked_int = ip_int & mask
+
+        # Force UTF-8 encoding: IPAddr#to_s returns US-ASCII for IPv4 but UTF-8
+        # for IPv6. We normalize to UTF-8 for Rack compatibility and to prevent
+        # Encoding::CompatibilityError. Safe because IP strings contain only
+        # ASCII characters.
+        # See also: https://github.com/ruby/ruby/blob/master/lib/ipaddr.rb
+        IPAddr.new(masked_int, Socket::AF_INET).to_s.force_encoding('UTF-8')
+      end
+      private_class_method :mask_ipv4
+
+      # Mask IPv6 address
+      #
+      # @param addr [IPAddr] IPAddr object (must be IPv6)
+      # @param octet_precision [Integer] Number of trailing octets to mask (1 or 2)
+      # @return [String] Masked IPv6 address (UTF-8 encoded)
+      # @api private
+      def self.mask_ipv6(addr, octet_precision)
+        ip_int = addr.to_i
+
+        # octet_precision=1: Mask last 80 bits (leave first 48 bits for network)
+        # octet_precision=2: Mask last 96 bits (leave first 32 bits)
+        bits_to_mask = octet_precision == 1 ? 80 : 96
+
+        # Create mask by setting all 128 bits, then clearing the trailing bits we want to mask
+        # Example: For bits_to_mask=80, this creates a mask with first 48 bits set to 1, last 80 bits set to 0
+        # (1 << 128) - 1 creates 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (all 128 bits set)
+        mask = ((1 << 128) - 1) >> bits_to_mask << bits_to_mask
+
+        masked_int = ip_int & mask
+
+        IPAddr.new(masked_int, Socket::AF_INET6).to_s.force_encoding('UTF-8')
+      end
+
+      private_class_method :mask_ipv6
+    end
+  end
+end

data/lib/otto/privacy/redacted_fingerprint.rb

@@ -0,0 +1,136 @@
+# lib/otto/privacy/redacted_fingerprint.rb
+
+require 'securerandom'
+require 'time'
+require 'uri'
+
+class Otto
+  module Privacy
+    # Immutable privacy-safe request fingerprint (aka CrappyFingerprint)
+    #
+    # Contains anonymized information about a request that can be used for
+    # logging, analytics, and session tracking without storing personally
+    # identifiable information.
+    #
+    # @example Create from Rack environment
+    #   config = Otto::Privacy::Config.new
+    #   fingerprint = RedactedFingerprint.new(env, config)
+    #   fingerprint.masked_ip   # => '192.168.1.0'
+    #   fingerprint.country     # => 'US'
+    #
+    class RedactedFingerprint
+      attr_reader :session_id, :timestamp, :masked_ip, :hashed_ip,
+                  :country, :anonymized_ua, :request_path,
+                  :request_method, :referer
+
+      # Create a new RedactedFingerprint from a Rack environment
+      #
+      # @param env [Hash] Rack environment hash
+      # @param config [Otto::Privacy::Config] Privacy configuration
+      def initialize(env, config)
+        remote_ip = env['REMOTE_ADDR']
+
+        @session_id = SecureRandom.uuid
+        @timestamp = Time.now.utc
+        @masked_ip = IPPrivacy.mask_ip(remote_ip, config.octet_precision)
+        @hashed_ip = IPPrivacy.hash_ip(remote_ip, config.rotation_key)
+        @country = config.geo_enabled ? GeoResolver.resolve(remote_ip, env) : nil
+        @anonymized_ua = anonymize_user_agent(env['HTTP_USER_AGENT'])
+        @request_path = env['PATH_INFO']
+        @request_method = env['REQUEST_METHOD']
+        @referer = anonymize_referer(env['HTTP_REFERER'])
+
+        freeze
+      end
+
+      # Convert to hash for logging or serialization
+      #
+      # @return [Hash] Hash representation of fingerprint
+      def to_h
+        {
+              session_id: @session_id,
+               timestamp: @timestamp.iso8601,
+               masked_ip: @masked_ip,
+               hashed_ip: @hashed_ip,
+                 country: @country,
+           anonymized_ua: @anonymized_ua,
+          request_method: @request_method,
+            request_path: @request_path,
+                 referer: @referer,
+        }
+      end
+
+      # Convert to JSON string
+      #
+      # @return [String] JSON representation
+      def to_json(*_args)
+        require 'json'
+        to_h.to_json
+      end
+
+      # String representation
+      #
+      # @return [String] Human-readable representation
+      def to_s
+        "#<RedactedFingerprint #{@hashed_ip[0..15]}... #{@country} #{@timestamp}>"
+      end
+
+      # Inspect representation
+      #
+      # @return [String] Detailed representation for debugging
+      def inspect
+        '#<Otto::Privacy::RedactedFingerprint ' \
+          "masked_ip=#{@masked_ip.inspect} " \
+          "hashed_ip=#{@hashed_ip[0..15]}... " \
+          "country=#{@country.inspect} " \
+          "timestamp=#{@timestamp.inspect}>"
+      end
+
+      private
+
+      # Anonymize user agent string by removing version numbers
+      #
+      # Removes specific version numbers (X.X.X pattern) to reduce
+      # fingerprinting granularity while maintaining browser/OS info.
+      #
+      # @param ua [String, nil] User agent string
+      # @return [String, nil] Anonymized user agent or nil
+      def anonymize_user_agent(ua)
+        return nil if ua.nil? || ua.empty?
+
+        # Remove version patterns (X.X.X.X, X.X.X, X.X)
+        anonymized = ua
+                     .gsub(/\d+\.\d+\.\d+\.\d+/, 'X.X.X.X')
+                     .gsub(/\d+\.\d+\.\d+/, 'X.X.X')
+                     .gsub(/\d+\.\d+/, 'X.X')
+
+        # Truncate if too long (prevent DoS via huge UA strings)
+        anonymized.length > 500 ? anonymized[0..499] : anonymized
+      end
+
+      # Anonymize referer URL
+      #
+      # Strips query parameters and keeps only the path to reduce
+      # tracking potential while maintaining useful navigation data.
+      #
+      # @param referer [String, nil] Referer header value
+      # @return [String, nil] Anonymized referer or nil
+      def anonymize_referer(referer)
+        return nil if referer.nil? || referer.empty?
+
+        begin
+          uri = URI.parse(referer)
+          # Keep scheme, host, and path only (remove query and fragment)
+          if uri.scheme && uri.host
+            "#{uri.scheme}://#{uri.host}#{uri.path}"
+          else
+            uri.path
+          end
+        rescue URI::InvalidURIError
+          # If referer is malformed, return nil
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/otto/privacy.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require_relative 'privacy/config'
+require_relative 'privacy/ip_privacy'
+require_relative 'privacy/geo_resolver'
+require_relative 'privacy/redacted_fingerprint'
+
+# Otto::Privacy module provides IP address anonymization and privacy features
+#
+# By default, Otto anonymizes IP addresses to enhance user privacy and
+# comply with data protection regulations like GDPR. Original IP addresses
+# are never stored unless privacy is explicitly disabled.
+#
+# Features:
+# - Configurable IP masking (1 or 2 octets for IPv4, 80 or 96 bits for IPv6)
+# - Daily-rotating IP hashing for session correlation without tracking
+# - Geo-location resolution (country-level only, via CloudFlare headers)
+# - User agent anonymization (removes version numbers)
+#
+# Privacy is ENABLED BY DEFAULT. To disable:
+#   otto.disable_ip_privacy!
+#
+# To configure privacy settings:
+#   otto.configure_ip_privacy(octet_precision: 2, geo: true)
+#
+class Otto
+  module Privacy
+  end
+end

data/lib/otto/response_handlers/json.rb

@@ -7,6 +7,12 @@ class Otto
     # Handler for JSON responses
     class JSONHandler < BaseHandler
       def self.handle(result, response, context = {})
+        # If a redirect has already been set, don't override with JSON
+        # This allows controllers to conditionally redirect based on Accept header
+        if response.status&.between?(300, 399) && response['Location']
+          return
+        end
+
         response['Content-Type'] = 'application/json'
 
         # Determine the data to serialize