rack-secure_headers 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +1 -0
- data/Gemfile +3 -0
- data/LICENSE +21 -0
- data/README.md +109 -0
- data/lib/rack/secure_headers/version.rb +5 -0
- data/lib/rack/secure_headers.rb +55 -0
- data/makefile +2 -0
- data/rack-secure_headers.gemspec +18 -0
- data/test/helper.rb +3 -0
- data/test/secure_headers.rb +51 -0
- metadata +96 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: e7136f261dc9b340a0d89d3c10f8737718aecb64
|
4
|
+
data.tar.gz: 0efdaba9b544e47ee5d8b774caa9e00cadf8e5c1
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 99e3f0cb9736fd9ce9cf36eff4a8a0084bacc83212d33328a0e897c1f838b0eed4e0a0882d473f0ccacd4995066cd81cebb7ad390acd38471bdf90496915f23a
|
7
|
+
data.tar.gz: 36075de1d501f7ae29c17c00f16a145975ea9a7b63b437e1f063bd2baebee20744233d5b62bb7a034d13f23f979be0a1e074a98ee9eeb2ea5f97a729e4ac2d16
|
data/.gitignore
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
Gemfile.lock
|
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
|
3
|
+
Copyright (c) 2015 Francesco Rodríguez
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,109 @@
|
|
1
|
+
rack-secure_headers
|
2
|
+
-------------------
|
3
|
+
|
4
|
+
Security related HTTP headers for Rack applications.
|
5
|
+
|
6
|
+
Description
|
7
|
+
-----------
|
8
|
+
|
9
|
+
Implements OWASP's [List of useful HTTP headers][owasp].
|
10
|
+
|
11
|
+
Usage
|
12
|
+
-----
|
13
|
+
|
14
|
+
```ruby
|
15
|
+
# config.ru
|
16
|
+
require "rack/secure_headers"
|
17
|
+
|
18
|
+
use(Rack::SecureHeaders, options)
|
19
|
+
```
|
20
|
+
|
21
|
+
Options
|
22
|
+
-------
|
23
|
+
|
24
|
+
This is a list of the supported options included by default.
|
25
|
+
To disable any default, pass `nil` (e.g. `option: nil`).
|
26
|
+
|
27
|
+
| Option | Header | Default |
|
28
|
+
| ---------------------------------- | --------------------------------- | --------------------------------------------------- |
|
29
|
+
| :hsts | Strict-Transport-Security | `{ max_age: "31536000", include_subdomains: true }` |
|
30
|
+
| :x_content_type_options | X-Content-Type-Options | `"nosniff"` |
|
31
|
+
| :x_frame_options | X-Frame-Options | `"SAMEORIGIN"` |
|
32
|
+
| :x_permited_cross_domain | X-Permitted-Cross-Domain-Policies | `"none"` |
|
33
|
+
| :x_xss_protection | X-XSS-Protection | `"1; mode=block"` |
|
34
|
+
|
35
|
+
Headers
|
36
|
+
-------
|
37
|
+
|
38
|
+
This is a list of the supported HTTP headers:
|
39
|
+
|
40
|
+
* **Strict-Transport-Security:**
|
41
|
+
|
42
|
+
Ensures the browser never visits the http version of a website.
|
43
|
+
This reduces impact of bugs in web applications leaking session
|
44
|
+
data through cookies and external links and defends against
|
45
|
+
Man-in-the-middle attacks. Supported options:
|
46
|
+
|
47
|
+
* `:max_age`: The time, in seconds, that the browser should remember that
|
48
|
+
the site is only to be accessed using HTTPS. Defaults to 1 year.
|
49
|
+
* `:includeSubdomains`: If this is `true`, this rule is applied to all
|
50
|
+
of the site's subdomains as well. Defaults to `true`.
|
51
|
+
* `:preload`: A limitation of HSTS is that the initial request remains
|
52
|
+
unprotected if it uses HTTP. The same applies to the first request
|
53
|
+
after the activity period specified by `max-age`. Chrome, Firefox and
|
54
|
+
IE11+ implements a "STS preloaded list", which contains known sites
|
55
|
+
supporting HSTS. If you would like your domain to be included in the
|
56
|
+
preloaded list, set this options to `true` and submit your domain to
|
57
|
+
this [form][hsts-form].
|
58
|
+
|
59
|
+
* **X-Content-Type-Options:**
|
60
|
+
|
61
|
+
Prevents IE and Chrome from [content type sniffing][mime-sniffing].
|
62
|
+
|
63
|
+
* **X-Frame-Options (XFO):**
|
64
|
+
|
65
|
+
Provides [Clickjacking][clickjacking] protection. Supported values:
|
66
|
+
|
67
|
+
* `DENY` - Prevents any domain from framing the content.
|
68
|
+
* `SAMEORIGIN` - Only allows current site to frame the content.
|
69
|
+
* `ALLOW-FROM URI` - Allows the specified `URI` to frame the content
|
70
|
+
(only IE8+ and Firefox).
|
71
|
+
|
72
|
+
Check the [X-Frame-Options draft][x-frame-options] for more information.
|
73
|
+
|
74
|
+
* **X-Permitted-Cross-Domain-Policies:**
|
75
|
+
|
76
|
+
Restrict Adobe Flash Player's access to data. Check this [article][pcdp]
|
77
|
+
for more information.
|
78
|
+
|
79
|
+
* **X-XSS-Protection:**
|
80
|
+
|
81
|
+
Enables the [XSS][xss] protection filter built into IE, Chrome and Safari.
|
82
|
+
Supported values are `0`, which disables the protection, `1` which enables
|
83
|
+
it and `1; mode=block` (default) which tells the browser to block the
|
84
|
+
response if it detects an attack. This filter is usually enabled by default,
|
85
|
+
the use of this header is to re-enable it if it was disabled by the user.
|
86
|
+
|
87
|
+
Use <https://securityheaders.io> to asses the security related HTTP
|
88
|
+
headers used by your site.
|
89
|
+
|
90
|
+
TODO
|
91
|
+
----
|
92
|
+
|
93
|
+
- [ ] HTTP Public Key Pinning (HPKP).
|
94
|
+
- [ ] Content Security Policy (CSP).
|
95
|
+
|
96
|
+
Installation
|
97
|
+
------------
|
98
|
+
|
99
|
+
```
|
100
|
+
$ gem install rack-secure_headers
|
101
|
+
```
|
102
|
+
|
103
|
+
[clickjacking]: https://www.owasp.org/index.php/Clickjacking
|
104
|
+
[hsts-form]: https://hstspreload.appspot.com/
|
105
|
+
[mime-sniffing]: https://msdn.microsoft.com/library/gg622941(v=vs.85).aspx
|
106
|
+
[owasp]: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
|
107
|
+
[pcdp]: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
|
108
|
+
[xss]: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
|
109
|
+
[x-frame-options]: https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
|
@@ -0,0 +1,55 @@
|
|
1
|
+
require "rack"
|
2
|
+
|
3
|
+
module Rack
|
4
|
+
class SecureHeaders
|
5
|
+
DEFAULTS = {
|
6
|
+
hsts: { max_age: "31536000", include_subdomains: true },
|
7
|
+
x_content_type_options: "nosniff",
|
8
|
+
x_frame_options: "SAMEORIGIN",
|
9
|
+
x_permitted_cross_domain_policies: "none",
|
10
|
+
x_xss_protection: "1; mode=block"
|
11
|
+
}
|
12
|
+
|
13
|
+
DEFAULT_HEADERS = {
|
14
|
+
x_content_type_options: "X-Content-Type-Options",
|
15
|
+
x_frame_options: "X-Frame-Options",
|
16
|
+
x_permitted_cross_domain_policies: "X-Permitted-Cross-Domain-Policies",
|
17
|
+
x_xss_protection: "X-XSS-Protection"
|
18
|
+
}
|
19
|
+
|
20
|
+
HSTS_HEADER = "Strict-Transport-Security".freeze
|
21
|
+
|
22
|
+
def initialize(app, options = {})
|
23
|
+
@app = app
|
24
|
+
@options = DEFAULTS.merge(options)
|
25
|
+
end
|
26
|
+
|
27
|
+
def call(env)
|
28
|
+
status, headers, body = @app.call(env)
|
29
|
+
|
30
|
+
DEFAULT_HEADERS.each do |key, header|
|
31
|
+
headers[header] = @options[key] if @options[key]
|
32
|
+
end
|
33
|
+
|
34
|
+
if @options[:hsts]
|
35
|
+
headers[HSTS_HEADER] = Utils.hsts(@options[:hsts])
|
36
|
+
end
|
37
|
+
|
38
|
+
return [status, headers, body]
|
39
|
+
end
|
40
|
+
|
41
|
+
module Utils
|
42
|
+
HSTS_MAX_AGE = "max-age=%s".freeze
|
43
|
+
HSTS_INCLUDE_SUBDOMAINS = "; includeSubdomains".freeze
|
44
|
+
HSTS_PRELOAD = "; preload".freeze
|
45
|
+
|
46
|
+
def self.hsts(opts)
|
47
|
+
header = sprintf(HSTS_MAX_AGE, opts.fetch(:max_age))
|
48
|
+
header << HSTS_INCLUDE_SUBDOMAINS if opts[:include_subdomains]
|
49
|
+
header << HSTS_PRELOAD if opts[:preload]
|
50
|
+
|
51
|
+
return header
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
data/makefile
ADDED
@@ -0,0 +1,18 @@
|
|
1
|
+
require_relative "lib/rack/secure_headers/version"
|
2
|
+
|
3
|
+
Gem::Specification.new do |s|
|
4
|
+
s.name = "rack-secure_headers"
|
5
|
+
s.version = Rack::SecureHeaders::VERSION
|
6
|
+
s.summary = "Security related HTTP headers for Rack applications"
|
7
|
+
s.description = s.summary
|
8
|
+
s.authors = ["Francesco Rodríguez"]
|
9
|
+
s.email = ["frodsan@protonmail.ch"]
|
10
|
+
s.homepage = "https://github.com/harmoni/rack-secure_headers"
|
11
|
+
s.license = "MIT"
|
12
|
+
|
13
|
+
s.files = `git ls-files`.split("\n")
|
14
|
+
|
15
|
+
s.add_dependency "rack", "~> 1.6.4"
|
16
|
+
s.add_development_dependency "bundler", "~> 1.10"
|
17
|
+
s.add_development_dependency "cutest", "~> 1.2"
|
18
|
+
end
|
data/test/helper.rb
ADDED
@@ -0,0 +1,51 @@
|
|
1
|
+
require_relative "helper"
|
2
|
+
|
3
|
+
class App
|
4
|
+
def call(env)
|
5
|
+
return [200, {}, [""]]
|
6
|
+
end
|
7
|
+
end
|
8
|
+
|
9
|
+
setup do
|
10
|
+
App.new
|
11
|
+
end
|
12
|
+
|
13
|
+
test "defaults" do |app|
|
14
|
+
middleware = Rack::SecureHeaders.new(app)
|
15
|
+
headers = middleware.call({})[1]
|
16
|
+
|
17
|
+
expected = {
|
18
|
+
"X-Content-Type-Options" => "nosniff",
|
19
|
+
"X-Frame-Options" => "SAMEORIGIN",
|
20
|
+
"X-Permitted-Cross-Domain-Policies" => "none",
|
21
|
+
"X-XSS-Protection" => "1; mode=block",
|
22
|
+
"Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
|
23
|
+
}
|
24
|
+
|
25
|
+
assert_equal expected, headers
|
26
|
+
end
|
27
|
+
|
28
|
+
test "nil" do |app|
|
29
|
+
headers = Rack::SecureHeaders::DEFAULTS.keys
|
30
|
+
options = headers.map { |h| [h, nil] }.to_h
|
31
|
+
|
32
|
+
middleware = Rack::SecureHeaders.new(app, options)
|
33
|
+
headers = middleware.call({})[1]
|
34
|
+
|
35
|
+
assert_equal Hash.new, headers
|
36
|
+
end
|
37
|
+
|
38
|
+
test "hsts options" do |app|
|
39
|
+
middleware = Rack::SecureHeaders.new(app, hsts: { max_age: 1 })
|
40
|
+
headers = middleware.call({})[1]
|
41
|
+
|
42
|
+
assert_equal "max-age=1", headers["Strict-Transport-Security"]
|
43
|
+
|
44
|
+
options = { max_age: 1, include_subdomains: true, preload: true }
|
45
|
+
middleware = Rack::SecureHeaders.new(app, hsts: options)
|
46
|
+
headers = middleware.call({})[1]
|
47
|
+
|
48
|
+
expected = "max-age=1; includeSubdomains; preload"
|
49
|
+
|
50
|
+
assert_equal expected, headers["Strict-Transport-Security"]
|
51
|
+
end
|
metadata
ADDED
@@ -0,0 +1,96 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: rack-secure_headers
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.0.1
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Francesco Rodríguez
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2015-09-21 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: rack
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - "~>"
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: 1.6.4
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - "~>"
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: 1.6.4
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: bundler
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - "~>"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '1.10'
|
34
|
+
type: :development
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - "~>"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '1.10'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: cutest
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '1.2'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '1.2'
|
55
|
+
description: Security related HTTP headers for Rack applications
|
56
|
+
email:
|
57
|
+
- frodsan@protonmail.ch
|
58
|
+
executables: []
|
59
|
+
extensions: []
|
60
|
+
extra_rdoc_files: []
|
61
|
+
files:
|
62
|
+
- ".gitignore"
|
63
|
+
- Gemfile
|
64
|
+
- LICENSE
|
65
|
+
- README.md
|
66
|
+
- lib/rack/secure_headers.rb
|
67
|
+
- lib/rack/secure_headers/version.rb
|
68
|
+
- makefile
|
69
|
+
- rack-secure_headers.gemspec
|
70
|
+
- test/helper.rb
|
71
|
+
- test/secure_headers.rb
|
72
|
+
homepage: https://github.com/harmoni/rack-secure_headers
|
73
|
+
licenses:
|
74
|
+
- MIT
|
75
|
+
metadata: {}
|
76
|
+
post_install_message:
|
77
|
+
rdoc_options: []
|
78
|
+
require_paths:
|
79
|
+
- lib
|
80
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
81
|
+
requirements:
|
82
|
+
- - ">="
|
83
|
+
- !ruby/object:Gem::Version
|
84
|
+
version: '0'
|
85
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - ">="
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: '0'
|
90
|
+
requirements: []
|
91
|
+
rubyforge_project:
|
92
|
+
rubygems_version: 2.4.8
|
93
|
+
signing_key:
|
94
|
+
specification_version: 4
|
95
|
+
summary: Security related HTTP headers for Rack applications
|
96
|
+
test_files: []
|