thruster 0.1.16-x86_64-linux → 0.1.17-x86_64-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +14 -1
  3. data/exe/x86_64-linux/thrust +0 -0
  4. data/lib/thruster/version.rb +1 -1
  5. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 40f3e3ace80b20c1ffd8da7feee879b9f29e88ff8c15591910aca929dd8fff83
4
- data.tar.gz: 2b3b74d4906ca22d985366eeb0150791986fbcfbb746083c9a636ddb9cad32db
3
+ metadata.gz: cf929deb0e30661b67deb563d3ee428f99c01937714786af65ee04bd80ed8915
4
+ data.tar.gz: 6b87b3631374eef4f88ae8013b227b3935897e4844d6ba89c7e756a2e4c4fe6b
5
5
  SHA512:
6
- metadata.gz: 7c6ee656bbdd80fe5ab9c030292fb2352c0f83796d3e5e06a2601f1a6fd3020073e7b6bf83817e4c87827bd3e4d5e80482c68d52abb42562553e89e3cf9802db
7
- data.tar.gz: 732d8533603a23f2547b21db47d959d926cdcb92d55b9024ecd1fc779521b5b47122285f4c6ea0a2236eba3a94f2aa4fde75519d0ecddc05fb39fe9532c08364
6
+ metadata.gz: 63b053e3c464ac5aa0e030cd585c18c2b764b78f2cea0556e98a2cedb0313007c09114ee665587816e9b23a86de066f9de3b94730afbccb1dba6873d0ff50b13
7
+ data.tar.gz: 5d43f85e2c91717b54b74d8beb369a9b40ee344e6368b1cd2a4fce146717ca7e73c7d52fb89544e9670263dec3cebee3ebc20a306ceb8af2b0a3b17a1bbd706d
data/README.md CHANGED
@@ -78,7 +78,9 @@ environment variables that you can set.
78
78
  | `TARGET_PORT` | The port that your Puma server should run on. Thruster will set `PORT` to this value when starting your server. | 3000 |
79
79
  | `CACHE_SIZE` | The size of the HTTP cache in bytes. | 64MB |
80
80
  | `MAX_CACHE_ITEM_SIZE` | The maximum size of a single item in the HTTP cache in bytes. | 1MB |
81
- | `GZIP_COMPRESSION_ENABLED` | Whether to enable gzip compression for static assets. Set to `0` or `false` to disable. | Enabled |
81
+ | `GZIP_COMPRESSION_ENABLED` | Whether to enable gzip compression for responses. Set to `0` or `false` to disable. | Enabled |
82
+ | `GZIP_COMPRESSION_DISABLE_ON_AUTH` | If set to `true`, disable gzip compression for authenticated requests with `Cookie`, `Authorization`, or `X-Csrf-Token` headers. | `false` |
83
+ | `GZIP_COMPRESSION_JITTER` | The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable. | 32 |
82
84
  | `X_SENDFILE_ENABLED` | Whether to enable X-Sendfile support. Set to `0` or `false` to disable. | Enabled |
83
85
  | `MAX_REQUEST_BODY` | The maximum size of a request body in bytes. Requests larger than this size will be refused; `0` means no maximum size is enforced. | `0` |
84
86
  | `STORAGE_PATH` | The path to store Thruster's internal state. Provisioned TLS certificates will be stored here, so that they will not need to be requested every time your application is started. | `./storage/thruster` |
@@ -100,3 +102,14 @@ To prevent naming clashes with your application's own environment variables,
100
102
  Thruster's environment variables can optionally be prefixed with `THRUSTER_`.
101
103
  For example, `TLS_DOMAIN` can also be written as `THRUSTER_TLS_DOMAIN`. Whenever
102
104
  a prefixed variable is set, it will take precedence over the unprefixed version.
105
+
106
+ ## Security
107
+
108
+ ### BREACH Mitigation
109
+
110
+ Thruster includes built-in mitigation for the [BREACH attack](https://breachattack.com/), which allows attackers to extract secrets from compressed encrypted traffic.
111
+
112
+ 1. **Random Jitter (Enabled by Default)**: Thruster adds a random amount of "jitter" (padding) to the size of compressed responses. This makes it significantly harder for attackers to infer the content based on the compressed size. The default jitter is 32 bytes, controlled by `GZIP_COMPRESSION_JITTER`.
113
+ 2. **Compression Guard (Optional)**: For higher security, you can disable compression entirely for authenticated requests (requests containing `Cookie`, `Authorization`, or `X-Csrf-Token` headers) by setting `GZIP_COMPRESSION_DISABLE_ON_AUTH=true`. This eliminates the side-channel entirely for sensitive traffic but may increase bandwidth usage.
114
+
115
+ By default, Thruster prioritizes performance while providing baseline protection via jitter. Operators with strict security requirements should consider enabling the Compression Guard.
data/exe/x86_64-linux/thrust CHANGED
Binary file
data/lib/thruster/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Thruster
2
- VERSION = "0.1.16"
2
+ VERSION = "0.1.17"
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: thruster
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.16
4
+ version: 0.1.17
5
5
  platform: x86_64-linux
6
6
  authors:
7
7
  - Kevin McConnell