Initial commit.

.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Francesco Rodríguez
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,109 @@
+rack-secure_headers
+-------------------
+
+Security related HTTP headers for Rack applications.
+
+Description
+-----------
+
+Implements OWASP's [List of useful HTTP headers][owasp].
+
+Usage
+-----
+
+```ruby
+# config.ru
+require "rack/secure_headers"
+
+use(Rack::SecureHeaders, options)
+```
+
+Options
+-------
+
+This is a list of the supported options included by default.
+To disable any default, pass `nil` (e.g. `option: nil`).
+
+| Option                             | Header                            | Default                                             |
+| ---------------------------------- | --------------------------------- | --------------------------------------------------- |
+| :hsts                              | Strict-Transport-Security         | `{ max_age: "31536000", include_subdomains: true }` |
+| :x_content_type_options            | X-Content-Type-Options            | `"nosniff"`                                         |
+| :x_frame_options                   | X-Frame-Options                   | `"SAMEORIGIN"`                                      |
+| :x_permited_cross_domain           | X-Permitted-Cross-Domain-Policies | `"none"`                                            |
+| :x_xss_protection                  | X-XSS-Protection                  | `"1; mode=block"`                                   |
+
+Headers
+-------
+
+This is a list of the supported HTTP headers:
+
+* **Strict-Transport-Security:**
+
+  Ensures the browser never visits the http version of a website.
+  This reduces impact of bugs in web applications leaking session
+  data through cookies and external links and defends against
+  Man-in-the-middle attacks. Supported options:
+
+  * `:max_age`: The time, in seconds, that the browser should remember that
+    the site is only to be accessed using HTTPS. Defaults to 1 year.
+  * `:includeSubdomains`: If this is `true`, this rule is applied to all
+    of the site's subdomains as well. Defaults to `true`.
+  * `:preload`: A limitation of HSTS is that the initial request remains
+    unprotected if it uses HTTP. The same applies to the first request
+    after the activity period specified by `max-age`. Chrome, Firefox and
+    IE11+ implements a "STS preloaded list", which contains known sites
+    supporting HSTS. If you would like your domain to be included in the
+    preloaded list, set this options to `true` and submit your domain to
+    this [form][hsts-form].
+
+* **X-Content-Type-Options:**
+
+  Prevents IE and Chrome from [content type sniffing][mime-sniffing].
+
+* **X-Frame-Options (XFO):**
+
+  Provides [Clickjacking][clickjacking] protection. Supported values:
+
+  * `DENY` - Prevents any domain from framing the content.
+  * `SAMEORIGIN` - Only allows current site to frame the content.
+  * `ALLOW-FROM URI` - Allows the specified `URI` to frame the content
+    (only IE8+ and Firefox).
+
+  Check the [X-Frame-Options draft][x-frame-options] for more information.
+
+* **X-Permitted-Cross-Domain-Policies:**
+
+  Restrict Adobe Flash Player's access to data. Check this [article][pcdp]
+  for more information.
+
+* **X-XSS-Protection:**
+
+  Enables the [XSS][xss] protection filter built into IE, Chrome and Safari.
+  Supported values are `0`, which disables the protection, `1` which enables
+  it and `1; mode=block` (default) which tells the browser to block the
+  response if it detects an attack. This filter is usually enabled by default,
+  the use of this header is to re-enable it if it was disabled by the user.
+
+Use <https://securityheaders.io> to asses the security related HTTP
+headers used by your site.
+
+TODO
+----
+
+- [ ] HTTP Public Key Pinning (HPKP).
+- [ ] Content Security Policy (CSP).
+
+Installation
+------------
+
+```
+$ gem install rack-secure_headers
+```
+
+[clickjacking]: https://www.owasp.org/index.php/Clickjacking
+[hsts-form]: https://hstspreload.appspot.com/
+[mime-sniffing]: https://msdn.microsoft.com/library/gg622941(v=vs.85).aspx
+[owasp]: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+[pcdp]: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
+[xss]: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+[x-frame-options]: https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02

lib/rack/secure_headers.rb

@@ -0,0 +1,55 @@
+require "rack"
+
+module Rack
+  class SecureHeaders
+    DEFAULTS = {
+      hsts: { max_age: "31536000", include_subdomains: true },
+      x_content_type_options: "nosniff",
+      x_frame_options: "SAMEORIGIN",
+      x_permitted_cross_domain_policies: "none",
+      x_xss_protection: "1; mode=block"
+    }
+
+    DEFAULT_HEADERS = {
+      x_content_type_options: "X-Content-Type-Options",
+      x_frame_options: "X-Frame-Options",
+      x_permitted_cross_domain_policies: "X-Permitted-Cross-Domain-Policies",
+      x_xss_protection: "X-XSS-Protection"
+    }
+
+    HSTS_HEADER = "Strict-Transport-Security".freeze
+
+    def initialize(app, options = {})
+      @app = app
+      @options = DEFAULTS.merge(options)
+    end
+
+    def call(env)
+      status, headers, body = @app.call(env)
+
+      DEFAULT_HEADERS.each do |key, header|
+        headers[header] = @options[key] if @options[key]
+      end
+
+      if @options[:hsts]
+        headers[HSTS_HEADER] = Utils.hsts(@options[:hsts])
+      end
+
+      return [status, headers, body]
+    end
+
+    module Utils
+      HSTS_MAX_AGE = "max-age=%s".freeze
+      HSTS_INCLUDE_SUBDOMAINS = "; includeSubdomains".freeze
+      HSTS_PRELOAD = "; preload".freeze
+
+      def self.hsts(opts)
+        header = sprintf(HSTS_MAX_AGE, opts.fetch(:max_age))
+        header << HSTS_INCLUDE_SUBDOMAINS if opts[:include_subdomains]
+        header << HSTS_PRELOAD if opts[:preload]
+
+        return header
+      end
+    end
+  end
+end

lib/rack/secure_headers/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class SecureHeaders
+    VERSION = "0.0.1"
+  end
+end

makefile

@@ -0,0 +1,2 @@
+default:
+	cutest -r ./test/helper.rb ./test/*.rb

rack-secure_headers.gemspec

@@ -0,0 +1,18 @@
+require_relative "lib/rack/secure_headers/version"
+
+Gem::Specification.new do |s|
+  s.name        = "rack-secure_headers"
+  s.version     = Rack::SecureHeaders::VERSION
+  s.summary     = "Security related HTTP headers for Rack applications"
+  s.description = s.summary
+  s.authors     = ["Francesco Rodríguez"]
+  s.email       = ["frodsan@protonmail.ch"]
+  s.homepage    = "https://github.com/harmoni/rack-secure_headers"
+  s.license     = "MIT"
+
+  s.files = `git ls-files`.split("\n")
+
+  s.add_dependency "rack", "~> 1.6.4"
+  s.add_development_dependency "bundler", "~> 1.10"
+  s.add_development_dependency "cutest", "~> 1.2"
+end

test/helper.rb

@@ -0,0 +1,3 @@
+require "bundler/setup"
+require "cutest"
+require_relative "../lib/rack/secure_headers"

test/secure_headers.rb

@@ -0,0 +1,51 @@
+require_relative "helper"
+
+class App
+  def call(env)
+    return [200, {}, [""]]
+  end
+end
+
+setup do
+  App.new
+end
+
+test "defaults" do |app|
+  middleware = Rack::SecureHeaders.new(app)
+  headers = middleware.call({})[1]
+
+  expected = {
+    "X-Content-Type-Options" => "nosniff",
+    "X-Frame-Options" => "SAMEORIGIN",
+    "X-Permitted-Cross-Domain-Policies" => "none",
+    "X-XSS-Protection" => "1; mode=block",
+    "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
+  }
+
+  assert_equal expected, headers
+end
+
+test "nil" do |app|
+  headers = Rack::SecureHeaders::DEFAULTS.keys
+  options = headers.map { |h| [h, nil] }.to_h
+
+  middleware = Rack::SecureHeaders.new(app, options)
+  headers = middleware.call({})[1]
+
+  assert_equal Hash.new, headers
+end
+
+test "hsts options" do |app|
+  middleware = Rack::SecureHeaders.new(app, hsts: { max_age: 1 })
+  headers = middleware.call({})[1]
+
+  assert_equal "max-age=1", headers["Strict-Transport-Security"]
+
+  options = { max_age: 1, include_subdomains: true, preload: true }
+  middleware = Rack::SecureHeaders.new(app, hsts: options)
+  headers = middleware.call({})[1]
+
+  expected = "max-age=1; includeSubdomains; preload"
+
+  assert_equal expected, headers["Strict-Transport-Security"]
+end