GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → trailofbits → http-security

trailofbits / http-security

Licence: MIT license
Parse HTTP Security Headers

Programming Languages

ruby
36898 projects - #4 most used programming language

Labels

httphttp-security

Projects that are alternatives of or similar to http-security

DotnetHttpSecurityCheck
A dotnet tool to do a http request/response security assessment
Stars: ✭ 36 (+0%)
Mutual labels:  http-security
SpringSecurityInEasySteps
Learn Spring Security step by step
Stars: ✭ 13 (-63.89%)
Mutual labels:  http-security

HTTP Security

Code Climate Build Status Test Coverage

Security Headers is a parser for security-relevant HTTP headers. Each header value is parsed and validated according to the syntax specified in its relevant RFC.

Security Headers relies on parslet for constructing its parsing grammar.

Currently parsed security headers are:

  • Cache-Control
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
  • Expires
  • Pragma
  • Public-Key-Pins
  • Public-Key-Pins-Report-Only
  • Set-Cookie
  • Strict-Transport-Security
  • X-Content-Type-Options
  • X-Frame-Options
  • X-Permitted-Cross-Domain-Policies
  • X-XSS-Protection

Example

require 'net/https'
response = Net::HTTP.get_response(URI('https://twitter.com/'))

require 'http/security'
headers = HTTP::Security::Response.parse(response)

headers.cache_control
# => #<HTTP::Security::Headers::CacheControl:0x00000002f65778 @private=nil, @max_age=nil, @no_cache=true>

headers.content_security_policy
# => #<HTTP::Security::Headers::ContentSecurityPolicy:0x00000002d8e238 @default_src="https:"@12, @script_src="'unsafe-inline' 'unsafe-eval' https:"@172, @object_src="https:"@153, @style_src="'unsafe-inline' https:"@220, @img_src="https: blob: data:"@98, @media_src="https: blob:"@128, @frame_src="https: twitter:"@73, @font_src="https: data:"@49, @connect_src="https:"@32, @report_uri=[#<URI::HTTPS:0x00000002d94250 URL:https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;>], @sandbox=nil>

headers.expires
# => #<HTTP::Security::HTTPDate: Tue, 31 Mar 1981 00:00:00 GMT ((2444695j,0s,0n),+0s,2299161j)>

headers.pragma
# => #<HTTP::Security::Headers::Pragma:0x00000002ccc5e8 @no_cache=true>

headers.strict_transport_security
# => #<HTTP::Security::Headers::StrictTransportSecurity:0x00000002c928c0 @max_age=631138519, @include_sub_domains=nil>

headers.x_content_type_options
# => #<HTTP::Security::Headers::XContentTypeOptions:0x00000002a46e40 @no_sniff=true>

headers.x_frame_options
# => #<HTTP::Security::Headers::XFrameOptions:0x000000028163c8 @deny=nil, @same_origin=true, @allow_from=nil, @allow_all=nil>

headers.x_permitted_cross_domain_policies
# => nil

headers.x_xss_protection
# => #<HTTP::Security::Headers::XXSSProtection:0x0000000297a408 @enabled=true, @mode="block"@8, @report=nil>

Requirements

Install

$ gem install http-security

Testing

To run the RSpec tests:

$ rake spec

To test the parser against the Alexa Top 100:

$ rake spec:gauntlet

License

See the {file:LICENSE.txt} file.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].