# HTTP Security

* [Source](https://github.com/trailofbits/http-security)
* [Issues](https://github.com/trailofbits/http-security/issues)
* [Documentation](https://rubydoc.info/gems/http-security/frames)

[![Code Climate](https://codeclimate.com/github/trailofbits/http-security.png)](https://codeclimate.com/github/trailofbits/http-security) [![Build Status](https://travis-ci.org/trailofbits/http-security.svg)](https://travis-ci.org/trailofbits/http-security) [![Test Coverage](https://codeclimate.com/github/trailofbits/http-security/badges/coverage.svg)](https://codeclimate.com/github/trailofbits/http-security)

Security Headers is a parser for security-relevant HTTP headers. Each header
value is parsed and validated according to the syntax specified in its relevant
RFC.

Security Headers relies on [parslet] for constructing its parsing grammar.

Currently parsed security headers are:

* `Cache-Control`
* `Content-Security-Policy`
* `Content-Security-Policy-Report-Only`
* `Expires`
* `Pragma`
* `Public-Key-Pins`
* `Public-Key-Pins-Report-Only`
* `Set-Cookie`
* `Strict-Transport-Security`
* `X-Content-Type-Options`
* `X-Frame-Options`
* `X-Permitted-Cross-Domain-Policies`
* `X-XSS-Protection`

## Example

    require 'net/https'
    response = Net::HTTP.get_response(URI('https://twitter.com/'))

    require 'http/security'
    headers = HTTP::Security::Response.parse(response)

    headers.cache_control
    # => #<HTTP::Security::Headers::CacheControl:0x00000002f65778 @private=nil, @max_age=nil, @no_cache=true>

    headers.content_security_policy
    # => #<HTTP::Security::Headers::ContentSecurityPolicy:0x00000002d8e238 @default_src="https:"@12, @script_src="'unsafe-inline' 'unsafe-eval' https:"@172, @object_src="https:"@153, @style_src="'unsafe-inline' https:"@220, @img_src="https: blob: data:"@98, @media_src="https: blob:"@128, @frame_src="https: twitter:"@73, @font_src="https: data:"@49, @connect_src="https:"@32, @report_uri=[#<URI::HTTPS:0x00000002d94250 URL:https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;>], @sandbox=nil>

    headers.expires
    # => #<HTTP::Security::HTTPDate: Tue, 31 Mar 1981 00:00:00 GMT ((2444695j,0s,0n),+0s,2299161j)>

    headers.pragma
    # => #<HTTP::Security::Headers::Pragma:0x00000002ccc5e8 @no_cache=true>

    headers.strict_transport_security
    # => #<HTTP::Security::Headers::StrictTransportSecurity:0x00000002c928c0 @max_age=631138519, @include_sub_domains=nil>

    headers.x_content_type_options
    # => #<HTTP::Security::Headers::XContentTypeOptions:0x00000002a46e40 @no_sniff=true>

    headers.x_frame_options
    # => #<HTTP::Security::Headers::XFrameOptions:0x000000028163c8 @deny=nil, @same_origin=true, @allow_from=nil, @allow_all=nil>

    headers.x_permitted_cross_domain_policies
    # => nil

    headers.x_xss_protection
    # => #<HTTP::Security::Headers::XXSSProtection:0x0000000297a408 @enabled=true, @mode="block"@8, @report=nil>
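
The snippet above shows what the gem returns; the block below is an added illustration, not code from the http-security gem, of what "parsed and validated according to its RFC" means for one of the listed headers. It hand-rolls a parser for `Strict-Transport-Security` following the directive grammar in RFC 6797 section 6.1 with plain regular expressions instead of parslet, so it runs without the gem installed, and then audits the parsed policy the way a reviewer would. The function names, the `HSTSParseError` class and the finding strings are this example's own assumptions and do not correspond to the gem's API; the sample header values at the bottom are constructed.

```ruby
# Added example, not part of the http-security gem: a self-contained
# Strict-Transport-Security parser following RFC 6797 section 6.1, plus
# an audit of the parsed policy. Plain regexps are used instead of parslet
# so the file runs without any gem installed.

# RFC 6797 reuses the HTTP "token" and "quoted-string" productions for
# directive names and values.
TOKEN = /[!\#$%&'*+\-.^_`|~0-9A-Za-z]+/
QUOTED = /"(?:[^"\\]|\\.)*"/
DIRECTIVE = /\A\s*(#{TOKEN})\s*(?:=\s*(#{QUOTED}|#{TOKEN}))?\s*\z/

# Hypothetical error class for this example (the gem's own errors differ).
class HSTSParseError < StandardError; end

# Parse an STS header value into a Hash. Raises HSTSParseError on syntax
# RFC 6797 does not allow: a malformed directive, a directive name that
# appears twice, a missing or non-numeric max-age, or a value attached to
# includeSubDomains. RFC 6797 tells user agents to ignore a non-conforming
# STS header field entirely, so such a header gives no protection at all.
def parse_hsts(value)
  directives = {}
  value.split(';', -1).each do |part|
    next if part.strip.empty?  # empty directives are permitted and ignored
    m = DIRECTIVE.match(part)
    raise HSTSParseError, "malformed directive: #{part.inspect}" unless m
    name = m[1].downcase      # directive names are case-insensitive
    raw = m[2]
    raw = raw[1..-2].gsub(/\\(.)/, '\1') if raw && raw.start_with?('"')  # unquote
    raise HSTSParseError, "duplicate directive: #{name}" if directives.key?(name)
    directives[name] = raw
  end
  raise HSTSParseError, 'max-age is required' unless directives.key?('max-age')
  unless directives['max-age'].to_s.match?(/\A\d+\z/)
    raise HSTSParseError, "max-age must be delta-seconds, got #{directives['max-age'].inspect}"
  end
  if directives.key?('includesubdomains') && !directives['includesubdomains'].nil?
    raise HSTSParseError, 'includeSubDomains takes no value'
  end
  {
    max_age: directives['max-age'].to_i,
    include_sub_domains: directives.key?('includesubdomains'),
    preload: directives.key?('preload') # not in RFC 6797, but widely deployed
  }
end

ONE_YEAR = 31_536_000 # the minimum max-age accepted by the HSTS preload list

# Return a list of findings (empty when the policy is sound). A syntax
# error is itself a finding, because the header will be ignored.
def audit_hsts(value)
  policy = parse_hsts(value)
  findings = []
  findings << 'max-age=0 disables HSTS' if policy[:max_age].zero?
  findings << 'max-age shorter than one year' if policy[:max_age] > 0 && policy[:max_age] < ONE_YEAR
  findings << 'includeSubDomains not set' unless policy[:include_sub_domains]
  findings
rescue HSTSParseError => e
  ["invalid header, user agents ignore it: #{e.message}"]
end

# Constructed sample values exercising the sound, weak and malformed cases.
SAMPLE_HEADERS = [
  'max-age=31536000; includeSubDomains; preload',
  'max-age="631138519"',
  'max-age=0',
  'max-age=300; max-age=300',
  'includeSubDomains'
].freeze

if __FILE__ == $0
  SAMPLE_HEADERS.each do |value|
    findings = audit_hsts(value)
    puts "#{value.inspect}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

The quoted-string case (`max-age="631138519"`) is deliberately included because the RFC grammar allows it and a parser that only accepts bare tokens would wrongly reject a valid policy; the duplicated `max-age` case shows the opposite failure, a header that looks reasonable but that conforming user agents discard.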

## Requirements

* [ruby] >= 1.9.1
* [parslet] ~> 1.5

## Install

    $ gem install http-security

## Testing

To run the RSpec tests:

    $ rake spec

To test the parser against the Alexa Top 100:

    $ rake spec:gauntlet

## License

See the {file:LICENSE.txt} file.

[ruby]: https://www.ruby-lang.org/
[parslet]: http://kschiess.github.io/parslet/