HTTP Security

• Source
• Issues
• Documentation

Security Headers is a parser for security-relevant HTTP headers. Each header value is parsed and validated according to the syntax specified in its relevant RFC.

Security Headers relies on parslet for constructing its parsing grammar.

Currently parsed security headers are:

• Cache-Control
• Content-Security-Policy
• Content-Security-Policy-Report-Only
• Expires
• Pragma
• Public-Key-Pins
• Public-Key-Pins-Report-Only
• Set-Cookie
• Strict-Transport-Security
• X-Content-Type-Options
• X-Frame-Options
• X-Permitted-Cross-Domain-Policies
• X-XSS-Protection

Example

require 'net/https'
response = Net::HTTP.get_response(URI('https://twitter.com/'))

require 'http/security'
headers = HTTP::Security::Response.parse(response)

headers.cache_control
# => #<HTTP::Security::Headers::CacheControl:0x00000002f65778 @private=nil, @max_age=nil, @no_cache=true>

headers.content_security_policy
# => #<HTTP::Security::Headers::ContentSecurityPolicy:0x00000002d8e238 @default_src="https:"@12, @script_src="https://github.com/trailofbits/http-security/raw/master/'unsafe-inline' 'unsafe-eval' https:"@172, @object_src="https:"@153, @style_src="https://github.com/trailofbits/http-security/raw/master/'unsafe-inline' https:"@220, @img_src="https: blob: data:"@98, @media_src="https: blob:"@128, @frame_src="https: twitter:"@73, @font_src="https: data:"@49, @connect_src="https:"@32, @report_uri=[#<URI::HTTPS:0x00000002d94250 URL:https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;>], @sandbox=nil>

headers.expires
# => #<HTTP::Security::HTTPDate: Tue, 31 Mar 1981 00:00:00 GMT ((2444695j,0s,0n),+0s,2299161j)>

headers.pragma
# => #<HTTP::Security::Headers::Pragma:0x00000002ccc5e8 @no_cache=true>

headers.strict_transport_security
# => #<HTTP::Security::Headers::StrictTransportSecurity:0x00000002c928c0 @max_age=631138519, @include_sub_domains=nil>

headers.x_content_type_options
# => #<HTTP::Security::Headers::XContentTypeOptions:0x00000002a46e40 @no_sniff=true>

headers.x_frame_options
# => #<HTTP::Security::Headers::XFrameOptions:0x000000028163c8 @deny=nil, @same_origin=true, @allow_from=nil, @allow_all=nil>

headers.x_permitted_cross_domain_policies
# => nil

headers.x_xss_protection
# => #<HTTP::Security::Headers::XXSSProtection:0x0000000297a408 @enabled=true, @mode="block"@8, @report=nil>

Requirements

• ruby >= 1.9.1
• parslet ~> 1.5

Install

$ gem install http-security

Testing

To run the RSpec tests:

$ rake spec

To test the parser against the Alexa Top 100:

$ rake spec:gauntlet

License

See the {file:LICENSE.txt} file.