http-protection

This library protects against typical web attacks. It was inspired by the rack-protection Ruby gem.

Installation

Add this to your application's shard.yml:

dependencies:
  http-protection:
    github: rogeriozambon/http-protection

Usage

require "http/server"
require "http-protection"

server = HTTP::Server.new([
  HTTP::Protection::Deflect.new,
  HTTP::Protection::FrameOptions.new,
  HTTP::Protection::IpSpoofing.new,
  HTTP::Protection::Origin.new,
  HTTP::Protection::PathTraversal.new,
  HTTP::Protection::RemoteReferer.new,
  HTTP::Protection::StrictTransport.new,
  HTTP::Protection::XSSHeader.new
])

server.bind_tcp "0.0.0.0", 8080
server.listen

Deflect middleware

It protects against Denial-of-Service attacks by counting requests per remote address and blocking addresses that exceed a threshold. You can define several options for this middleware.

Option | Description | Default value | Type
interval | Duration in seconds until the request counter is reset. | 5 | Int32
duration | Duration in seconds that a remote address will be blocked. | 900 | Int32
threshold | Number of requests allowed. | 100 | Int32
blacklist | Array of remote addresses immediately considered malicious. | [] | Array(String)
whitelist | Array of remote addresses which bypass Deflect. | [] | Array(String)

Example:

HTTP::Protection::Deflect.new(
  interval: 5,
  duration: 5,
  threshold: 10,
  blacklist: ["111.111.111.111"],
  whitelist: ["222.222.222.222"]
)

FrameOptions middleware

It protects against clickjacking by setting a header that tells the browser not to embed the page in a frame. You can define one option for this middleware.

Option | Description | Default value | Type
option | Defines who should be allowed to embed the page in a frame. Use "DENY" or "SAMEORIGIN". | SAMEORIGIN | String

Example:

HTTP::Protection::FrameOptions.new(option: "SAMEORIGIN")

IpSpoofing middleware

It detects IP spoofing attacks.

Example:

HTTP::Protection::IpSpoofing.new

Origin middleware

It protects against unsafe HTTP requests whose Origin request header doesn't match the default or whitelisted URIs. You can define the whitelist of URIs.

Option | Description | Default value | Type
whitelist | Array of allowed URIs | [] | Array(String)

Example:

HTTP::Protection::Origin.new(whitelist: ["http://friend.com"])

PathTraversal middleware

It protects against path traversal attacks that try to gain unauthorized access to the file system by unescaping '/' and '.' in PATH_INFO.

Example:

HTTP::Protection::PathTraversal.new

RemoteReferer middleware

It rejects unsafe HTTP requests if the Referer header is set to a different host. You can define the HTTP methods that are allowed regardless of the Referer.

Option | Description | Default value | Type
methods | Defines which HTTP methods are accepted even when the Referer points to a different host. | GET, HEAD, OPTIONS, TRACE | Array(String)

Example:

HTTP::Protection::RemoteReferer.new(methods: ["GET"])

StrictTransport middleware

It protects against protocol downgrade attacks and cookie hijacking. You can define some options for this middleware.

Option | Description | Default value | Type
max_age | How long (in seconds) future requests to the domain should go over HTTPS. | 31536000 | Int32
include_subdomains | Whether the HTTPS policy also applies to all present and future subdomains. | false | Bool
preload | Allow this domain to be included in browsers' HSTS preload list. | false | Bool

Example:

HTTP::Protection::StrictTransport.new(
  max_age: 31536000,
  include_subdomains: false,
  preload: false
)

XSSHeader middleware

It sets the X-XSS-Protection header to tell the browser to block attacks. XSS vulnerabilities enable an attacker to control the relationship between a user and a web site or web application that they trust.

You can define some options for this middleware.

Option | Description | Default value | Type
xss_mode | How the browser should prevent the attack. | block | String
nosniff | Blocks a request if the requested type is "style" or "script" and the content type doesn't match. | true | Bool

Example:

HTTP::Protection::XSSHeader.new(
  xss_mode: "block",  # trailing comma was missing, which is a syntax error in Crystal
  nosniff: true
)

Custom logger

It's possible to add a custom logger to replace the default behavior. You can add a logger that outputs to a file, for example.

Example:

log_file = File.open("./protection.log", "w")
HTTP::Protection::Logger.instance = Logger.new(log_file)

Contributors