
http-protection

Written in Crystal. MIT license.

This library protects against typical web attacks. It was inspired by the rack-protection Ruby gem and plugs into Crystal's HTTP::Server as a chain of handlers.

Installation

Add this to your application's shard.yml:

dependencies:
  http-protection:
    github: rogeriozambon/http-protection

Usage

require "http/server"
require "http-protection"

server = HTTP::Server.new([
  HTTP::Protection::Deflect.new,
  HTTP::Protection::FrameOptions.new,
  HTTP::Protection::IpSpoofing.new,
  HTTP::Protection::Origin.new,
  HTTP::Protection::PathTraversal.new,
  HTTP::Protection::RemoteReferer.new,
  HTTP::Protection::StrictTransport.new,
  HTTP::Protection::XSSHeader.new
])

server.bind_tcp "0.0.0.0", 8080
server.listen

Deflect middleware

It throttles clients that send too many requests, to mitigate denial-of-service attacks: requests from each remote address are counted per interval, and an address that exceeds the threshold is blocked for the configured duration. Because counting is keyed on the remote address, clients behind a shared NAT or proxy share one budget. You can define several options for this middleware.

Option     Description                                                               Default  Type
interval   Seconds until the per-address request counter is reset.                   5        Int32
duration   Seconds for which an address that exceeded the threshold stays blocked.   900      Int32
threshold  Number of requests allowed per address within one interval.               100      Int32
blacklist  Remote addresses that are always treated as malicious and blocked.        []       Array(String)
whitelist  Remote addresses that bypass Deflect entirely.                            []       Array(String)

Example:

HTTP::Protection::Deflect.new(
  interval: 5,
  duration: 5,
  threshold: 10,
  blacklist: ["111.111.111.111"],
  whitelist: ["222.222.222.222"]
)
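The interaction of interval, threshold and duration, as an added illustration that is not http-protection's own code: a fixed-window counter with the same three options (plus blacklist and whitelist), driven by an explicit clock so the timeline is deterministic. The WindowedBlocker class, the address 10.0.0.1 and the request timeline are constructed for this example; the option values are the ones from the README example above.

```crystal
# Added example: a fixed-window counter with Deflect's three knobs. This is an
# illustration of the semantics described in the table, not the library's code.
class WindowedBlocker
  # Per-address state: when the current window opened, requests seen in it,
  # and (once tripped) the moment the block expires.
  record Entry, window_start : Time, count : Int32, blocked_until : Time?

  def initialize(@interval : Int32, @duration : Int32, @threshold : Int32,
                 @blacklist : Array(String) = [] of String,
                 @whitelist : Array(String) = [] of String)
    @entries = {} of String => Entry
  end

  # True when a request from `addr` arriving at `now` may proceed.
  def allow?(addr : String, now : Time) : Bool
    return true if @whitelist.includes?(addr)
    return false if @blacklist.includes?(addr)

    entry = @entries[addr]? || Entry.new(now, 0, nil)

    if blocked = entry.blocked_until
      return false if now < blocked            # still serving a block
      entry = Entry.new(now, 0, nil)           # block expired: fresh window
    elsif now - entry.window_start >= @interval.seconds
      entry = Entry.new(now, 0, nil)           # interval elapsed: reset counter
    end

    count = entry.count + 1
    if count > @threshold
      # Threshold exceeded: refuse and block the address for `duration` seconds.
      @entries[addr] = Entry.new(entry.window_start, count, now + @duration.seconds)
      return false
    end

    @entries[addr] = Entry.new(entry.window_start, count, nil)
    true
  end
end

# Same option values as the README example; addresses and timeline are constructed.
blocker = WindowedBlocker.new(interval: 5, duration: 5, threshold: 10,
                              blacklist: ["111.111.111.111"],
                              whitelist: ["222.222.222.222"])
t0 = Time.utc(2024, 1, 1, 0, 0, 0)

# Eleven requests 100 ms apart, all inside one 5-second interval: the first
# ten are within the threshold, the eleventh trips it and starts the block.
(1..11).each do |i|
  at = t0 + (i * 100).milliseconds
  puts "#{at.to_s("%H:%M:%S.%L")} request #{i}: #{blocker.allow?("10.0.0.1", at)}"
end

# The block outlives the interval: the address is still refused at t0 + 5 s and
# is admitted again only once `duration` has passed since the request that
# tripped the threshold.
puts "after 5 s: #{blocker.allow?("10.0.0.1", t0 + 5.seconds)}"
puts "after 7 s: #{blocker.allow?("10.0.0.1", t0 + 7.seconds)}"

# Blacklist and whitelist are consulted before any counting happens.
puts "blacklisted: #{blocker.allow?("111.111.111.111", t0)}"
puts "whitelisted: #{blocker.allow?("222.222.222.222", t0)}"
```

The point to take from the timeline is that interval only governs how often the counter resets; once the threshold is crossed, duration takes over and the address stays refused even after the counter would have been reset.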

FrameOptions middleware

It protects against clickjacking by setting the X-Frame-Options header, which tells the browser whether the page may be embedded in a frame. You can define one option for this middleware.

Option  Description                                                                                             Default     Type
option  Who may embed the page in a frame: "DENY" (nobody) or "SAMEORIGIN" (only pages from the same origin).  SAMEORIGIN  String

Example:

HTTP::Protection::FrameOptions.new(option: "SAMEORIGIN")

IpSpoofing middleware

It detects IP spoofing attempts. At the HTTP layer this means a client forging the headers that carry its address (the forwarded-for style headers a reverse proxy sets), since the TCP peer address itself cannot be spoofed through a completed connection. If a reverse proxy sits in front of the server, make sure it overwrites these headers rather than passing client-supplied values through.

Example:

HTTP::Protection::IpSpoofing.new

Origin middleware

It rejects unsafe (state-changing) HTTP requests whose Origin request header matches neither the application's own origin (the default) nor one of the whitelisted URIs; this is a cross-site request forgery (CSRF) defense. Browsers don't send Origin on every request, so combine it with the RemoteReferer middleware or a token-based CSRF defense rather than relying on it alone. You can define the whitelist of URIs.

Option     Description                                                                 Default  Type
whitelist  Array of allowed origin URIs (scheme and host, e.g. "http://friend.com").   []       Array(String)

Example:

HTTP::Protection::Origin.new(whitelist: ["http://friend.com"])

PathTraversal middleware

It protects against path traversal attacks (unauthorized access to the file system) by unescaping encoded '/' and '.' characters in the request path (PATH_INFO in Rack terms), so that an encoded sequence such as %2e%2e%2f is normalized to ../ and cannot hide a traversal from later path checks.

Example:

HTTP::Protection::PathTraversal.new

RemoteReferer middleware

It rejects unsafe HTTP requests whose Referer header points to a different host. You can define which HTTP methods are considered safe and are therefore always accepted.

Option   Description                                                    Default                    Type
methods  HTTP methods treated as safe (never checked against Referer).  GET, HEAD, OPTIONS, TRACE  Array(String)

Example:

HTTP::Protection::RemoteReferer.new(methods: ["GET"])

StrictTransport middleware

It protects against protocol downgrade attacks and cookie hijacking by setting the Strict-Transport-Security (HSTS) header, which tells the browser to use HTTPS for all future requests to the domain. The header is only honored when it arrives over HTTPS, and browsers remember the policy for max_age seconds, so start with a short max_age while testing. Inclusion in the browsers' preload list requires include_subdomains and a max_age of at least one year (31536000 seconds) and is hard to undo once granted. You can define some options for this middleware.

Option              Description                                                                          Default   Type
max_age             How long (in seconds) future requests to the domain must go over HTTPS.              31536000  Int32
include_subdomains  Apply the policy to all present and future subdomains (includeSubDomains directive).  false     Bool
preload             Add the preload directive, signalling that the domain may be submitted to browsers' HSTS preload list.  false  Bool

Example:

HTTP::Protection::StrictTransport.new(
  max_age: 31536000,
  include_subdomains: false,
  preload: false
)

XSSHeader middleware

It sets the X-XSS-Protection header to tell the browser's built-in XSS filter to block reflected cross-site scripting. XSS vulnerabilities let an attacker run script in the context of a site the user trusts and so hijack the relationship between the user and that site. Note that this header is legacy: Chromium removed its XSS auditor in version 78 and Firefox never implemented one, so current browsers ignore it, and a Content-Security-Policy is the modern defense. The nosniff option below is still worthwhile.

You can define some options for this middleware.

Option    Description                                                                                                                           Default  Type
xss_mode  Value of the header's mode directive; "block" makes the browser block the page instead of trying to sanitize it.                     block    String
nosniff   Also send X-Content-Type-Options: nosniff, so the browser refuses "style" or "script" responses whose declared Content-Type doesn't match.  true     Bool

Example:

HTTP::Protection::XSSHeader.new(
  xss_mode: "block",
  nosniff: true
)
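A way to check what the header-setting middlewares (FrameOptions, StrictTransport and XSSHeader) actually emit, as an added example that is not part of the library: it builds the handler chain with HTTP::Server.build_middleware from Crystal's standard library and runs one in-memory request through it, so no socket is opened. The header names and values in `expected` are assumptions based on the rack-protection conventions this library was modeled on; the helper functions and the Host value are constructed for this example, and a MISMATCH line tells you what your version emits instead.

```crystal
require "http/server"
require "http-protection"

# Added check, not part of http-protection: run one in-memory request through
# the given middleware chain and return the response headers it produced.
def protected_headers(handlers : Array(HTTP::Handler)) : HTTP::Headers
  # Terminal handler standing in for the application.
  app = HTTP::Handler::HandlerProc.new { |context| context.response.print "ok" }
  chain = HTTP::Server.build_middleware(handlers, app)

  # Constructed request; the Host value is an assumption for this example.
  request = HTTP::Request.new("GET", "/", HTTP::Headers{"Host" => "example.com"})
  response = HTTP::Server::Response.new(IO::Memory.new)
  chain.call(HTTP::Server::Context.new(request, response))
  response.headers
end

# Names whose emitted value differs from `expected` (absent headers count too).
def mismatches(headers : HTTP::Headers, expected : Hash(String, String)) : Array(String)
  expected.compact_map do |name, value|
    actual = headers[name]?
    actual == value ? nil : "#{name}: got #{actual.inspect}, expected #{value.inspect}"
  end
end

headers = protected_headers([
  HTTP::Protection::FrameOptions.new(option: "DENY"),
  HTTP::Protection::StrictTransport.new(max_age: 31536000, include_subdomains: true, preload: false),
  HTTP::Protection::XSSHeader.new(xss_mode: "block", nosniff: true),
] of HTTP::Handler)

# Assumed header values (rack-protection conventions); adjust to your version.
expected = {
  "X-Frame-Options"           => "DENY",
  "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
  "X-XSS-Protection"          => "1; mode=block",
  "X-Content-Type-Options"    => "nosniff",
}

problems = mismatches(headers, expected)
if problems.empty?
  puts "all expected headers present"
else
  problems.each { |p| puts "MISMATCH #{p}" }
end
```

Reading the headers back from the HTTP::Headers object rather than from the serialized response means the check works no matter whether a middleware sets its header before or after calling the next handler. The same harness can be pointed at a full handler list to confirm that nothing later in the chain overwrites a security header.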

Custom logger

It's possible to add a custom logger to replace the default behavior. You can add a logger that outputs to a file, for example.

Example:

require "logger"            # Crystal's stdlib Logger class (the Log module replaced it in newer Crystal versions)
require "http-protection"

log_file = File.open("./protection.log", "w")   # use "a" instead of "w" to append rather than truncate on each start
HTTP::Protection::Logger.instance = Logger.new(log_file)

Contributors