{"id":13483425,"url":"https://github.com/rogeriozambon/http-protection","last_synced_at":"2025-03-27T14:31:17.689Z","repository":{"id":53578010,"uuid":"81837179","full_name":"rogeriozambon/http-protection","owner":"rogeriozambon","description":"This library protects against typical web attacks. It was inspired in rack-protection Ruby gem.","archived":false,"fork":false,"pushed_at":"2023-06-17T15:30:36.000Z","size":49,"stargazers_count":72,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-10-30T17:47:50.609Z","etag":null,"topics":["crystal","http","middlewares","security"],"latest_commit_sha":null,"homepage":null,"language":"Crystal","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rogeriozambon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-13T15:03:19.000Z","updated_at":"2024-05-31T11:54:29.000Z","dependencies_parsed_at":"2024-05-02T20:08:17.100Z","dependency_job_id":null,"html_url":"https://github.com/rogeriozambon/http-protection","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeriozambon%2Fhttp-protection","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeriozambon%2Fhttp-protection/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogeriozambon%2Fhttp-protection/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rog
eriozambon%2Fhttp-protection/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rogeriozambon","download_url":"https://codeload.github.com/rogeriozambon/http-protection/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245863074,"owners_count":20684784,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crystal","http","middlewares","security"],"created_at":"2024-07-31T17:01:11.125Z","updated_at":"2025-03-27T14:31:17.320Z","avatar_url":"https://github.com/rogeriozambon.png","language":"Crystal","funding_links":[],"categories":["HTTP"],"sub_categories":[],"readme":"# http-protection\n\n[![Build Status](https://travis-ci.org/rogeriozambon/http-protection.svg?branch=master)](https://travis-ci.org/rogeriozambon/http-protection)\n[![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/rogeriozambon/http-protection/master/LICENSE)\n\nThis library protects against typical web attacks. 
It was inspired by the rack-protection Ruby gem.\n\n## Installation\n\nAdd this to your application's `shard.yml`:\n\n```yaml\ndependencies:\n  http-protection:\n    github: rogeriozambon/http-protection\n```\n\n## Usage\n\n```crystal\nrequire \"http/server\"\nrequire \"http-protection\"\n\nserver = HTTP::Server.new([\n  HTTP::Protection::Deflect.new,\n  HTTP::Protection::FrameOptions.new,\n  HTTP::Protection::IpSpoofing.new,\n  HTTP::Protection::Origin.new,\n  HTTP::Protection::PathTraversal.new,\n  HTTP::Protection::RemoteReferer.new,\n  HTTP::Protection::StrictTransport.new,\n  HTTP::Protection::XSSHeader.new\n])\n\nserver.bind_tcp \"0.0.0.0\", 8080\nserver.listen\n```\n\n### Deflect middleware\n\nIt protects against Denial-of-service attacks. You can define several options for this middleware.\n\n| Option    | Description                                                 | Default value | Type          |\n| --------- | ----------------------------------------------------------- | ------------- | ------------- |\n| interval  | Duration in seconds until the request counter is reset.     | 5             | Int32         |\n| duration  | Duration in seconds that a remote address will be blocked.  | 900           | Int32         |\n| threshold | Number of requests allowed.                                 | 100           | Int32         |\n| blacklist | Array of remote addresses immediately considered malicious. | []            | Array(String) |\n| whitelist | Array of remote addresses which bypass Deflect.             | []            | Array(String) |\n\n**Example:**\n\n```crystal\nHTTP::Protection::Deflect.new(\n  interval: 5,\n  duration: 5,\n  threshold: 10,\n  blacklist: [\"111.111.111.111\"],\n  whitelist: [\"222.222.222.222\"]\n)\n```\n\n### FrameOptions middleware\n\nIt protects against clickjacking, setting a header to tell the browser to avoid embedding the page in a frame. 
You can define one option for this middleware.\n\n| Option | Description                                                                             | Default value | Type   |\n| ------ | --------------------------------------------------------------------------------------- | ------------- | ------ |\n| option | Defines who should be allowed to embed the page in a frame. Use \"DENY\" or \"SAMEORIGIN\". | SAMEORIGIN    | String |\n\n**Example:**\n\n```crystal\nHTTP::Protection::FrameOptions.new(option: \"SAMEORIGIN\")\n```\n\n### IpSpoofing middleware\n\nIt detects IP spoofing attacks.\n\n**Example:**\n\n```crystal\nHTTP::Protection::IpSpoofing.new\n```\n\n### Origin middleware\n\nIt protects against unsafe HTTP requests when value of Origin HTTP request header doesn't match default or whitelisted URIs. You can define the whitelist of URIs.\n\n| Option    | Description           | Default value | Type          |\n| --------- | --------------------- | ------------- | ------------- |\n| whitelist | Array of allowed URIs | []            | Array(String) |\n\n**Example:**\n\n```crystal\nHTTP::Protection::Origin.new(whitelist: [\"http://friend.com\"])\n```\n\n### PathTraversal middleware\n\nIt protects against unauthorized access to file system attacks, unescapes '/' and '.' from PATH_INFO.\n\n**Example:**\n\n```crystal\nHTTP::Protection::PathTraversal.new\n```\n\n### RemoteReferer middleware\n\nIt doesn't accept unsafe HTTP requests if the Referer header is set to a different host. You can define the HTTP methods that are allowed.\n\n| Option  | Description                               | Default value             | Type          |\n| ------- | ----------------------------------------- | ------------------------- | ------------- |\n| methods | Defines which HTTP method should be used. 
| GET, HEAD, OPTIONS, TRACE | Array(String) |\n\n**Example:**\n\n```crystal\nHTTP::Protection::RemoteReferer.new(methods: [\"GET\"])\n```\n\n### StrictTransport middleware\n\nIt protects against protocol downgrade attacks and cookie hijacking. You can define some options for this middleware.\n\n| Option             | Description                                                               | Default value | Type  |\n| ------------------ | ------------------------------------------------------------------------- | ------------- | ----- |\n| max_age            | How long future requests to the domain should go over HTTPS (in seconds). | 31536000      | Int32 |\n| include_subdomains | If all present and future subdomains will be HTTPS.                       | false         | Bool  |\n| preload            | Allow this domain to be included in browsers' HSTS preload list.          | false         | Bool  |\n\n**Example:**\n\n```crystal\nHTTP::Protection::StrictTransport.new(\n  max_age: 31536000,\n  include_subdomains: false,\n  preload: false\n)\n```\n\n### XSSHeader middleware\n\nIt sets the X-XSS-Protection header to tell the browser to block attacks. XSS vulnerabilities enable an attacker to control the relationship between a user and a web site or web application that they trust.\n\nYou can define some options for this middleware.\n\n| Option   | Description                                                    | Default value | Type   |\n| -------- | -------------------------------------------------------------- | ------------- | ------ |\n| xss_mode | How the browser should prevent the attack.                     | block         | String |\n| nosniff  | Blocks a request if the requested type is \"style\" or \"script\". | true          | Bool   |\n\n**Example:**\n\n```crystal\nHTTP::Protection::XSSHeader.new(\n  xss_mode: \"block\",\n  nosniff: true\n)\n```\n\n### Custom logger\n\nIt's possible to add a custom logger to replace the default behavior. 
You can add a logger that outputs to a file, for example.\n\n**Example:**\n\n```crystal\nlog_file = File.open(\"./protection.log\", \"w\")\nHTTP::Protection::Logger.instance = Logger.new(log_file)\n```\n\n## Contributors\n\n- [rogeriozambon](https://github.com/rogeriozambon) Rogério Zambon - creator, maintainer\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frogeriozambon%2Fhttp-protection","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frogeriozambon%2Fhttp-protection","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frogeriozambon%2Fhttp-protection/lists"}