From 1a595ee086591d827d85e9e29205348b89412369 Mon Sep 17 00:00:00 2001
From: Ben Balter
Date: Fri, 6 Feb 2015 11:49:08 -0500
Subject: [PATCH 1/4] refactor headers a bit
---
 lib/site-inspector/headers.rb | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/lib/site-inspector/headers.rb b/lib/site-inspector/headers.rb
index deeaa91..268149a 100644
--- a/lib/site-inspector/headers.rb
+++ b/lib/site-inspector/headers.rb
@@ -3,7 +3,7 @@ class SiteInspector
 # cookies can have multiple set-cookie headers, so this detects
 # whether cookies are set, but not all their values.
 def has_cookies?
- !!header_from("Set-Cookie")
+ !!headers["set-cookie"]
 end
 def strict_transport_security?
@@ -21,23 +21,24 @@ def click_jacking_protection?
 # return the found header value
 def strict_transport_security
- header_from("Strict-Transport-Security")
+ puts response.inspect
+ headers["strict-transport-security"]
 end
 def content_security_policy
- header_from("Content-Security-Policy")
+ headers["content-security-policy"]
 end
 def click_jacking_protection
- header_from("X-Frame-Options")
+ headers["x-frame-options"]
 end
 def server
- header_from("Server")
+ headers["server"]
 end
 def xss_protection
- header_from("X-XSS-Protection")
+ headers["x-xss-protection"]
 end
 # more specific checks than presence of headers
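Review bot: `!!headers["set-cookie"]` in has_cookies? loses the nil-response guard that header_from provided: `headers` (defined in the third hunk of this patch) evaluates to nil when `response` is falsy, so the `[]` call raises NoMethodError where the old code returned nil. The same regression applies to strict_transport_security, content_security_policy, click_jacking_protection, server and xss_protection in the next hunk, and to `return nil if !has_cookies?` in secure_cookies?. The least invasive fix is a single change in `headers` so it always yields a Hash: `@headers ||= response ? Hash[response.headers.map { |k, v| [k.downcase, v] }] : {}`. Note also that building a Hash from downcased keys keeps only the last value for keys that differ only in case, which could drop a repeated Set-Cookie header if the client exposes repeats as separate keys; that depends on the client and is not visible here.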
@@ -46,19 +47,14 @@ def xss_protection?
 end
 def secure_cookies?
- return nil if !response || !has_cookies?
- cookie = header_from("Set-Cookie")
+ return nil if !has_cookies?
+ cookie = headers["set-cookie"]
 cookie = cookie.first if cookie.is_a?(Array)
- marked_secure = !!(cookie.downcase =~ /secure/)
- marked_http_only = !!(cookie.downcase =~ /httponly/)
- marked_secure and marked_http_only
+ !!(cookie.downcase =~ /secure/) && !!(cookie.downcase =~ /httponly/)
 end
- # helper function: case-insensitive sweep for header, return value
- def header_from(header)
- return nil unless response
-
- the_header = response.headers.keys.find {|h| h.downcase =~ /^#{header.downcase}/}
- response.headers[the_header]
+ # Returns an array of hashes of downcased key/value header pairs (or nil)
+ def headers
+ @headers ||= Hash[response.headers.map{ |k,v| [k.downcase,v] }] if response
 end
 end
From ff777fa3704d6762362a80aad627fe60e88b962a Mon Sep 17 00:00:00 2001
From: Ben Balter
Date: Fri, 6 Feb 2015 11:50:52 -0500
Subject: [PATCH 2/4] remove debug infos
---
 lib/site-inspector/headers.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lib/site-inspector/headers.rb b/lib/site-inspector/headers.rb
index 268149a..13ea144 100644
--- a/lib/site-inspector/headers.rb
+++ b/lib/site-inspector/headers.rb
@@ -21,7 +21,6 @@ def click_jacking_protection?
 # return the found header value
 def strict_transport_security
- puts response.inspect
 headers["strict-transport-security"]
 end
From ef67f8277eb2f4907f1aa8368819f8dc5ea0cbde Mon Sep 17 00:00:00 2001
From: Ben Balter
Date: Fri, 6 Feb 2015 14:47:06 -0500
Subject: [PATCH 3/4] smarter cookie type detection
---
 lib/site-inspector/headers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/site-inspector/headers.rb b/lib/site-inspector/headers.rb
index 13ea144..c20d82f 100644
--- a/lib/site-inspector/headers.rb
+++ b/lib/site-inspector/headers.rb
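Review bot: secure_cookies? still collapses an Array of Set-Cookie values to `cookie.first`, so when a response sets several cookies only the first is inspected and a later cookie lacking Secure or HttpOnly still yields true; the comment on has_cookies? in this same file acknowledges that multiple Set-Cookie headers are normal. Checking every value keeps the boolean contract honest: `Array(headers["set-cookie"]).all? { |c| !!(c.downcase =~ /secure/) && !!(c.downcase =~ /httponly/) }`. The comment on the new `headers` helper is also inaccurate, since `Hash[...]` produces one Hash rather than an array of hashes; `# Returns a Hash of header values keyed by downcased header name, or nil when there is no response` matches the code. Whether the client hands back repeated headers as an Array or as one joined String is not visible here; if it joins them, the substring match can succeed across cookie boundaries, so the per-cookie check above would need the value split first.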
@@ -49,7 +49,7 @@ def secure_cookies?
 return nil if !has_cookies?
 cookie = headers["set-cookie"]
 cookie = cookie.first if cookie.is_a?(Array)
- !!(cookie.downcase =~ /secure/) && !!(cookie.downcase =~ /httponly/)
+ !!(cookie =~ /; (secure|httponly)/i)
 end
 # Returns an array of hashes of downcased key/value header pairs (or nil)
From 990207915dba710449375711b3ab64facd7419a0 Mon Sep 17 00:00:00 2001
From: Ben Balter
Date: Fri, 6 Feb 2015 14:50:58 -0500
Subject: [PATCH 4/4] update regex
---
 lib/site-inspector/headers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/site-inspector/headers.rb b/lib/site-inspector/headers.rb
index c20d82f..00c20e8 100644
--- a/lib/site-inspector/headers.rb
+++ b/lib/site-inspector/headers.rb
@@ -49,7 +49,7 @@ def secure_cookies?
 return nil if !has_cookies?
 cookie = headers["set-cookie"]
 cookie = cookie.first if cookie.is_a?(Array)
- !!(cookie =~ /; (secure|httponly)/i)
+ !!(cookie =~ /(; secure.*; httponly|; httponly.*; secure)/i)
 end
 # Returns an array of hashes of downcased key/value header pairs (or nil)
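Review bot: The regex on the new line of the PATCH 4/4 hunk hard-codes exactly one space after each `;`, so a header serialized as `a=b;Secure;HttpOnly` or with a tab or double space is reported as not secure, and `; secure.*` also accepts any attribute whose name merely begins with those letters. Splitting on the attribute separator and comparing whole tokens avoids both problems: `attrs = cookie.split(";").map { |a| a.strip.downcase }` followed by `attrs.include?("secure") && attrs.include?("httponly")`. Because `.*` spans the entire value, a string holding several comma-joined cookies (if the client presents repeats that way, which is not visible here) would pass when Secure comes from one cookie and HttpOnly from another, so the token check should be applied per cookie. The single-space assumption is shared with the PATCH 3/4 hunk above, and the method still only looks at `cookie.first` when the value is an Array.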