Module: Otto::Security::Core

Included in:
Otto
Defined in:
lib/otto/security/core.rb

Overview

Core security configuration methods included in the Otto class. Provides the public API for enabling and configuring security features.

Instance Method Summary collapse

Instance Method Details

#add_auth_strategy(name, strategy) ⇒ Object

Add an authentication strategy with a registered name

This is the primary public API for registering authentication strategies. The name you provide here will be available as ‘strategy_result.strategy_name` in your application code, making it easy to identify which strategy authenticated the current request.

Also available via Otto::Security::Configurator for consolidated security config.

Examples:

otto.add_auth_strategy('session', SessionStrategy.new(session_key: 'user_id'))
otto.add_auth_strategy('api_key', APIKeyStrategy.new)

Parameters:

  • name (String, Symbol)

    Strategy name (e.g., ‘session’, ‘api_key’, ‘jwt’)

  • strategy (AuthStrategy)

    Strategy instance

Raises:

  • (ArgumentError)

    if strategy name already registered



153
154
155
156
157
158
159
160
161
162
163
164
 
# File 'lib/otto/security/core.rb', line 153

def add_auth_strategy(name, strategy)
  ensure_not_frozen!
  # Ensure auth_config is initialized (handles edge case where it might be nil)
  @auth_config = { auth_strategies: {}, default_auth_strategy: 'noauth' } if @auth_config.nil?

  # Strict mode: Detect strategy name collisions
  if @auth_config[:auth_strategies].key?(name)
    raise ArgumentError, "Authentication strategy '#{name}' is already registered"
  end

  @auth_config[:auth_strategies][name] = strategy
end

#add_rate_limit_rule(name, options) ⇒ Object

Add a custom rate limiting rule.

Examples:

otto.add_rate_limit_rule('uploads', limit: 5, period: 300, condition: ->(req) { req.post? && req.path.include?('upload') })

Parameters:

  • name (String, Symbol)

    Rule name

  • options (Hash)

    Rule configuration

Options Hash (options):

  • :limit (Integer)

    Maximum requests

  • :period (Integer)

    Time period in seconds (default: 60)

  • :condition (Proc)

    Optional condition proc that receives request



62
63
64
65
 
# File 'lib/otto/security/core.rb', line 62

def add_rate_limit_rule(name, options)
  ensure_not_frozen!
  @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
end

#add_trusted_proxy(proxy) ⇒ Object

Add a trusted proxy server for accurate client IP detection. Only requests from trusted proxies will have their forwarded headers honored.

Examples:

otto.add_trusted_proxy('10.0.0.0/8')
otto.add_trusted_proxy(/^172\.16\./)

Parameters:

  • proxy (String, Regexp)

    IP address, CIDR range, or regex pattern



74
75
76
77
 
# File 'lib/otto/security/core.rb', line 74

def add_trusted_proxy(proxy)
  ensure_not_frozen!
  @security_config.add_trusted_proxy(proxy)
end

#enable_csp!(policy = "default-src 'self'") ⇒ Object

Enable Content Security Policy (CSP) header to prevent XSS attacks. The default policy only allows resources from the same origin.

Examples:

otto.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")

Parameters:

  • policy (String) (defaults to: "default-src 'self'")

    CSP policy string (default: “default-src ‘self’”)



112
113
114
115
 
# File 'lib/otto/security/core.rb', line 112

def enable_csp!(policy = "default-src 'self'")
  ensure_not_frozen!
  @security_config.enable_csp!(policy)
end

#enable_csp_with_nonce!(debug: false) ⇒ Object

Enable Content Security Policy (CSP) with nonce support for dynamic header generation. This enables the res.send_csp_headers response helper method.

Examples:

otto.enable_csp_with_nonce!(debug: true)

Parameters:

  • debug (Boolean) (defaults to: false)

    Enable debug logging for CSP headers (default: false)



133
134
135
136
 
# File 'lib/otto/security/core.rb', line 133

def enable_csp_with_nonce!(debug: false)
  ensure_not_frozen!
  @security_config.enable_csp_with_nonce!(debug: debug)
end

#enable_csrf_protection!Object

Enable CSRF protection for POST, PUT, DELETE, and PATCH requests. This will automatically add CSRF tokens to HTML forms and validate them on unsafe HTTP methods.

Examples:

otto.enable_csrf_protection!


16
17
18
19
20
21
22
 
# File 'lib/otto/security/core.rb', line 16

def enable_csrf_protection!
  ensure_not_frozen!
  return if @middleware.includes?(Otto::Security::Middleware::CSRFMiddleware)

  @security_config.enable_csrf_protection!
  use Otto::Security::Middleware::CSRFMiddleware
end

#enable_frame_protection!(option = 'SAMEORIGIN') ⇒ Object

Enable X-Frame-Options header to prevent clickjacking attacks.

Examples:

otto.enable_frame_protection!('DENY')

Parameters:

  • option (String) (defaults to: 'SAMEORIGIN')

    Frame options: ‘DENY’, ‘SAMEORIGIN’, or ‘ALLOW-FROM uri’



122
123
124
125
 
# File 'lib/otto/security/core.rb', line 122

def enable_frame_protection!(option = 'SAMEORIGIN')
  ensure_not_frozen!
  @security_config.enable_frame_protection!(option)
end

#enable_hsts!(max_age: 31_536_000, include_subdomains: true) ⇒ Object

Enable HTTP Strict Transport Security (HSTS) header. WARNING: This can make your domain inaccessible if HTTPS is not properly configured. Only enable this when you’re certain HTTPS is working correctly.

Examples:

otto.enable_hsts!(max_age: 86400, include_subdomains: false)

Parameters:

  • max_age (Integer) (defaults to: 31_536_000)

    Maximum age in seconds (default: 1 year)

  • include_subdomains (Boolean) (defaults to: true)

    Apply to all subdomains (default: true)



101
102
103
104
 
# File 'lib/otto/security/core.rb', line 101

def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
  ensure_not_frozen!
  @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
end

#enable_rate_limiting!(options = {}) ⇒ Object

Enable rate limiting to protect against abuse and DDoS attacks. This will automatically add rate limiting rules based on client IP.

Examples:

otto.enable_rate_limiting!(requests_per_minute: 50)

Parameters:

  • options (Hash) (defaults to: {})

    Rate limiting configuration options

Options Hash (options):

  • :requests_per_minute (Integer)

    Maximum requests per minute per IP (default: 100)

  • :custom_rules (Hash)

    Custom rate limiting rules



45
46
47
48
49
50
51
 
# File 'lib/otto/security/core.rb', line 45

def enable_rate_limiting!(options = {})
  ensure_not_frozen!
  return if @middleware.includes?(Otto::Security::Middleware::RateLimitMiddleware)

  @security.configure_rate_limiting(options)
  use Otto::Security::Middleware::RateLimitMiddleware
end

#enable_request_validation!Object

Enable request validation including input sanitization, size limits, and protection against XSS and SQL injection attacks.

Examples:

otto.enable_request_validation!


29
30
31
32
33
34
35
 
# File 'lib/otto/security/core.rb', line 29

def enable_request_validation!
  ensure_not_frozen!
  return if @middleware.includes?(Otto::Security::Middleware::ValidationMiddleware)

  @security_config.input_validation = true
  use Otto::Security::Middleware::ValidationMiddleware
end

#set_security_headers(headers) ⇒ Object

Set custom security headers that will be added to all responses. These merge with the default security headers.

Examples:

otto.set_security_headers({
  'content-security-policy' => "default-src 'self'",
  'strict-transport-security' => 'max-age=31536000'
})

Parameters:

  • headers (Hash)

    Hash of header name => value pairs



88
89
90
91
 
# File 'lib/otto/security/core.rb', line 88

def set_security_headers(headers)
  ensure_not_frozen!
  @security_config.security_headers.merge!(headers)
end