Class: Otto::Response

Inherits:

Rack::Response

• Object
• Rack::Response
• Otto::Response

Defined in:

lib/otto/response.rb

Overview

Otto’s enhanced Rack::Response class with built-in helpers

This class extends Rack::Response with Otto’s framework helpers for HTTP response handling, cookie management, CSP headers, and security. Projects can register additional helpers via Otto#register_response_helpers.

Examples:

Using Otto’s response in route handlers

def show(req, res)
  res.send_secure_cookie('session_id', token, 3600)
  res.send_csp_headers('text/html', nonce)
  res.no_cache!
end

See Also:

• #register_response_helpers

Instance Attribute Summary

• #request ⇒ Otto::Request

  Reference to the request object (needed by some response helpers).

Instance Method Summary

• #app_path(*paths) ⇒ String

  Build application path by joining path segments.

• #cookie_security_headers ⇒ Object
• #no_cache! ⇒ void

  Set cache control headers to prevent caching.

• #send_csp_headers(content_type, nonce, opts = {}) ⇒ void

  Set Content Security Policy (CSP) headers with nonce support.

• #send_secure_cookie(name, value, ttl, opts = {}) ⇒ Object
• #send_session_cookie(name, value, opts = {}) ⇒ Object

Instance Attribute Details

#request ⇒ Otto::Request

Reference to the request object (needed by some response helpers)

Returns:

• (Otto::Request)

# File 'lib/otto/response.rb', line 25

def request
  @request
end

Instance Method Details

#app_path(*paths) ⇒ String

Build application path by joining path segments

This method safely joins multiple path segments, handling duplicate slashes and ensuring proper path formatting. Includes the script name (mount point) as the first segment.

Examples:

app_path('api', 'v1', 'users')
# => "/myapp/api/v1/users"

app_path(['admin', 'settings'])
# => "/myapp/admin/settings"

Parameters:

• paths (Array<String>) —

  Path segments to join

Returns:

• (String) —

  Properly formatted path

# File 'lib/otto/response.rb', line 185

def app_path(*paths)
  paths = paths.flatten.compact
  paths.unshift(request.env['SCRIPT_NAME']) if request&.env&.[]('SCRIPT_NAME')
  paths.join('/').gsub('//', '/')
end

#cookie_security_headers ⇒ Object

# File 'lib/otto/response.rb', line 81

def cookie_security_headers
  # Add security headers that complement cookie security
  headers = {}

  # Prevent MIME type sniffing
  headers['x-content-type-options'] = 'nosniff'

  # Add referrer policy
  headers['referrer-policy'] = 'strict-origin-when-cross-origin'

  # Add frame options
  headers['x-frame-options'] = 'DENY'

  # Add XSS protection
  headers['x-xss-protection'] = '1; mode=block'

  headers
end

#no_cache! ⇒ void

This method returns an undefined value.

Set cache control headers to prevent caching

This method sets comprehensive cache control headers to ensure that the response is not cached by browsers, proxies, or CDNs. This is particularly useful for sensitive pages or dynamic content that should always be fresh.

Examples:

res.no_cache!

# File 'lib/otto/response.rb', line 163

def no_cache!
  headers['cache-control'] = 'no-store, no-cache, must-revalidate, max-age=0'
  headers['expires']       = 'Mon, 7 Nov 2011 00:00:00 UTC'
  headers['pragma']        = 'no-cache'
end

#send_csp_headers(content_type, nonce, opts = {}) ⇒ void

This method returns an undefined value.

Set Content Security Policy (CSP) headers with nonce support

This method generates and sets CSP headers with the provided nonce value, following the same usage pattern as send_cookie methods. The CSP policy is generated dynamically based on the security configuration and environment.

Examples:

Basic usage

nonce = SecureRandom.base64(16)
res.send_csp_headers('text/html; charset=utf-8', nonce)

With options

res.send_csp_headers('text/html; charset=utf-8', nonce, {
  development_mode: Rails.env.development?,
  debug: true
})

Parameters:

• content_type (String) —

  Content-Type header value to set

• nonce (String) —

  Nonce value to include in CSP directives

• opts (Hash) (defaults to: {}) —

  Options for CSP generation

Options Hash (opts):

• :security_config (Otto::Security::Config) —

  Security config to use

• :development_mode (Boolean) —

  Use development-friendly CSP directives

• :debug (Boolean) —

  Enable debug logging for this request

# File 'lib/otto/response.rb', line 123

def send_csp_headers(content_type, nonce, opts = {})
  # Set content type if not already set
  headers['content-type'] ||= content_type

  # Warn if CSP header already exists but don't skip
  warn 'CSP header already set, overriding with nonce-based policy' if headers['content-security-policy']

  # Get security configuration
  security_config = opts[:security_config] ||
                    (request&.env && request.env['otto.security_config']) ||
                    nil

  # Skip if CSP nonce support is not enabled
  return unless security_config&.csp_nonce_enabled?

  # Generate CSP policy with nonce
  development_mode = opts[:development_mode] || false
  csp_policy       = security_config.generate_nonce_csp(nonce, development_mode: development_mode)

  # Debug logging if enabled
  debug_enabled = opts[:debug] || security_config.debug_csp?
  if debug_enabled && defined?(Otto.logger)
    Otto.logger.debug "[CSP] #{csp_policy}"
  end

  # Set the CSP header
  headers['content-security-policy'] = csp_policy
end

#send_secure_cookie(name, value, ttl, opts = {}) ⇒ Object

# File 'lib/otto/response.rb', line 27

def send_secure_cookie(name, value, ttl, opts = {})
  # Default security options
  defaults = {
       secure: true,
     httponly: true,
    same_site: :strict,
         path: '/',
  }

  # Merge with provided options
  cookie_opts = defaults.merge(opts)

  # Set expiration using max-age (preferred) and expires (fallback)
  if ttl&.positive?
    cookie_opts[:max_age] = ttl
    cookie_opts[:expires] = (Time.now.utc + ttl + 10)
  elsif ttl&.negative?
    # For deletion, set both to past date
    cookie_opts[:max_age] = 0
    cookie_opts[:expires] = Time.now.utc - 86_400
  end

  # Set the cookie value
  cookie_opts[:value] = value

  # Validate SameSite attribute
  valid_same_site         = [:strict, :lax, :none, 'Strict', 'Lax', 'None']
  cookie_opts[:same_site] = :strict unless valid_same_site.include?(cookie_opts[:same_site])

  # If SameSite=None, Secure must be true
  cookie_opts[:secure] = true if cookie_opts[:same_site].to_s.downcase == 'none'

  set_cookie name, cookie_opts
end

#send_session_cookie(name, value, opts = {}) ⇒ Object

# File 'lib/otto/response.rb', line 62

def send_session_cookie(name, value, opts = {})
  # Session cookies don't have expiration
  session_opts = opts.merge(
    secure: true,
    httponly: true,
    samesite: :strict
  )

  # Remove expiration-related options for session cookies
  session_opts.delete(:max_age)
  session_opts.delete(:expires)

  # Adjust secure flag for local development
  session_opts[:secure] = false if request.local?

  session_opts[:value] = value
  set_cookie name, session_opts
end