Skip to content

Commit 7583e5f

Browse files
ioquatixioquatix
committed
Bump minor version.
1 parent e51e16f commit 7583e5f

File tree

5 files changed

+111
-7
lines changed

5 files changed

+111
-7
lines changed

context/headers.md

Lines changed: 94 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
# Headers
2+
3+
This guide explains how to work with HTTP headers using `protocol-http`.
4+
5+
## Core Concepts
6+
7+
`protocol-http` provides several core concepts for working with HTTP headers:
8+
9+
- A {ruby Protocol::HTTP::Headers} class which represents a collection of HTTP headers with built-in security and policy features.
10+
- Header-specific classes like {ruby Protocol::HTTP::Header::Accept} and {ruby Protocol::HTTP::Header::Authorization} which provide specialized parsing and formatting.
11+
- Trailer security validation to prevent HTTP request smuggling attacks.
12+
13+
## Usage
14+
15+
The {Protocol::HTTP::Headers} class provides a comprehensive interface for creating and manipulating HTTP headers:
16+
17+
```ruby
18+
require 'protocol/http'
19+
20+
headers = Protocol::HTTP::Headers.new
21+
headers.add('content-type', 'text/html')
22+
headers.add('set-cookie', 'session=abc123')
23+
24+
# Access headers
25+
content_type = headers['content-type'] # => "text/html"
26+
27+
# Check if header exists
28+
headers.include?('content-type') # => true
29+
```
30+
31+
### Header Policies
32+
33+
Different header types have different behaviors for merging, validation, and trailer handling:
34+
35+
```ruby
36+
# Some headers can be specified multiple times
37+
headers.add('set-cookie', 'first=value1')
38+
headers.add('set-cookie', 'second=value2')
39+
40+
# Others are singletons and will raise errors if duplicated
41+
headers.add('content-length', '100')
42+
# headers.add('content-length', '200') # Would raise DuplicateHeaderError
43+
```
44+
45+
### Structured Headers
46+
47+
Some headers have specialized classes for parsing and formatting:
48+
49+
```ruby
50+
# Accept header with media ranges
51+
accept = Protocol::HTTP::Header::Accept.new('text/html,application/json;q=0.9')
52+
media_ranges = accept.media_ranges
53+
54+
# Authorization header
55+
auth = Protocol::HTTP::Header::Authorization.basic('username', 'password')
56+
# => "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
57+
```
58+
59+
### Trailer Security
60+
61+
HTTP trailers are headers that appear after the message body. For security reasons, only certain headers are allowed in trailers:
62+
63+
```ruby
64+
# Working with trailers
65+
headers = Protocol::HTTP::Headers.new([
66+
['content-type', 'text/html'],
67+
['content-length', '1000']
68+
])
69+
70+
# Start trailer section
71+
headers.trailer!
72+
73+
# These will be allowed (safe metadata)
74+
headers.add('etag', '"12345"')
75+
headers.add('date', Time.now.httpdate)
76+
77+
# These will be silently ignored for security
78+
headers.add('authorization', 'Bearer token') # Ignored - credential leakage risk
79+
headers.add('connection', 'close') # Ignored - hop-by-hop header
80+
```
81+
82+
The trailer security system prevents HTTP request smuggling by restricting which headers can appear in trailers:
83+
84+
**Allowed headers** (return `true` for `trailer?`):
85+
- `date` - Response generation timestamps.
86+
- `digest` - Content integrity verification.
87+
- `etag` - Cache validation tags.
88+
- `server-timing` - Performance metrics.
89+
90+
**Forbidden headers** (return `false` for `trailer?`):
91+
- `authorization` - Prevents credential leakage.
92+
- `connection`, `te`, `transfer-encoding` - Hop-by-hop headers that control connection behavior.
93+
- `cookie`, `set-cookie` - State information needed during initial processing.
94+
- `accept` - Content negotiation must occur before response generation.

context/index.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,9 @@ files:
1414
title: Message Body
1515
description: This guide explains how to work with HTTP request and response message
1616
bodies using `Protocol::HTTP::Body` classes.
17+
- path: headers.md
18+
title: Headers
19+
description: This guide explains how to work with HTTP headers using `protocol-http`.
1720
- path: middleware.md
1821
title: Middleware
1922
description: This guide explains how to build and use HTTP middleware with `Protocol::HTTP::Middleware`.

lib/protocol/http/version.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,6 @@
55

66
module Protocol
77
module HTTP
8-
VERSION = "0.53.0"
8+
VERSION = "0.54.0"
99
end
1010
end

readme.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@ Please see the [project documentation](https://socketry.github.io/protocol-http/
1818

1919
- [Message Body](https://socketry.github.io/protocol-http/guides/message-body/index) - This guide explains how to work with HTTP request and response message bodies using `Protocol::HTTP::Body` classes.
2020

21+
- [Headers](https://socketry.github.io/protocol-http/guides/headers/index) - This guide explains how to work with HTTP headers using `protocol-http`.
22+
2123
- [Middleware](https://socketry.github.io/protocol-http/guides/middleware/index) - This guide explains how to build and use HTTP middleware with `Protocol::HTTP::Middleware`.
2224

2325
- [Hypertext References](https://socketry.github.io/protocol-http/guides/hypertext-references/index) - This guide explains how to use `Protocol::HTTP::Reference` for constructing and manipulating hypertext references (URLs with parameters).
@@ -32,6 +34,11 @@ Please see the [project documentation](https://socketry.github.io/protocol-http/
3234

3335
Please see the [project releases](https://socketry.github.io/protocol-http/releases/index) for all releases.
3436

37+
### v0.54.0
38+
39+
- Introduce rich support for `Header::Digest`, `Header::ServerTiming`, `Header::TE`, `Header::Trailer` and `Header::TransferEncoding`.
40+
- [Improved HTTP Trailer Security](https://socketry.github.io/protocol-http/releases/index#improved-http-trailer-security)
41+
3542
### v0.53.0
3643

3744
- Improve consistency of Body `#inspect`.

releases.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Releases
22

3-
## Unreleased
3+
## v0.54.0
44

55
- Introduce rich support for `Header::Digest`, `Header::ServerTiming`, `Header::TE`, `Header::Trailer` and `Header::TransferEncoding`.
66

@@ -10,15 +10,15 @@ This release introduces significant security improvements for HTTP trailer handl
1010

1111
- **Security-by-default**: HTTP trailers are now validated and restricted by default to prevent HTTP request smuggling attacks.
1212
- Only safe headers are permitted in trailers:
13-
- `date` - Response generation timestamps (safe metadata)
14-
- `digest` - Content integrity verification (safe metadata)
15-
- `etag` - Cache validation tags (safe metadata)
16-
- `server-timing` - Performance metrics (safe metadata)
13+
- `date` - Response generation timestamps (safe metadata)
14+
- `digest` - Content integrity verification (safe metadata)
15+
- `etag` - Cache validation tags (safe metadata)
16+
- `server-timing` - Performance metrics (safe metadata)
1717
- All other trailers are ignored by default.
1818

1919
If you are using this library for gRPC, you will need to use a custom policy to allow the `grpc-status` and `grpc-message` trailers:
2020

21-
```ruby
21+
``` ruby
2222
module GRPCStatus
2323
def self.new(value)
2424
Integer(value)

0 commit comments

Comments
 (0)