secure_headers 0.4.3 → 0.5.0



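--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,8 @@
+0.5.0
+======
+
+X-Content-Type-Options also applied to Chrome requests
+
 0.4.3
 ======
 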
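--- a/data/README.md
+++ b/data/README.md
@@ -3,7 +3,7 @@
 The gem will automatically apply several headers that are related to security. This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
-- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00)
+- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
 - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
 
@@ -101,7 +101,7 @@ header will be constructed using the supplied options.
 ### Widely supported
 
 ```ruby
-:hsts => {:max_age => 631138519, :include_subdomain => true}
+:hsts => {:max_age => 631138519, :include_subdomains => true}
 :x_frame_options => {:value => 'SAMEORIGIN'}
 :x_xss_protection => {:value => 1, :mode => false} # set the :mode option to 'block' to enforce the browser's xss filter
 ```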
@@ -2,7 +2,7 @@
2
2
  config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
3
3
  config.x_frame_options = 'SAMEORIGIN'
4
4
  config.x_content_type_options = "nosniff"
5
- config.x_xss_protection = {:value => 1, :mode => 'BLOCK'}
5
+ config.x_xss_protection = {:value => 1, :mode => 'block'}
6
6
  csp = {
7
7
  :default_src => "self",
8
8
  :disable_chrome_extension => true,
@@ -12,4 +12,4 @@
12
12
  }
13
13
 
14
14
  config.csp = csp
15
- end
15
+ end
@@ -7,14 +7,14 @@ describe OtherThingsController do
7
7
  request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
8
8
  end
9
9
 
10
- it "sets the X-XSS-PROTECTION header" do
10
+ it "sets the X-XSS-Protection header" do
11
11
  get :index
12
- response.headers['X-XSS-Protection'].should == '1; mode=BLOCK'
12
+ response.headers['X-XSS-Protection'].should == '1; mode=block'
13
13
  end
14
14
 
15
- it "sets the X-FRAME-OPTIONS header" do
15
+ it "sets the X-Frame-Options header" do
16
16
  get :index
17
- response.headers['X-FRAME-OPTIONS'].should == 'SAMEORIGIN'
17
+ response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
18
18
  end
19
19
 
20
20
  it "sets the X-WebKit-CSP header" do
@@ -23,14 +23,19 @@ describe OtherThingsController do
23
23
  end
24
24
 
25
25
  #mock ssl
26
- it "sets the STRICT-TRANSPORT-SECURITY header" do
26
+ it "sets the Strict-Transport-Security header" do
27
27
  request.env['HTTPS'] = 'on'
28
28
  get :index
29
29
  response.headers['Strict-Transport-Security'].should == "max-age=315576000"
30
30
  end
31
31
 
32
+ it "sets the X-Content-Type-Options header" do
33
+ get :index
34
+ response.headers['X-Content-Type-Options'].should == "nosniff"
35
+ end
36
+
32
37
  context "using IE" do
33
- it "sets the X-CONTENT-TYPE-OPTIONS header" do
38
+ it "sets the X-Content-Type-Options header" do
34
39
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
35
40
  get :index
36
41
  response.headers['X-Content-Type-Options'].should == "nosniff"
@@ -11,14 +11,14 @@ describe ThingsController do
11
11
  request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
12
12
  end
13
13
 
14
- it "sets the X-XSS-PROTECTION header" do
14
+ it "sets the X-XSS-Protection header" do
15
15
  get :index
16
- response.headers['X-XSS-Protection'].should == '1; mode=BLOCK'
16
+ response.headers['X-XSS-Protection'].should == '1; mode=block'
17
17
  end
18
18
 
19
- it "sets the X-FRAME-OPTIONS header" do
19
+ it "sets the X-Frame-Options header" do
20
20
  get :index
21
- response.headers['X-FRAME-OPTIONS'].should == 'SAMEORIGIN'
21
+ response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
22
22
  end
23
23
 
24
24
  it "sets the X-WebKit-CSP header" do
@@ -27,14 +27,19 @@ describe ThingsController do
27
27
  end
28
28
 
29
29
  #mock ssl
30
- it "sets the STRICT-TRANSPORT-SECURITY header" do
30
+ it "sets the Strict-Transport-Security header" do
31
31
  request.env['HTTPS'] = 'on'
32
32
  get :index
33
33
  response.headers['Strict-Transport-Security'].should == "max-age=315576000"
34
34
  end
35
35
 
36
+ it "sets the X-Content-Type-Options header" do
37
+ get :index
38
+ response.headers['X-Content-Type-Options'].should == "nosniff"
39
+ end
40
+
36
41
  context "using IE" do
37
- it "sets the X-CONTENT-TYPE-OPTIONS header" do
42
+ it "sets the X-Content-Type-Options header" do
38
43
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
39
44
  get :index
40
45
  response.headers['X-Content-Type-Options'].should == "nosniff"
@@ -44,4 +49,4 @@ describe ThingsController do
44
49
  end
45
50
 
46
51
 
47
- # response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
52
+ # response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
@@ -7,14 +7,14 @@ describe OtherThingsController do
7
7
  request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
8
8
  end
9
9
 
10
- it "sets the X-XSS-PROTECTION header" do
10
+ it "sets the X-XSS-Protection header" do
11
11
  get :index
12
12
  response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
13
13
  end
14
14
 
15
- it "sets the X-FRAME-OPTIONS header" do
15
+ it "sets the X-Frame-Options header" do
16
16
  get :index
17
- response.headers['X-FRAME-OPTIONS'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
17
+ response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
18
18
  end
19
19
 
20
20
  it "sets the X-WebKit-CSP header" do
@@ -23,17 +23,22 @@ describe OtherThingsController do
23
23
  end
24
24
 
25
25
  #mock ssl
26
- it "sets the STRICT-TRANSPORT-SECURITY header" do
26
+ it "sets the Strict-Transport-Security header" do
27
27
  request.env['HTTPS'] = 'on'
28
28
  get :index
29
29
  response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
30
30
  end
31
31
 
32
+ it "sets the X-Content-Type-Options header" do
33
+ get :index
34
+ response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
35
+ end
36
+
32
37
  context "using IE" do
33
- it "sets the X-CONTENT-TYPE-OPTIONS header" do
38
+ it "sets the X-Content-Type-Options header" do
34
39
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
35
40
  get :index
36
- response.headers['X-Content-Type-Options'].should == "nosniff"
41
+ response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
37
42
  end
38
43
  end
39
44
  end
@@ -11,14 +11,14 @@ describe ThingsController do
11
11
  request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
12
12
  end
13
13
 
14
- it "sets the X-XSS-PROTECTION header" do
14
+ it "sets the X-XSS-Protection header" do
15
15
  get :index
16
16
  response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
17
17
  end
18
18
 
19
- it "sets the X-FRAME-OPTIONS header" do
19
+ it "sets the X-Frame-Options header" do
20
20
  get :index
21
- response.headers['X-FRAME-OPTIONS'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
21
+ response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
22
22
  end
23
23
 
24
24
  it "sets the X-WebKit-CSP header" do
@@ -27,17 +27,22 @@ describe ThingsController do
27
27
  end
28
28
 
29
29
  #mock ssl
30
- it "sets the STRICT-TRANSPORT-SECURITY header" do
30
+ it "sets the Strict-Transport-Security header" do
31
31
  request.env['HTTPS'] = 'on'
32
32
  get :index
33
33
  response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
34
34
  end
35
35
 
36
+ it "sets the X-Content-Type-Options header" do
37
+ get :index
38
+ response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
39
+ end
40
+
36
41
  context "using IE" do
37
- it "sets the X-CONTENT-TYPE-OPTIONS header" do
42
+ it "sets the X-Content-Type-Options header" do
38
43
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
39
44
  get :index
40
- response.headers['X-Content-Type-Options'].should == "nosniff"
45
+ response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
41
46
  end
42
47
  end
43
48
  end
@@ -85,7 +85,7 @@ module SecureHeaders
85
85
  end
86
86
 
87
87
  def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
88
- return unless brwsr.ie?
88
+ return unless brwsr.ie? || brwsr.chrome?
89
89
  set_a_header(:x_content_type_options, XContentTypeOptions, options)
90
90
  end
91
91
 
@@ -113,7 +113,6 @@ module SecureHeaders
113
113
  end
114
114
 
115
115
  def broken_implementation?(browser)
116
- #IOS 5 sometimes refuses to load external resources even when whitelisted with CSP
117
116
  return browser.ios5? || (browser.safari? && browser.version == 5)
118
117
  end
119
118
  end
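Review bot: The guard `return unless brwsr.ie? || brwsr.chrome?` still decides X-Content-Type-Options by User-Agent sniffing, so any browser not matched by those two predicates never receives `nosniff`, and a client presenting an unrecognised User-Agent string simply opts out of the protection. Browsers that do not implement the header ignore it, so the safer form is to drop the guard and always run `set_a_header(:x_content_type_options, XContentTypeOptions, options)`; if the gate is intentional, a comment on that line saying why would help, since the README lists the header without any browser qualification. In the second hunk, deleting `#IOS 5 sometimes refuses to load external resources even when whitelisted with CSP` leaves `broken_implementation?` with no record of why ios5 and Safari 5 are excluded; I would keep that comment above the return. Both methods' enclosing module continues outside the hunks.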
@@ -2,9 +2,9 @@ module SecureHeaders
2
2
  class XFOBuildError < StandardError; end
3
3
  class XFrameOptions
4
4
  module Constants
5
- XFO_HEADER_NAME = "X-FRAME-OPTIONS"
5
+ XFO_HEADER_NAME = "X-Frame-Options"
6
6
  DEFAULT_VALUE = 'SAMEORIGIN'
7
- VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM:)/i
7
+ VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s])/i
8
8
  end
9
9
  include Constants
10
10
 
@@ -37,4 +37,4 @@ module SecureHeaders
37
37
  end
38
38
  end
39
39
  end
40
- end
40
+ end
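Review bot: `VALID_XFO_HEADER` anchors `SAMEORIGIN` and `DENY` with `\z`, but the `ALLOW-FROM[:\s]` alternative is open-ended, so `ALLOW-FROM:` with nothing after it, or an origin followed by arbitrary trailing text, passes validation and is emitted as-is. As I read draft-02 (the revision the README hunk now links), the directive is `ALLOW-FROM` followed by whitespace and a single serialized origin, so a closer check is `VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s]+\S+\z)/i`, and the colon spelling deserves a comment if it is kept for compatibility. The value comes from application configuration rather than the request, so the exposure is a silently accepted misconfiguration rather than injection, which is exactly what this constant exists to catch. The rest of the class is outside the hunks.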
@@ -1,6 +1,5 @@
1
1
  module SecureHeaders
2
2
  class XXssProtectionBuildError < StandardError; end
3
- # IE only
4
3
  class XXssProtection
5
4
  module Constants
6
5
  X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
@@ -51,4 +50,4 @@ module SecureHeaders
51
50
  end
52
51
  end
53
52
  end
54
- end
53
+ end
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "0.4.3"
2
+ VERSION = "0.5.0"
3
3
  end
@@ -5,32 +5,11 @@ module SecureHeaders
5
5
  specify{ StrictTransportSecurity.new.name.should == "Strict-Transport-Security" }
6
6
 
7
7
  describe "#value" do
8
- it "sets Strict Transport Security headers" do
9
- s = StrictTransportSecurity.new
10
- s.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE
11
- end
12
-
13
- it "allows you to specify includeSubdomains" do
14
- s = StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
15
- s.value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"
16
- end
17
-
18
- it "accepts a string value and returns verbatim" do
19
- s = StrictTransportSecurity.new('max-age=1234')
20
- s.value.should == "max-age=1234"
21
- end
22
-
23
- it "allows you to specify max-age" do
24
- age = '8675309'
25
- s = StrictTransportSecurity.new(:max_age => age)
26
- s.value.should == "max-age=#{age}"
27
- end
28
-
29
- it "allows you to specify max-age as a Fixnum" do
30
- age = 8675309
31
- s = StrictTransportSecurity.new(:max_age => age)
32
- s.value.should == "max-age=#{age}"
33
- end
8
+ specify { StrictTransportSecurity.new.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE}
9
+ specify { StrictTransportSecurity.new("max-age=1234").value.should == "max-age=1234"}
10
+ specify { StrictTransportSecurity.new(:max_age => '1234').value.should == "max-age=1234"}
11
+ specify { StrictTransportSecurity.new(:max_age => 1234).value.should == "max-age=1234"}
12
+ specify { StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"}
34
13
 
35
14
  context "with an invalid configuration" do
36
15
  context "with a hash argument" do
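Review bot: Collapsing the five named `it` examples into unlabeled `specify` one-liners (new lines 8–12) removes the descriptions, so a failure now reports only a file and line instead of which contract broke (string pass-through, Integer max-age, includeSubdomains). Keeping `it "allows you to specify max-age as a Fixnum" do … end` style labels, or passing a description string to `specify`, preserves the same assertions with readable output. The describe block continues outside the hunk.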
@@ -2,7 +2,7 @@ require 'spec_helper'
2
2
 
3
3
  module SecureHeaders
4
4
  describe XFrameOptions do
5
- specify{ XFrameOptions.new.name.should == "X-FRAME-OPTIONS" }
5
+ specify{ XFrameOptions.new.name.should == "X-Frame-Options" }
6
6
 
7
7
  describe "#value" do
8
8
  specify { XFrameOptions.new.value.should == XFrameOptions::Constants::DEFAULT_VALUE}
@@ -80,10 +80,8 @@ describe SecureHeaders do
80
80
  it "sets all default headers for #{name} (smoke test)" do
81
81
  stub_user_agent(useragent)
82
82
  number_of_headers = case name
83
- when :ie
83
+ when :ie, :chrome
84
84
  5
85
- when :opera
86
- 4
87
85
  when :ios5, :safari5
88
86
  3 # csp breaks these browsers
89
87
  else
@@ -99,29 +97,28 @@ describe SecureHeaders do
99
97
  end
100
98
  end
101
99
 
102
- it "does not set the X-Content-Type-Options when disabled" do
100
+ it "does not set the X-Content-Type-Options header if disabled" do
103
101
  stub_user_agent(USER_AGENTS[:ie])
104
102
  should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)
105
103
  subject.set_x_content_type_options_header(false)
106
104
  end
107
105
 
108
- it "does not set the X-XSS-PROTECTION when disabled" do
109
- stub_user_agent(USER_AGENTS[:ie])
106
+ it "does not set the X-XSS-Protection header if disabled" do
110
107
  should_not_assign_header(X_XSS_PROTECTION_HEADER_NAME)
111
108
  subject.set_x_xss_protection_header(false)
112
109
  end
113
110
 
114
- it "does not set the X-FRAME-OPTIONS header if disabled" do
111
+ it "does not set the X-Frame-Options header if disabled" do
115
112
  should_not_assign_header(XFO_HEADER_NAME)
116
113
  subject.set_x_frame_options_header(false)
117
114
  end
118
115
 
119
- it "does not set the hsts header if disabled" do
116
+ it "does not set the HSTS header if disabled" do
120
117
  should_not_assign_header(HSTS_HEADER_NAME)
121
118
  subject.set_hsts_header(false)
122
119
  end
123
120
 
124
- it "does not set the hsts header the request is over HTTP" do
121
+ it "does not set the HSTS header if request is over HTTP" do
125
122
  subject.stub_chain(:request, :ssl?).and_return(false)
126
123
  should_not_assign_header(HSTS_HEADER_NAME)
127
124
  subject.set_hsts_header({:include_subdomains => true})
@@ -142,7 +139,7 @@ describe SecureHeaders do
142
139
  end
143
140
 
144
141
  context "when disabled by configuration settings" do
145
- it "does not set the X-Content-Type-Options when disabled" do
142
+ it "does not set any headers when disabled" do
146
143
  ::SecureHeaders::Configuration.configure do |config|
147
144
  config.hsts = false
148
145
  config.x_frame_options = false
@@ -158,48 +155,67 @@ describe SecureHeaders do
158
155
  end
159
156
 
160
157
  describe "#set_x_frame_options_header" do
161
- it "sets the X-FRAME-OPTIONS header" do
158
+ it "sets the X-Frame-Options header" do
162
159
  should_assign_header(XFO_HEADER_NAME, SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
163
160
  subject.set_x_frame_options_header
164
161
  end
165
162
 
166
- it "allows a custom X-FRAME-OPTIONS header" do
163
+ it "allows a custom X-Frame-Options header" do
167
164
  should_assign_header(XFO_HEADER_NAME, "DENY")
168
165
  subject.set_x_frame_options_header(:value => 'DENY')
169
166
  end
170
167
  end
171
168
 
172
- context "when using IE" do
173
- before(:each) do
174
- stub_user_agent(USER_AGENTS[:ie])
169
+ describe "#set_strict_transport_security" do
170
+ it "sets the Strict-Transport-Security header" do
171
+ should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
172
+ subject.set_hsts_header
175
173
  end
176
174
 
177
- describe "#set_x_xss_protection" do
178
- it "sets the XSS protection header" do
179
- should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1')
180
- subject.set_x_xss_protection_header
181
- end
175
+ it "allows you to specific a custom max-age value" do
176
+ should_assign_header(HSTS_HEADER_NAME, 'max-age=1234')
177
+ subject.set_hsts_header(:max_age => 1234)
178
+ end
182
179
 
183
- it "sets a custom X-XSS-PROTECTION header" do
184
- should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
185
- subject.set_x_xss_protection_header("0")
186
- end
180
+ it "allows you to specify includeSubdomains" do
181
+ should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
182
+ subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
183
+ end
184
+ end
187
185
 
188
- it "sets the block flag" do
189
- should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
190
- subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
191
- end
186
+ describe "#set_x_xss_protection" do
187
+ it "sets the X-XSS-Protection header" do
188
+ should_assign_header(X_XSS_PROTECTION_HEADER_NAME, SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
189
+ subject.set_x_xss_protection_header
192
190
  end
193
191
 
194
- describe "#set_x_content_type_options" do
195
- it "sets the X-Content-Type-Options" do
196
- should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
197
- subject.set_x_content_type_options_header
198
- end
192
+ it "sets a custom X-XSS-Protection header" do
193
+ should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
194
+ subject.set_x_xss_protection_header("0")
195
+ end
196
+
197
+ it "sets the block flag" do
198
+ should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
199
+ subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
200
+ end
201
+ end
199
202
 
200
- it "lets you override X-Content-Type-Options" do
201
- should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
202
- subject.set_x_content_type_options_header(:value => 'nosniff')
203
+ describe "#set_x_content_type_options" do
204
+ [:ie, :chrome].each do |useragent|
205
+ context "when using #{useragent}" do
206
+ before(:each) do
207
+ stub_user_agent(USER_AGENTS[useragent])
208
+ end
209
+
210
+ it "sets the X-Content-Type-Options header" do
211
+ should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
212
+ subject.set_x_content_type_options_header
213
+ end
214
+
215
+ it "lets you override X-Content-Type-Options" do
216
+ should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
217
+ subject.set_x_content_type_options_header(:value => 'nosniff')
218
+ end
203
219
  end
204
220
  end
205
221
  end
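Review bot: The new `#set_x_content_type_options` block exercises only `:ie` and `:chrome`, the two agents the gate admits, and nothing asserts that the header is withheld for any other user agent, so the negative half of `brwsr.ie? || brwsr.chrome?` is untested and a regression in either direction would pass. A sibling context that stubs a non-IE/Chrome entry of `USER_AGENTS` and runs `should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)` before `subject.set_x_content_type_options_header` would cover it (or a `should_assign_header` expectation if the gate is meant to go away). In the smoke-test hunk the `when :opera` branch returning 4 was dropped, so Opera now takes the `else` count, which lies outside the hunk; worth confirming that is the intended number. The describe block continues outside the hunks.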
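--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 0.4.3
+version: 0.5.0
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-05-07 00:00:00.000000000 Z
+date: 2013-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: brwsr
@@ -190,7 +190,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
 summary: Add easily configured browser headers to responses including content security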