secure_headers 0.4.3 → 0.5.0
- data/HISTORY.md +5 -0
- data/README.md +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -2
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +11 -6
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +12 -7
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +11 -6
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +11 -6
- data/lib/secure_headers.rb +1 -2
- data/lib/secure_headers/headers/x_frame_options.rb +3 -3
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -2
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -26
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +1 -1
- data/spec/lib/secure_headers_spec.rb +52 -36
- metadata +3 -3
data/HISTORY.md
CHANGED
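--- a/data/README.md
+++ b/data/README.md
@@ -3,7 +3,7 @@
 The gem will automatically apply several headers that are related to security. This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
-- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-
+- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
 - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
 
@@ -101,7 +101,7 @@ header will be constructed using the supplied options.
 ### Widely supported
 
 ```ruby
-:hsts => {:max_age => 631138519, :
+:hsts => {:max_age => 631138519, :include_subdomains => true}
 :x_frame_options => {:value => 'SAMEORIGIN'}
 :x_xss_protection => {:value => 1, :mode => false} # set the :mode option to 'block' to enforce the browser's xss filter
 ```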
@@ -2,7 +2,7 @@
|
|
2
2
|
config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
|
3
3
|
config.x_frame_options = 'SAMEORIGIN'
|
4
4
|
config.x_content_type_options = "nosniff"
|
5
|
-
config.x_xss_protection = {:value => 1, :mode => '
|
5
|
+
config.x_xss_protection = {:value => 1, :mode => 'block'}
|
6
6
|
csp = {
|
7
7
|
:default_src => "self",
|
8
8
|
:disable_chrome_extension => true,
|
@@ -12,4 +12,4 @@
|
|
12
12
|
}
|
13
13
|
|
14
14
|
config.csp = csp
|
15
|
-
end
|
15
|
+
end
|
@@ -7,14 +7,14 @@ describe OtherThingsController do
|
|
7
7
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
8
8
|
end
|
9
9
|
|
10
|
-
it "sets the X-XSS-
|
10
|
+
it "sets the X-XSS-Protection header" do
|
11
11
|
get :index
|
12
|
-
response.headers['X-XSS-Protection'].should == '1; mode=
|
12
|
+
response.headers['X-XSS-Protection'].should == '1; mode=block'
|
13
13
|
end
|
14
14
|
|
15
|
-
it "sets the X-
|
15
|
+
it "sets the X-Frame-Options header" do
|
16
16
|
get :index
|
17
|
-
response.headers['X-
|
17
|
+
response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
|
18
18
|
end
|
19
19
|
|
20
20
|
it "sets the X-WebKit-CSP header" do
|
@@ -23,14 +23,19 @@ describe OtherThingsController do
|
|
23
23
|
end
|
24
24
|
|
25
25
|
#mock ssl
|
26
|
-
it "sets the
|
26
|
+
it "sets the Strict-Transport-Security header" do
|
27
27
|
request.env['HTTPS'] = 'on'
|
28
28
|
get :index
|
29
29
|
response.headers['Strict-Transport-Security'].should == "max-age=315576000"
|
30
30
|
end
|
31
31
|
|
32
|
+
it "sets the X-Content-Type-Options header" do
|
33
|
+
get :index
|
34
|
+
response.headers['X-Content-Type-Options'].should == "nosniff"
|
35
|
+
end
|
36
|
+
|
32
37
|
context "using IE" do
|
33
|
-
it "sets the X-
|
38
|
+
it "sets the X-Content-Type-Options header" do
|
34
39
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
35
40
|
get :index
|
36
41
|
response.headers['X-Content-Type-Options'].should == "nosniff"
|
@@ -11,14 +11,14 @@ describe ThingsController do
|
|
11
11
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
12
12
|
end
|
13
13
|
|
14
|
-
it "sets the X-XSS-
|
14
|
+
it "sets the X-XSS-Protection header" do
|
15
15
|
get :index
|
16
|
-
response.headers['X-XSS-Protection'].should == '1; mode=
|
16
|
+
response.headers['X-XSS-Protection'].should == '1; mode=block'
|
17
17
|
end
|
18
18
|
|
19
|
-
it "sets the X-
|
19
|
+
it "sets the X-Frame-Options header" do
|
20
20
|
get :index
|
21
|
-
response.headers['X-
|
21
|
+
response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
|
22
22
|
end
|
23
23
|
|
24
24
|
it "sets the X-WebKit-CSP header" do
|
@@ -27,14 +27,19 @@ describe ThingsController do
|
|
27
27
|
end
|
28
28
|
|
29
29
|
#mock ssl
|
30
|
-
it "sets the
|
30
|
+
it "sets the Strict-Transport-Security header" do
|
31
31
|
request.env['HTTPS'] = 'on'
|
32
32
|
get :index
|
33
33
|
response.headers['Strict-Transport-Security'].should == "max-age=315576000"
|
34
34
|
end
|
35
35
|
|
36
|
+
it "sets the X-Content-Type-Options header" do
|
37
|
+
get :index
|
38
|
+
response.headers['X-Content-Type-Options'].should == "nosniff"
|
39
|
+
end
|
40
|
+
|
36
41
|
context "using IE" do
|
37
|
-
it "sets the X-
|
42
|
+
it "sets the X-Content-Type-Options header" do
|
38
43
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
39
44
|
get :index
|
40
45
|
response.headers['X-Content-Type-Options'].should == "nosniff"
|
@@ -44,4 +49,4 @@ describe ThingsController do
|
|
44
49
|
end
|
45
50
|
|
46
51
|
|
47
|
-
# response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
|
52
|
+
# response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
|
@@ -7,14 +7,14 @@ describe OtherThingsController do
|
|
7
7
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
8
8
|
end
|
9
9
|
|
10
|
-
it "sets the X-XSS-
|
10
|
+
it "sets the X-XSS-Protection header" do
|
11
11
|
get :index
|
12
12
|
response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
|
13
13
|
end
|
14
14
|
|
15
|
-
it "sets the X-
|
15
|
+
it "sets the X-Frame-Options header" do
|
16
16
|
get :index
|
17
|
-
response.headers['X-
|
17
|
+
response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
|
18
18
|
end
|
19
19
|
|
20
20
|
it "sets the X-WebKit-CSP header" do
|
@@ -23,17 +23,22 @@ describe OtherThingsController do
|
|
23
23
|
end
|
24
24
|
|
25
25
|
#mock ssl
|
26
|
-
it "sets the
|
26
|
+
it "sets the Strict-Transport-Security header" do
|
27
27
|
request.env['HTTPS'] = 'on'
|
28
28
|
get :index
|
29
29
|
response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
|
30
30
|
end
|
31
31
|
|
32
|
+
it "sets the X-Content-Type-Options header" do
|
33
|
+
get :index
|
34
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
35
|
+
end
|
36
|
+
|
32
37
|
context "using IE" do
|
33
|
-
it "sets the X-
|
38
|
+
it "sets the X-Content-Type-Options header" do
|
34
39
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
35
40
|
get :index
|
36
|
-
response.headers['X-Content-Type-Options'].should ==
|
41
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
37
42
|
end
|
38
43
|
end
|
39
44
|
end
|
@@ -11,14 +11,14 @@ describe ThingsController do
|
|
11
11
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
12
12
|
end
|
13
13
|
|
14
|
-
it "sets the X-XSS-
|
14
|
+
it "sets the X-XSS-Protection header" do
|
15
15
|
get :index
|
16
16
|
response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
|
17
17
|
end
|
18
18
|
|
19
|
-
it "sets the X-
|
19
|
+
it "sets the X-Frame-Options header" do
|
20
20
|
get :index
|
21
|
-
response.headers['X-
|
21
|
+
response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
|
22
22
|
end
|
23
23
|
|
24
24
|
it "sets the X-WebKit-CSP header" do
|
@@ -27,17 +27,22 @@ describe ThingsController do
|
|
27
27
|
end
|
28
28
|
|
29
29
|
#mock ssl
|
30
|
-
it "sets the
|
30
|
+
it "sets the Strict-Transport-Security header" do
|
31
31
|
request.env['HTTPS'] = 'on'
|
32
32
|
get :index
|
33
33
|
response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
|
34
34
|
end
|
35
35
|
|
36
|
+
it "sets the X-Content-Type-Options header" do
|
37
|
+
get :index
|
38
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
39
|
+
end
|
40
|
+
|
36
41
|
context "using IE" do
|
37
|
-
it "sets the X-
|
42
|
+
it "sets the X-Content-Type-Options header" do
|
38
43
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
39
44
|
get :index
|
40
|
-
response.headers['X-Content-Type-Options'].should ==
|
45
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
41
46
|
end
|
42
47
|
end
|
43
48
|
end
|
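--- a/data/lib/secure_headers.rb
+++ b/data/lib/secure_headers.rb
@@ -85,7 +85,7 @@ module SecureHeaders
 end
 
 def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
-return unless brwsr.ie?
+return unless brwsr.ie? || brwsr.chrome?
 set_a_header(:x_content_type_options, XContentTypeOptions, options)
 end
 
@@ -113,7 +113,6 @@ module SecureHeaders
 end
 
 def broken_implementation?(browser)
-#IOS 5 sometimes refuses to load external resources even when whitelisted with CSP
 return browser.ios5? || (browser.safari? && browser.version == 5)
 end
 end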
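Review bot: The new guard `return unless brwsr.ie? || brwsr.chrome?` in set_x_content_type_options_header still keys a defensive header on the client-supplied User-Agent, so any browser not classified as IE or Chrome (and any client sending an unrecognised UA string) never receives X-Content-Type-Options at all. Browsers that do not implement `nosniff` simply ignore it, so the browser gate could be dropped and `set_a_header(:x_content_type_options, XContentTypeOptions, options)` called unconditionally, leaving the `false` option (which the spec "does not set the X-Content-Type-Options header if disabled" already exercises) as the only way to suppress it. The second hunk also removes the only comment explaining why iOS 5 counts as a broken implementation; I would keep a one-line why-comment above the return in broken_implementation?, e.g. `# iOS 5 and Safari 5 sometimes refuse to load external resources even when whitelisted by CSP, so CSP is skipped for them`. The enclosing module SecureHeaders starts and ends outside both hunks.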
@@ -2,9 +2,9 @@ module SecureHeaders
|
|
2
2
|
class XFOBuildError < StandardError; end
|
3
3
|
class XFrameOptions
|
4
4
|
module Constants
|
5
|
-
XFO_HEADER_NAME = "X-
|
5
|
+
XFO_HEADER_NAME = "X-Frame-Options"
|
6
6
|
DEFAULT_VALUE = 'SAMEORIGIN'
|
7
|
-
VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM
|
7
|
+
VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s])/i
|
8
8
|
end
|
9
9
|
include Constants
|
10
10
|
|
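Review bot: The new `VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s])/i` anchors SAMEORIGIN and DENY to the end of the value but leaves the ALLOW-FROM branch open-ended, so any value that merely begins with `ALLOW-FROM ` or `ALLOW-FROM:` is accepted, including one with no origin after it or with arbitrary trailing text. If the intent is to accept exactly one origin, the branch should require it and close the match, e.g. `VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s]\S+\z)/i`. The code that applies this constant to a configured value is outside the hunk, so it cannot be confirmed from here whether a further check exists there; the class XFrameOptions continues past the hunk.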
@@ -37,4 +37,4 @@ module SecureHeaders
|
|
37
37
|
end
|
38
38
|
end
|
39
39
|
end
|
40
|
-
end
|
40
|
+
end
|
@@ -5,32 +5,11 @@ module SecureHeaders
|
|
5
5
|
specify{ StrictTransportSecurity.new.name.should == "Strict-Transport-Security" }
|
6
6
|
|
7
7
|
describe "#value" do
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
it "allows you to specify includeSubdomains" do
|
14
|
-
s = StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
15
|
-
s.value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"
|
16
|
-
end
|
17
|
-
|
18
|
-
it "accepts a string value and returns verbatim" do
|
19
|
-
s = StrictTransportSecurity.new('max-age=1234')
|
20
|
-
s.value.should == "max-age=1234"
|
21
|
-
end
|
22
|
-
|
23
|
-
it "allows you to specify max-age" do
|
24
|
-
age = '8675309'
|
25
|
-
s = StrictTransportSecurity.new(:max_age => age)
|
26
|
-
s.value.should == "max-age=#{age}"
|
27
|
-
end
|
28
|
-
|
29
|
-
it "allows you to specify max-age as a Fixnum" do
|
30
|
-
age = 8675309
|
31
|
-
s = StrictTransportSecurity.new(:max_age => age)
|
32
|
-
s.value.should == "max-age=#{age}"
|
33
|
-
end
|
8
|
+
specify { StrictTransportSecurity.new.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE}
|
9
|
+
specify { StrictTransportSecurity.new("max-age=1234").value.should == "max-age=1234"}
|
10
|
+
specify { StrictTransportSecurity.new(:max_age => '1234').value.should == "max-age=1234"}
|
11
|
+
specify { StrictTransportSecurity.new(:max_age => 1234).value.should == "max-age=1234"}
|
12
|
+
specify { StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"}
|
34
13
|
|
35
14
|
context "with an invalid configuration" do
|
36
15
|
context "with a hash argument" do
|
@@ -2,7 +2,7 @@ require 'spec_helper'
|
|
2
2
|
|
3
3
|
module SecureHeaders
|
4
4
|
describe XFrameOptions do
|
5
|
-
specify{ XFrameOptions.new.name.should == "X-
|
5
|
+
specify{ XFrameOptions.new.name.should == "X-Frame-Options" }
|
6
6
|
|
7
7
|
describe "#value" do
|
8
8
|
specify { XFrameOptions.new.value.should == XFrameOptions::Constants::DEFAULT_VALUE}
|
@@ -80,10 +80,8 @@ describe SecureHeaders do
|
|
80
80
|
it "sets all default headers for #{name} (smoke test)" do
|
81
81
|
stub_user_agent(useragent)
|
82
82
|
number_of_headers = case name
|
83
|
-
when :ie
|
83
|
+
when :ie, :chrome
|
84
84
|
5
|
85
|
-
when :opera
|
86
|
-
4
|
87
85
|
when :ios5, :safari5
|
88
86
|
3 # csp breaks these browsers
|
89
87
|
else
|
@@ -99,29 +97,28 @@ describe SecureHeaders do
|
|
99
97
|
end
|
100
98
|
end
|
101
99
|
|
102
|
-
it "does not set the X-Content-Type-Options
|
100
|
+
it "does not set the X-Content-Type-Options header if disabled" do
|
103
101
|
stub_user_agent(USER_AGENTS[:ie])
|
104
102
|
should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)
|
105
103
|
subject.set_x_content_type_options_header(false)
|
106
104
|
end
|
107
105
|
|
108
|
-
it "does not set the X-XSS-
|
109
|
-
stub_user_agent(USER_AGENTS[:ie])
|
106
|
+
it "does not set the X-XSS-Protection header if disabled" do
|
110
107
|
should_not_assign_header(X_XSS_PROTECTION_HEADER_NAME)
|
111
108
|
subject.set_x_xss_protection_header(false)
|
112
109
|
end
|
113
110
|
|
114
|
-
it "does not set the X-
|
111
|
+
it "does not set the X-Frame-Options header if disabled" do
|
115
112
|
should_not_assign_header(XFO_HEADER_NAME)
|
116
113
|
subject.set_x_frame_options_header(false)
|
117
114
|
end
|
118
115
|
|
119
|
-
it "does not set the
|
116
|
+
it "does not set the HSTS header if disabled" do
|
120
117
|
should_not_assign_header(HSTS_HEADER_NAME)
|
121
118
|
subject.set_hsts_header(false)
|
122
119
|
end
|
123
120
|
|
124
|
-
it "does not set the
|
121
|
+
it "does not set the HSTS header if request is over HTTP" do
|
125
122
|
subject.stub_chain(:request, :ssl?).and_return(false)
|
126
123
|
should_not_assign_header(HSTS_HEADER_NAME)
|
127
124
|
subject.set_hsts_header({:include_subdomains => true})
|
@@ -142,7 +139,7 @@ describe SecureHeaders do
|
|
142
139
|
end
|
143
140
|
|
144
141
|
context "when disabled by configuration settings" do
|
145
|
-
it "does not set
|
142
|
+
it "does not set any headers when disabled" do
|
146
143
|
::SecureHeaders::Configuration.configure do |config|
|
147
144
|
config.hsts = false
|
148
145
|
config.x_frame_options = false
|
@@ -158,48 +155,67 @@ describe SecureHeaders do
|
|
158
155
|
end
|
159
156
|
|
160
157
|
describe "#set_x_frame_options_header" do
|
161
|
-
it "sets the X-
|
158
|
+
it "sets the X-Frame-Options header" do
|
162
159
|
should_assign_header(XFO_HEADER_NAME, SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
|
163
160
|
subject.set_x_frame_options_header
|
164
161
|
end
|
165
162
|
|
166
|
-
it "allows a custom X-
|
163
|
+
it "allows a custom X-Frame-Options header" do
|
167
164
|
should_assign_header(XFO_HEADER_NAME, "DENY")
|
168
165
|
subject.set_x_frame_options_header(:value => 'DENY')
|
169
166
|
end
|
170
167
|
end
|
171
168
|
|
172
|
-
|
173
|
-
|
174
|
-
|
169
|
+
describe "#set_strict_transport_security" do
|
170
|
+
it "sets the Strict-Transport-Security header" do
|
171
|
+
should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
172
|
+
subject.set_hsts_header
|
175
173
|
end
|
176
174
|
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
181
|
-
end
|
175
|
+
it "allows you to specific a custom max-age value" do
|
176
|
+
should_assign_header(HSTS_HEADER_NAME, 'max-age=1234')
|
177
|
+
subject.set_hsts_header(:max_age => 1234)
|
178
|
+
end
|
182
179
|
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
180
|
+
it "allows you to specify includeSubdomains" do
|
181
|
+
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
|
182
|
+
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
183
|
+
end
|
184
|
+
end
|
187
185
|
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
186
|
+
describe "#set_x_xss_protection" do
|
187
|
+
it "sets the X-XSS-Protection header" do
|
188
|
+
should_assign_header(X_XSS_PROTECTION_HEADER_NAME, SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
|
189
|
+
subject.set_x_xss_protection_header
|
192
190
|
end
|
193
191
|
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
192
|
+
it "sets a custom X-XSS-Protection header" do
|
193
|
+
should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
|
194
|
+
subject.set_x_xss_protection_header("0")
|
195
|
+
end
|
196
|
+
|
197
|
+
it "sets the block flag" do
|
198
|
+
should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
|
199
|
+
subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
|
200
|
+
end
|
201
|
+
end
|
199
202
|
|
200
|
-
|
201
|
-
|
202
|
-
|
203
|
+
describe "#set_x_content_type_options" do
|
204
|
+
[:ie, :chrome].each do |useragent|
|
205
|
+
context "when using #{useragent}" do
|
206
|
+
before(:each) do
|
207
|
+
stub_user_agent(USER_AGENTS[useragent])
|
208
|
+
end
|
209
|
+
|
210
|
+
it "sets the X-Content-Type-Options header" do
|
211
|
+
should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
212
|
+
subject.set_x_content_type_options_header
|
213
|
+
end
|
214
|
+
|
215
|
+
it "lets you override X-Content-Type-Options" do
|
216
|
+
should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
|
217
|
+
subject.set_x_content_type_options_header(:value => 'nosniff')
|
218
|
+
end
|
203
219
|
end
|
204
220
|
end
|
205
221
|
end
|
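Review bot: The new `describe "#set_x_content_type_options"` block only iterates `[:ie, :chrome]`, so the library's decision to skip X-Content-Type-Options for every other browser is never asserted, and a regression in that gate (or in the UA classification) would go unnoticed. A negative case for a user agent outside that list would pin the behaviour; `:opera` appears as a USER_AGENTS key on the removed side of the smoke-test hunk, so it presumably still exists, but confirm before relying on it. The `describe SecureHeaders do` block that encloses this hunk starts outside it.
```ruby
# … unchanged: [:ie, :chrome] contexts …
context "when using another browser" do
  it "does not set the X-Content-Type-Options header" do
    stub_user_agent(USER_AGENTS[:opera]) # any non-IE, non-Chrome entry from USER_AGENTS
    should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)
    subject.set_x_content_type_options_header
  end
end
```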
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.5.0
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-05-
|
12
|
+
date: 2013-05-21 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: brwsr
|
@@ -190,7 +190,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
190
190
|
version: '0'
|
191
191
|
requirements: []
|
192
192
|
rubyforge_project:
|
193
|
-
rubygems_version: 1.8.
|
193
|
+
rubygems_version: 1.8.25
|
194
194
|
signing_key:
|
195
195
|
specification_version: 3
|
196
196
|
summary: Add easily configured browser headers to responses including content security
|