secure_headers 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -0
- data/Gemfile +0 -2
- data/Guardfile +1 -5
- data/HISTORY.md +23 -0
- data/README.md +18 -15
- data/app/controllers/content_security_policy_controller.rb +22 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +0 -1
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +0 -1
- data/lib/secure_headers/headers/content_security_policy.rb +15 -20
- data/lib/secure_headers/version.rb +1 -1
- data/spec/controllers/content_security_policy_controller_spec.rb +34 -18
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +77 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +20 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -13
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +18 -18
- data/spec/lib/secure_headers_spec.rb +11 -11
- data/spec/spec_helper.rb +0 -1
- metadata +7 -10
- data/.rvmrc +0 -1
|
@@ -13,9 +13,9 @@ describe SecureHeaders do
|
|
|
13
13
|
|
|
14
14
|
before(:each) do
|
|
15
15
|
stub_user_agent(nil)
|
|
16
|
-
headers.
|
|
17
|
-
subject.
|
|
18
|
-
subject.
|
|
16
|
+
allow(headers).to receive(:[])
|
|
17
|
+
allow(subject).to receive(:response).and_return(response)
|
|
18
|
+
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
|
|
@@ -32,15 +32,15 @@ describe SecureHeaders do
|
|
|
32
32
|
}
|
|
33
33
|
|
|
34
34
|
def should_assign_header name, value
|
|
35
|
-
response.headers.
|
|
35
|
+
expect(response.headers).to receive(:[]=).with(name, value)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
def should_not_assign_header name
|
|
39
|
-
response.headers.
|
|
39
|
+
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
def stub_user_agent val
|
|
43
|
-
request.
|
|
43
|
+
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
def options_for header
|
|
@@ -68,7 +68,7 @@ describe SecureHeaders do
|
|
|
68
68
|
describe "#ensure_security_headers" do
|
|
69
69
|
it "sets a before filter" do
|
|
70
70
|
options = {}
|
|
71
|
-
DummyClass.
|
|
71
|
+
expect(DummyClass).to receive(:before_filter).exactly(5).times
|
|
72
72
|
DummyClass.ensure_security_headers(options)
|
|
73
73
|
end
|
|
74
74
|
end
|
|
@@ -87,13 +87,13 @@ describe SecureHeaders do
|
|
|
87
87
|
|
|
88
88
|
describe "#set_security_headers" do
|
|
89
89
|
before(:each) do
|
|
90
|
-
SecureHeaders::ContentSecurityPolicy.
|
|
90
|
+
allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
|
|
91
91
|
end
|
|
92
92
|
USER_AGENTS.each do |name, useragent|
|
|
93
93
|
it "sets all default headers for #{name} (smoke test)" do
|
|
94
94
|
stub_user_agent(useragent)
|
|
95
95
|
number_of_headers = 5
|
|
96
|
-
subject.
|
|
96
|
+
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
|
97
97
|
subject.set_csp_header
|
|
98
98
|
subject.set_x_frame_options_header
|
|
99
99
|
subject.set_hsts_header
|
|
@@ -124,7 +124,7 @@ describe SecureHeaders do
|
|
|
124
124
|
end
|
|
125
125
|
|
|
126
126
|
it "does not set the HSTS header if request is over HTTP" do
|
|
127
|
-
subject.
|
|
127
|
+
allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
|
|
128
128
|
should_not_assign_header(HSTS_HEADER_NAME)
|
|
129
129
|
subject.set_hsts_header({:include_subdomains => true})
|
|
130
130
|
end
|
|
@@ -144,7 +144,7 @@ describe SecureHeaders do
|
|
|
144
144
|
config.x_xss_protection = false
|
|
145
145
|
config.csp = false
|
|
146
146
|
end
|
|
147
|
-
subject.
|
|
147
|
+
expect(subject).not_to receive(:set_header)
|
|
148
148
|
set_security_headers(subject)
|
|
149
149
|
reset_config
|
|
150
150
|
end
|
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
|
@@ -1,20 +1,18 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 1.2.0
|
|
6
5
|
platform: ruby
|
|
7
6
|
authors:
|
|
8
7
|
- Neil Matatall
|
|
9
8
|
autorequire:
|
|
10
9
|
bindir: bin
|
|
11
10
|
cert_chain: []
|
|
12
|
-
date:
|
|
11
|
+
date: 2014-06-13 00:00:00.000000000 Z
|
|
13
12
|
dependencies:
|
|
14
13
|
- !ruby/object:Gem::Dependency
|
|
15
14
|
name: rake
|
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
-
none: false
|
|
18
16
|
requirements:
|
|
19
17
|
- - ! '>='
|
|
20
18
|
- !ruby/object:Gem::Version
|
|
@@ -22,7 +20,6 @@ dependencies:
|
|
|
22
20
|
type: :development
|
|
23
21
|
prerelease: false
|
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
-
none: false
|
|
26
23
|
requirements:
|
|
27
24
|
- - ! '>='
|
|
28
25
|
- !ruby/object:Gem::Version
|
|
@@ -35,7 +32,8 @@ extensions: []
|
|
|
35
32
|
extra_rdoc_files: []
|
|
36
33
|
files:
|
|
37
34
|
- .gitignore
|
|
38
|
-
- .
|
|
35
|
+
- .ruby-gemset
|
|
36
|
+
- .ruby-version
|
|
39
37
|
- .travis.yml
|
|
40
38
|
- Gemfile
|
|
41
39
|
- Guardfile
|
|
@@ -153,27 +151,26 @@ files:
|
|
|
153
151
|
homepage: https://github.com/twitter/secureheaders
|
|
154
152
|
licenses:
|
|
155
153
|
- Apache Public License 2.0
|
|
154
|
+
metadata: {}
|
|
156
155
|
post_install_message:
|
|
157
156
|
rdoc_options: []
|
|
158
157
|
require_paths:
|
|
159
158
|
- lib
|
|
160
159
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
161
|
-
none: false
|
|
162
160
|
requirements:
|
|
163
161
|
- - ! '>='
|
|
164
162
|
- !ruby/object:Gem::Version
|
|
165
163
|
version: '0'
|
|
166
164
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
167
|
-
none: false
|
|
168
165
|
requirements:
|
|
169
166
|
- - ! '>='
|
|
170
167
|
- !ruby/object:Gem::Version
|
|
171
168
|
version: '0'
|
|
172
169
|
requirements: []
|
|
173
170
|
rubyforge_project:
|
|
174
|
-
rubygems_version:
|
|
171
|
+
rubygems_version: 2.2.2
|
|
175
172
|
signing_key:
|
|
176
|
-
specification_version:
|
|
173
|
+
specification_version: 4
|
|
177
174
|
summary: Add easily configured browser headers to responses including content security
|
|
178
175
|
policy, x-frame-options, strict-transport-security and more.
|
|
179
176
|
test_files:
|
data/.rvmrc
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
rvm use 1.9.3@secureheaders --create
|