secure_headers 1.1.1 → 1.2.0



@@ -1,33 +1,33 @@
1
1
  module SecureHeaders
2
2
  describe XContentTypeOptions do
3
- specify{ XContentTypeOptions.new.name.should == "X-Content-Type-Options" }
3
+ specify{ expect(XContentTypeOptions.new.name).to eq("X-Content-Type-Options") }
4
4
 
5
5
  describe "#value" do
6
- specify { XContentTypeOptions.new.value.should == XContentTypeOptions::Constants::DEFAULT_VALUE}
7
- specify { XContentTypeOptions.new("nosniff").value.should == "nosniff"}
8
- specify { XContentTypeOptions.new(:value => 'nosniff').value.should == "nosniff"}
6
+ specify { expect(XContentTypeOptions.new.value).to eq(XContentTypeOptions::Constants::DEFAULT_VALUE)}
7
+ specify { expect(XContentTypeOptions.new("nosniff").value).to eq("nosniff")}
8
+ specify { expect(XContentTypeOptions.new(:value => 'nosniff').value).to eq("nosniff")}
9
9
 
10
10
  context "invalid configuration values" do
11
11
  it "accepts nosniff" do
12
- lambda {
12
+ expect {
13
13
  XContentTypeOptions.new("nosniff")
14
- }.should_not raise_error
14
+ }.not_to raise_error
15
15
 
16
- lambda {
16
+ expect {
17
17
  XContentTypeOptions.new(:value => "nosniff")
18
- }.should_not raise_error
18
+ }.not_to raise_error
19
19
  end
20
20
 
21
21
  it "accepts nil" do
22
- lambda {
22
+ expect {
23
23
  XContentTypeOptions.new
24
- }.should_not raise_error
24
+ }.not_to raise_error
25
25
  end
26
26
 
27
27
  it "doesn't accept anything besides no-sniff" do
28
- lambda {
28
+ expect {
29
29
  XContentTypeOptions.new("donkey")
30
- }.should raise_error
30
+ }.to raise_error
31
31
  end
32
32
  end
33
33
  end
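Review bot: The last example, "doesn't accept anything besides no-sniff", still ends in a bare `}.to raise_error`, which passes on any exception at all, including a `NameError` or `NoMethodError` caused by a typo in the constructor. This spec is the guard on validation of the X-Content-Type-Options value, so it should name the error the validator is meant to raise, as the X-Frame-Options and X-XSS-Protection specs in this release do with `raise_error(XFOBuildError)` and `raise_error(XXssProtectionBuildError)`. The error class for this header is not visible on this page, so confirm its name in the library before pinning it. Later RSpec 3 releases warn about the bare matcher for the same false-positive reason.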
@@ -2,34 +2,34 @@ require 'spec_helper'
2
2
 
3
3
  module SecureHeaders
4
4
  describe XFrameOptions do
5
- specify{ XFrameOptions.new.name.should == "X-Frame-Options" }
5
+ specify{ expect(XFrameOptions.new.name).to eq("X-Frame-Options") }
6
6
 
7
7
  describe "#value" do
8
- specify { XFrameOptions.new.value.should == XFrameOptions::Constants::DEFAULT_VALUE}
9
- specify { XFrameOptions.new("SAMEORIGIN").value.should == "SAMEORIGIN"}
10
- specify { XFrameOptions.new(:value => 'DENY').value.should == "DENY"}
8
+ specify { expect(XFrameOptions.new.value).to eq(XFrameOptions::Constants::DEFAULT_VALUE)}
9
+ specify { expect(XFrameOptions.new("SAMEORIGIN").value).to eq("SAMEORIGIN")}
10
+ specify { expect(XFrameOptions.new(:value => 'DENY').value).to eq("DENY")}
11
11
 
12
12
  context "with invalid configuration" do
13
13
  it "allows SAMEORIGIN" do
14
- lambda {
14
+ expect {
15
15
  XFrameOptions.new("SAMEORIGIN").value
16
- }.should_not raise_error
16
+ }.not_to raise_error
17
17
  end
18
18
 
19
19
  it "allows DENY" do
20
- lambda {
20
+ expect {
21
21
  XFrameOptions.new("DENY").value
22
- }.should_not raise_error end
22
+ }.not_to raise_error end
23
23
 
24
24
  it "allows ALLOW-FROM*" do
25
- lambda {
25
+ expect {
26
26
  XFrameOptions.new("ALLOW-FROM: example.com").value
27
- }.should_not raise_error
27
+ }.not_to raise_error
28
28
  end
29
29
  it "does not allow garbage" do
30
- lambda {
30
+ expect {
31
31
  XFrameOptions.new("I like turtles").value
32
- }.should raise_error(XFOBuildError)
32
+ }.to raise_error(XFOBuildError)
33
33
  end
34
34
  end
35
35
  end
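Review bot: The "allows ALLOW-FROM*" example pins `"ALLOW-FROM: example.com"` as an accepted value, but the grammar in RFC 7034 is `ALLOW-FROM`, a space, then a serialized origin, with no colon, for example `ALLOW-FROM https://example.com`. If the validator accepts the colon form as this test suggests, an application can ship a value that browsers are likely to ignore while believing it has framing protection. I would change the fixture to `XFrameOptions.new("ALLOW-FROM https://example.com").value` and add a rejecting example for the colon form, after checking what the library's pattern actually matches (it is not shown on this page). Separately, the three accepting examples sit under `context "with invalid configuration"`, which misdescribes them.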
@@ -1,50 +1,50 @@
1
1
  module SecureHeaders
2
2
  describe XXssProtection do
3
- specify { XXssProtection.new.name.should == X_XSS_PROTECTION_HEADER_NAME}
4
- specify { XXssProtection.new.value.should == "1"}
5
- specify { XXssProtection.new("0").value.should == "0"}
6
- specify { XXssProtection.new(:value => 1, :mode => 'block').value.should == '1; mode=block' }
3
+ specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}
4
+ specify { expect(XXssProtection.new.value).to eq("1")}
5
+ specify { expect(XXssProtection.new("0").value).to eq("0")}
6
+ specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
7
7
 
8
8
  context "with invalid configuration" do
9
9
  it "should raise an error when providing a string that is not valid" do
10
- lambda {
10
+ expect {
11
11
  XXssProtection.new("asdf")
12
- }.should raise_error(XXssProtectionBuildError)
12
+ }.to raise_error(XXssProtectionBuildError)
13
13
 
14
- lambda {
14
+ expect {
15
15
  XXssProtection.new("asdf; mode=donkey")
16
- }.should raise_error(XXssProtectionBuildError)
16
+ }.to raise_error(XXssProtectionBuildError)
17
17
  end
18
18
 
19
19
  context "when using a hash value" do
20
20
  it "should allow string values ('1' or '0' are the only valid strings)" do
21
- lambda {
21
+ expect {
22
22
  XXssProtection.new(:value => '1')
23
- }.should_not raise_error
23
+ }.not_to raise_error
24
24
  end
25
25
 
26
26
  it "should allow integer values (1 or 0 are the only valid integers)" do
27
- lambda {
27
+ expect {
28
28
  XXssProtection.new(:value => 1)
29
- }.should_not raise_error
29
+ }.not_to raise_error
30
30
  end
31
31
 
32
32
  it "should raise an error if no value key is supplied" do
33
- lambda {
33
+ expect {
34
34
  XXssProtection.new(:mode => 'block')
35
- }.should raise_error(XXssProtectionBuildError)
35
+ }.to raise_error(XXssProtectionBuildError)
36
36
  end
37
37
 
38
38
  it "should raise an error if an invalid key is supplied" do
39
- lambda {
39
+ expect {
40
40
  XXssProtection.new(:value => 123)
41
- }.should raise_error(XXssProtectionBuildError)
41
+ }.to raise_error(XXssProtectionBuildError)
42
42
  end
43
43
 
44
44
  it "should raise an error if mode != block" do
45
- lambda {
45
+ expect {
46
46
  XXssProtection.new(:value => 1, :mode => "donkey")
47
- }.should raise_error(XXssProtectionBuildError)
47
+ }.to raise_error(XXssProtectionBuildError)
48
48
  end
49
49
  end
50
50
 
@@ -13,9 +13,9 @@ describe SecureHeaders do
13
13
 
14
14
  before(:each) do
15
15
  stub_user_agent(nil)
16
- headers.stub(:[])
17
- subject.stub(:response).and_return(response)
18
- subject.stub(:request).and_return(request)
16
+ allow(headers).to receive(:[])
17
+ allow(subject).to receive(:response).and_return(response)
18
+ allow(subject).to receive(:request).and_return(request)
19
19
  end
20
20
 
21
21
  ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
@@ -32,15 +32,15 @@ describe SecureHeaders do
32
32
  }
33
33
 
34
34
  def should_assign_header name, value
35
- response.headers.should_receive(:[]=).with(name, value)
35
+ expect(response.headers).to receive(:[]=).with(name, value)
36
36
  end
37
37
 
38
38
  def should_not_assign_header name
39
- response.headers.should_not_receive(:[]=).with(name, anything)
39
+ expect(response.headers).not_to receive(:[]=).with(name, anything)
40
40
  end
41
41
 
42
42
  def stub_user_agent val
43
- request.stub_chain(:env, :[]).and_return(val)
43
+ allow(request).to receive_message_chain(:env, :[]).and_return(val)
44
44
  end
45
45
 
46
46
  def options_for header
@@ -68,7 +68,7 @@ describe SecureHeaders do
68
68
  describe "#ensure_security_headers" do
69
69
  it "sets a before filter" do
70
70
  options = {}
71
- DummyClass.should_receive(:before_filter).exactly(5).times
71
+ expect(DummyClass).to receive(:before_filter).exactly(5).times
72
72
  DummyClass.ensure_security_headers(options)
73
73
  end
74
74
  end
@@ -87,13 +87,13 @@ describe SecureHeaders do
87
87
 
88
88
  describe "#set_security_headers" do
89
89
  before(:each) do
90
- SecureHeaders::ContentSecurityPolicy.stub(:new).and_return(double.as_null_object)
90
+ allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
91
91
  end
92
92
  USER_AGENTS.each do |name, useragent|
93
93
  it "sets all default headers for #{name} (smoke test)" do
94
94
  stub_user_agent(useragent)
95
95
  number_of_headers = 5
96
- subject.should_receive(:set_header).exactly(number_of_headers).times # a request for a given header
96
+ expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
97
97
  subject.set_csp_header
98
98
  subject.set_x_frame_options_header
99
99
  subject.set_hsts_header
@@ -124,7 +124,7 @@ describe SecureHeaders do
124
124
  end
125
125
 
126
126
  it "does not set the HSTS header if request is over HTTP" do
127
- subject.stub_chain(:request, :ssl?).and_return(false)
127
+ allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
128
128
  should_not_assign_header(HSTS_HEADER_NAME)
129
129
  subject.set_hsts_header({:include_subdomains => true})
130
130
  end
@@ -144,7 +144,7 @@ describe SecureHeaders do
144
144
  config.x_xss_protection = false
145
145
  config.csp = false
146
146
  end
147
- subject.should_not_receive(:set_header)
147
+ expect(subject).not_to receive(:set_header)
148
148
  set_security_headers(subject)
149
149
  reset_config
150
150
  end
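Review bot: The stub in `stub_user_agent` (the `@@ -32,15` hunk) answers every key looked up in `request.env` with the user-agent string, because `allow(request).to receive_message_chain(:env, :[]).and_return(val)` does not constrain the key. Any other env lookup made while choosing headers would silently receive the browser string, so the per-browser examples can pass for the wrong reason. Stubbing a real hash keeps the lookup honest, e.g. `allow(request).to receive(:env).and_return('HTTP_USER_AGENT' => val)`, assuming the library reads the standard Rack key (its code is not on this page). The same message-chain style is used for `:request, :ssl?` in the HSTS example in the `@@ -124,7` hunk.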
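--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -9,7 +9,6 @@ unless Spork.using_spork?
  end
 
  Spork.prefork do
- require 'pry'
  require 'rspec'
  end
 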
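--- a/metadata
+++ b/metadata
@@ -1,20 +1,18 @@
  --- !ruby/object:Gem::Specification
  name: secure_headers
  version: !ruby/object:Gem::Version
- version: 1.1.1
- prerelease:
+ version: 1.2.0
  platform: ruby
  authors:
  - Neil Matatall
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2013-12-19 00:00:00.000000000 Z
+ date: 2014-06-13 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
  requirement: !ruby/object:Gem::Requirement
- none: false
  requirements:
  - - ! '>='
  - !ruby/object:Gem::Version
@@ -22,7 +20,6 @@ dependencies:
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
- none: false
  requirements:
  - - ! '>='
  - !ruby/object:Gem::Version
@@ -35,7 +32,8 @@ extensions: []
  extra_rdoc_files: []
  files:
  - .gitignore
- - .rvmrc
+ - .ruby-gemset
+ - .ruby-version
  - .travis.yml
  - Gemfile
  - Guardfile
@@ -153,27 +151,26 @@ files:
  homepage: https://github.com/twitter/secureheaders
  licenses:
  - Apache Public License 2.0
+ metadata: {}
  post_install_message:
  rdoc_options: []
  require_paths:
  - lib
  required_ruby_version: !ruby/object:Gem::Requirement
- none: false
  requirements:
  - - ! '>='
  - !ruby/object:Gem::Version
  version: '0'
  required_rubygems_version: !ruby/object:Gem::Requirement
- none: false
  requirements:
  - - ! '>='
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 1.8.25
+ rubygems_version: 2.2.2
  signing_key:
- specification_version: 3
+ specification_version: 4
  summary: Add easily configured browser headers to responses including content security
  policy, x-frame-options, strict-transport-security and more.
  test_files: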
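--- a/data/.rvmrc
+++ /dev/null
@@ -1 +0,0 @@
- rvm use 1.9.3@secureheaders --create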