secure_headers 1.1.1 → 1.2.0
- checksums.yaml +15 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -0
- data/Gemfile +0 -2
- data/Guardfile +1 -5
- data/HISTORY.md +16 -0
- data/README.md +18 -15
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +0 -1
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +0 -1
- data/lib/secure_headers/headers/content_security_policy.rb +15 -20
- data/lib/secure_headers/version.rb +1 -1
- data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +77 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +20 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +18 -18
- data/spec/lib/secure_headers_spec.rb +11 -11
- data/spec/spec_helper.rb +0 -1
- metadata +7 -10
- data/.rvmrc +0 -1
@@ -1,33 +1,33 @@
|
|
1
1
|
module SecureHeaders
|
2
2
|
describe XContentTypeOptions do
|
3
|
-
specify{ XContentTypeOptions.new.name.
|
3
|
+
specify{ expect(XContentTypeOptions.new.name).to eq("X-Content-Type-Options") }
|
4
4
|
|
5
5
|
describe "#value" do
|
6
|
-
specify { XContentTypeOptions.new.value.
|
7
|
-
specify { XContentTypeOptions.new("nosniff").value.
|
8
|
-
specify { XContentTypeOptions.new(:value => 'nosniff').value.
|
6
|
+
specify { expect(XContentTypeOptions.new.value).to eq(XContentTypeOptions::Constants::DEFAULT_VALUE)}
|
7
|
+
specify { expect(XContentTypeOptions.new("nosniff").value).to eq("nosniff")}
|
8
|
+
specify { expect(XContentTypeOptions.new(:value => 'nosniff').value).to eq("nosniff")}
|
9
9
|
|
10
10
|
context "invalid configuration values" do
|
11
11
|
it "accepts nosniff" do
|
12
|
-
|
12
|
+
expect {
|
13
13
|
XContentTypeOptions.new("nosniff")
|
14
|
-
}.
|
14
|
+
}.not_to raise_error
|
15
15
|
|
16
|
-
|
16
|
+
expect {
|
17
17
|
XContentTypeOptions.new(:value => "nosniff")
|
18
|
-
}.
|
18
|
+
}.not_to raise_error
|
19
19
|
end
|
20
20
|
|
21
21
|
it "accepts nil" do
|
22
|
-
|
22
|
+
expect {
|
23
23
|
XContentTypeOptions.new
|
24
|
-
}.
|
24
|
+
}.not_to raise_error
|
25
25
|
end
|
26
26
|
|
27
27
|
it "doesn't accept anything besides no-sniff" do
|
28
|
-
|
28
|
+
expect {
|
29
29
|
XContentTypeOptions.new("donkey")
|
30
|
-
}.
|
30
|
+
}.to raise_error
|
31
31
|
end
|
32
32
|
end
|
33
33
|
end
|
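Review bot: `}.to raise_error` at new line 30 of this hunk names no exception class, so any exception raised while evaluating `XContentTypeOptions.new("donkey")` — including a NameError from a typo in the spec itself — satisfies it, and RSpec 3 warns about exactly this form. The X-Frame-Options spec in this same release pins `raise_error(XFOBuildError)`; this example should pin the build error this header raises the same way, e.g. `}.to raise_error(<build error class for X-Content-Type-Options>)`. Separately, the `context "invalid configuration values"` block at new line 10 now holds the examples that accept `nosniff` and nil, so its description no longer matches what it covers and reads better as "configuration values".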
@@ -2,34 +2,34 @@ require 'spec_helper'
|
|
2
2
|
|
3
3
|
module SecureHeaders
|
4
4
|
describe XFrameOptions do
|
5
|
-
specify{ XFrameOptions.new.name.
|
5
|
+
specify{ expect(XFrameOptions.new.name).to eq("X-Frame-Options") }
|
6
6
|
|
7
7
|
describe "#value" do
|
8
|
-
specify { XFrameOptions.new.value.
|
9
|
-
specify { XFrameOptions.new("SAMEORIGIN").value.
|
10
|
-
specify { XFrameOptions.new(:value => 'DENY').value.
|
8
|
+
specify { expect(XFrameOptions.new.value).to eq(XFrameOptions::Constants::DEFAULT_VALUE)}
|
9
|
+
specify { expect(XFrameOptions.new("SAMEORIGIN").value).to eq("SAMEORIGIN")}
|
10
|
+
specify { expect(XFrameOptions.new(:value => 'DENY').value).to eq("DENY")}
|
11
11
|
|
12
12
|
context "with invalid configuration" do
|
13
13
|
it "allows SAMEORIGIN" do
|
14
|
-
|
14
|
+
expect {
|
15
15
|
XFrameOptions.new("SAMEORIGIN").value
|
16
|
-
}.
|
16
|
+
}.not_to raise_error
|
17
17
|
end
|
18
18
|
|
19
19
|
it "allows DENY" do
|
20
|
-
|
20
|
+
expect {
|
21
21
|
XFrameOptions.new("DENY").value
|
22
|
-
}.
|
22
|
+
}.not_to raise_error end
|
23
23
|
|
24
24
|
it "allows ALLOW-FROM*" do
|
25
|
-
|
25
|
+
expect {
|
26
26
|
XFrameOptions.new("ALLOW-FROM: example.com").value
|
27
|
-
}.
|
27
|
+
}.not_to raise_error
|
28
28
|
end
|
29
29
|
it "does not allow garbage" do
|
30
|
-
|
30
|
+
expect {
|
31
31
|
XFrameOptions.new("I like turtles").value
|
32
|
-
}.
|
32
|
+
}.to raise_error(XFOBuildError)
|
33
33
|
end
|
34
34
|
end
|
35
35
|
end
|
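Review bot: New line 22, `}.not_to raise_error end`, closes the `it "allows DENY"` example on the matcher line while every neighbouring example puts `end` on its own line; split it into `}.not_to raise_error` and `end` so the block structure reads like the rest of the file. Less directly, the `allows ALLOW-FROM*` example at new line 26 feeds `"ALLOW-FROM: example.com"` to the validator, whereas RFC 7034 spells the directive as `ALLOW-FROM https://example.com` (a space, then a serialized origin, no colon). If the validator accepts the colon form unchanged, this spec is proving that a non-conforming header value passes validation, so the fixture is worth aligning with the RFC syntax.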
@@ -1,50 +1,50 @@
|
|
1
1
|
module SecureHeaders
|
2
2
|
describe XXssProtection do
|
3
|
-
specify { XXssProtection.new.name.
|
4
|
-
specify { XXssProtection.new.value.
|
5
|
-
specify { XXssProtection.new("0").value.
|
6
|
-
specify { XXssProtection.new(:value => 1, :mode => 'block').value.
|
3
|
+
specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}
|
4
|
+
specify { expect(XXssProtection.new.value).to eq("1")}
|
5
|
+
specify { expect(XXssProtection.new("0").value).to eq("0")}
|
6
|
+
specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
|
7
7
|
|
8
8
|
context "with invalid configuration" do
|
9
9
|
it "should raise an error when providing a string that is not valid" do
|
10
|
-
|
10
|
+
expect {
|
11
11
|
XXssProtection.new("asdf")
|
12
|
-
}.
|
12
|
+
}.to raise_error(XXssProtectionBuildError)
|
13
13
|
|
14
|
-
|
14
|
+
expect {
|
15
15
|
XXssProtection.new("asdf; mode=donkey")
|
16
|
-
}.
|
16
|
+
}.to raise_error(XXssProtectionBuildError)
|
17
17
|
end
|
18
18
|
|
19
19
|
context "when using a hash value" do
|
20
20
|
it "should allow string values ('1' or '0' are the only valid strings)" do
|
21
|
-
|
21
|
+
expect {
|
22
22
|
XXssProtection.new(:value => '1')
|
23
|
-
}.
|
23
|
+
}.not_to raise_error
|
24
24
|
end
|
25
25
|
|
26
26
|
it "should allow integer values (1 or 0 are the only valid integers)" do
|
27
|
-
|
27
|
+
expect {
|
28
28
|
XXssProtection.new(:value => 1)
|
29
|
-
}.
|
29
|
+
}.not_to raise_error
|
30
30
|
end
|
31
31
|
|
32
32
|
it "should raise an error if no value key is supplied" do
|
33
|
-
|
33
|
+
expect {
|
34
34
|
XXssProtection.new(:mode => 'block')
|
35
|
-
}.
|
35
|
+
}.to raise_error(XXssProtectionBuildError)
|
36
36
|
end
|
37
37
|
|
38
38
|
it "should raise an error if an invalid key is supplied" do
|
39
|
-
|
39
|
+
expect {
|
40
40
|
XXssProtection.new(:value => 123)
|
41
|
-
}.
|
41
|
+
}.to raise_error(XXssProtectionBuildError)
|
42
42
|
end
|
43
43
|
|
44
44
|
it "should raise an error if mode != block" do
|
45
|
-
|
45
|
+
expect {
|
46
46
|
XXssProtection.new(:value => 1, :mode => "donkey")
|
47
|
-
}.
|
47
|
+
}.to raise_error(XXssProtectionBuildError)
|
48
48
|
end
|
49
49
|
end
|
50
50
|
|
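Review bot: New line 3 asserts `XXssProtection.new.name` against `X_XSS_PROTECTION_HEADER_NAME`; if `name` simply returns that constant the example is circular and would still pass if the constant were misspelled, whereas the X-Frame-Options and X-Content-Type-Options specs in this same release pin the literal header string. Asserting `eq("X-XSS-Protection")` here keeps the three specs consistent and guards the wire value. The description at new line 39, "should raise an error if an invalid key is supplied", actually passes an invalid value (`:value => 123`), so its wording should say value rather than key.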
@@ -13,9 +13,9 @@ describe SecureHeaders do
|
|
13
13
|
|
14
14
|
before(:each) do
|
15
15
|
stub_user_agent(nil)
|
16
|
-
headers.
|
17
|
-
subject.
|
18
|
-
subject.
|
16
|
+
allow(headers).to receive(:[])
|
17
|
+
allow(subject).to receive(:response).and_return(response)
|
18
|
+
allow(subject).to receive(:request).and_return(request)
|
19
19
|
end
|
20
20
|
|
21
21
|
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
|
@@ -32,15 +32,15 @@ describe SecureHeaders do
|
|
32
32
|
}
|
33
33
|
|
34
34
|
def should_assign_header name, value
|
35
|
-
response.headers.
|
35
|
+
expect(response.headers).to receive(:[]=).with(name, value)
|
36
36
|
end
|
37
37
|
|
38
38
|
def should_not_assign_header name
|
39
|
-
response.headers.
|
39
|
+
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
40
40
|
end
|
41
41
|
|
42
42
|
def stub_user_agent val
|
43
|
-
request.
|
43
|
+
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
44
44
|
end
|
45
45
|
|
46
46
|
def options_for header
|
@@ -68,7 +68,7 @@ describe SecureHeaders do
|
|
68
68
|
describe "#ensure_security_headers" do
|
69
69
|
it "sets a before filter" do
|
70
70
|
options = {}
|
71
|
-
DummyClass.
|
71
|
+
expect(DummyClass).to receive(:before_filter).exactly(5).times
|
72
72
|
DummyClass.ensure_security_headers(options)
|
73
73
|
end
|
74
74
|
end
|
@@ -87,13 +87,13 @@ describe SecureHeaders do
|
|
87
87
|
|
88
88
|
describe "#set_security_headers" do
|
89
89
|
before(:each) do
|
90
|
-
SecureHeaders::ContentSecurityPolicy.
|
90
|
+
allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
|
91
91
|
end
|
92
92
|
USER_AGENTS.each do |name, useragent|
|
93
93
|
it "sets all default headers for #{name} (smoke test)" do
|
94
94
|
stub_user_agent(useragent)
|
95
95
|
number_of_headers = 5
|
96
|
-
subject.
|
96
|
+
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
97
97
|
subject.set_csp_header
|
98
98
|
subject.set_x_frame_options_header
|
99
99
|
subject.set_hsts_header
|
@@ -124,7 +124,7 @@ describe SecureHeaders do
|
|
124
124
|
end
|
125
125
|
|
126
126
|
it "does not set the HSTS header if request is over HTTP" do
|
127
|
-
subject.
|
127
|
+
allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
|
128
128
|
should_not_assign_header(HSTS_HEADER_NAME)
|
129
129
|
subject.set_hsts_header({:include_subdomains => true})
|
130
130
|
end
|
@@ -144,7 +144,7 @@ describe SecureHeaders do
|
|
144
144
|
config.x_xss_protection = false
|
145
145
|
config.csp = false
|
146
146
|
end
|
147
|
-
subject.
|
147
|
+
expect(subject).not_to receive(:set_header)
|
148
148
|
set_security_headers(subject)
|
149
149
|
reset_config
|
150
150
|
end
|
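Review bot: In the `stub_user_agent` hunk, `allow(request).to receive_message_chain(:env, :[]).and_return(val)` (new line 43) makes every `request.env[...]` lookup return the user agent, so the `#set_security_headers` smoke tests would keep passing even if the implementation read the wrong env key; constraining the final `[]` with `.with(...)` on the key the implementation reads (not visible in this diff) keeps the stub honest. A message chain also couples the spec to the exact `env`/`[]` call shape; stubbing `request.env` to return a plain hash such as `{ "<user-agent env key>" => val }` would avoid that coupling. The same section hard-codes `exactly(5).times` at new line 71 while the `#set_security_headers` example derives the same count from `number_of_headers = 5`; `ALL_HEADERS` at new line 21 lists exactly those five headers, so `ALL_HEADERS.size` would keep the two counts from drifting apart.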
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
@@ -1,20 +1,18 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
5
|
-
prerelease:
|
4
|
+
version: 1.2.0
|
6
5
|
platform: ruby
|
7
6
|
authors:
|
8
7
|
- Neil Matatall
|
9
8
|
autorequire:
|
10
9
|
bindir: bin
|
11
10
|
cert_chain: []
|
12
|
-
date:
|
11
|
+
date: 2014-06-13 00:00:00.000000000 Z
|
13
12
|
dependencies:
|
14
13
|
- !ruby/object:Gem::Dependency
|
15
14
|
name: rake
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
17
|
-
none: false
|
18
16
|
requirements:
|
19
17
|
- - ! '>='
|
20
18
|
- !ruby/object:Gem::Version
|
@@ -22,7 +20,6 @@ dependencies:
|
|
22
20
|
type: :development
|
23
21
|
prerelease: false
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
25
|
-
none: false
|
26
23
|
requirements:
|
27
24
|
- - ! '>='
|
28
25
|
- !ruby/object:Gem::Version
|
@@ -35,7 +32,8 @@ extensions: []
|
|
35
32
|
extra_rdoc_files: []
|
36
33
|
files:
|
37
34
|
- .gitignore
|
38
|
-
- .
|
35
|
+
- .ruby-gemset
|
36
|
+
- .ruby-version
|
39
37
|
- .travis.yml
|
40
38
|
- Gemfile
|
41
39
|
- Guardfile
|
@@ -153,27 +151,26 @@ files:
|
|
153
151
|
homepage: https://github.com/twitter/secureheaders
|
154
152
|
licenses:
|
155
153
|
- Apache Public License 2.0
|
154
|
+
metadata: {}
|
156
155
|
post_install_message:
|
157
156
|
rdoc_options: []
|
158
157
|
require_paths:
|
159
158
|
- lib
|
160
159
|
required_ruby_version: !ruby/object:Gem::Requirement
|
161
|
-
none: false
|
162
160
|
requirements:
|
163
161
|
- - ! '>='
|
164
162
|
- !ruby/object:Gem::Version
|
165
163
|
version: '0'
|
166
164
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
167
|
-
none: false
|
168
165
|
requirements:
|
169
166
|
- - ! '>='
|
170
167
|
- !ruby/object:Gem::Version
|
171
168
|
version: '0'
|
172
169
|
requirements: []
|
173
170
|
rubyforge_project:
|
174
|
-
rubygems_version:
|
171
|
+
rubygems_version: 2.2.2
|
175
172
|
signing_key:
|
176
|
-
specification_version:
|
173
|
+
specification_version: 4
|
177
174
|
summary: Add easily configured browser headers to responses including content security
|
178
175
|
policy, x-frame-options, strict-transport-security and more.
|
179
176
|
test_files:
|
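--- a/data/.rvmrc
+++ /dev/null
@@ -1 +0,0 @@
-rvm use 1.9.3@secureheaders --create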