secure_headers 1.1.1 → 1.2.0
- checksums.yaml +15 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -0
- data/Gemfile +0 -2
- data/Guardfile +1 -5
- data/HISTORY.md +16 -0
- data/README.md +18 -15
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +0 -1
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +0 -1
- data/lib/secure_headers/headers/content_security_policy.rb +15 -20
- data/lib/secure_headers/version.rb +1 -1
- data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +77 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +20 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +18 -18
- data/spec/lib/secure_headers_spec.rb +11 -11
- data/spec/spec_helper.rb +0 -1
- metadata +7 -10
- data/.rvmrc +0 -1
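--- a/data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb
@@ -1,33 +1,33 @@
 module SecureHeaders
 describe XContentTypeOptions do
-specify{ XContentTypeOptions.new.name.
+specify{ expect(XContentTypeOptions.new.name).to eq("X-Content-Type-Options") }
 
 describe "#value" do
-specify { XContentTypeOptions.new.value.
-specify { XContentTypeOptions.new("nosniff").value.
-specify { XContentTypeOptions.new(:value => 'nosniff').value.
+specify { expect(XContentTypeOptions.new.value).to eq(XContentTypeOptions::Constants::DEFAULT_VALUE)}
+specify { expect(XContentTypeOptions.new("nosniff").value).to eq("nosniff")}
+specify { expect(XContentTypeOptions.new(:value => 'nosniff').value).to eq("nosniff")}
 
 context "invalid configuration values" do
 it "accepts nosniff" do
-
+expect {
 XContentTypeOptions.new("nosniff")
-}.
+}.not_to raise_error
 
-
+expect {
 XContentTypeOptions.new(:value => "nosniff")
-}.
+}.not_to raise_error
 end
 
 it "accepts nil" do
-
+expect {
 XContentTypeOptions.new
-}.
+}.not_to raise_error
 end
 
 it "doesn't accept anything besides no-sniff" do
-
+expect {
 XContentTypeOptions.new("donkey")
-}.
+}.to raise_error
 end
 end
 end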
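Review bot: The rewritten `}.to raise_error` on new line 30 (the "doesn't accept anything besides no-sniff" example) names no error class, so it is satisfied by any exception — a NoMethodError from a typo in the spec passes it just as well as the intended validation failure — and RSpec 3 warns about the bare form. The sibling specs in this release pin the class (`raise_error(XFOBuildError)`, `raise_error(XXssProtectionBuildError)`); pinning the build error that XContentTypeOptions raises on a bad value would keep this example as strict as those. The enclosing context is labelled "invalid configuration values" while three of its four examples check that valid input is accepted; that description line is unchanged here, but something like `context "configuration values" do` would read more accurately.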
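--- a/data/spec/lib/secure_headers/headers/x_frame_options_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_frame_options_spec.rb
@@ -2,34 +2,34 @@ require 'spec_helper'
 
 module SecureHeaders
 describe XFrameOptions do
-specify{ XFrameOptions.new.name.
+specify{ expect(XFrameOptions.new.name).to eq("X-Frame-Options") }
 
 describe "#value" do
-specify { XFrameOptions.new.value.
-specify { XFrameOptions.new("SAMEORIGIN").value.
-specify { XFrameOptions.new(:value => 'DENY').value.
+specify { expect(XFrameOptions.new.value).to eq(XFrameOptions::Constants::DEFAULT_VALUE)}
+specify { expect(XFrameOptions.new("SAMEORIGIN").value).to eq("SAMEORIGIN")}
+specify { expect(XFrameOptions.new(:value => 'DENY').value).to eq("DENY")}
 
 context "with invalid configuration" do
 it "allows SAMEORIGIN" do
-
+expect {
 XFrameOptions.new("SAMEORIGIN").value
-}.
+}.not_to raise_error
 end
 
 it "allows DENY" do
-
+expect {
 XFrameOptions.new("DENY").value
-}.
+}.not_to raise_error end
 
 it "allows ALLOW-FROM*" do
-
+expect {
 XFrameOptions.new("ALLOW-FROM: example.com").value
-}.
+}.not_to raise_error
 end
 it "does not allow garbage" do
-
+expect {
 XFrameOptions.new("I like turtles").value
-}.
+}.to raise_error(XFOBuildError)
 end
 end
 end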
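Review bot: New line 22, `}.not_to raise_error end`, closes the "allows DENY" example on the same line as the matcher; Ruby parses it, but it is the only example in the file laid out that way and the trailing `end` is easy to misread as part of the expectation. Putting `}.not_to raise_error` on one line and `end` on the next, as every neighbouring example does, would keep the layout uniform now that the file is being rewritten anyway. The same pass could restore the blank line between the "allows ALLOW-FROM*" and "does not allow garbage" examples (context lines 28-29), which is the only pair in the file not separated by one.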
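--- a/data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb
@@ -1,50 +1,50 @@
 module SecureHeaders
 describe XXssProtection do
-specify { XXssProtection.new.name.
-specify { XXssProtection.new.value.
-specify { XXssProtection.new("0").value.
-specify { XXssProtection.new(:value => 1, :mode => 'block').value.
+specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}
+specify { expect(XXssProtection.new.value).to eq("1")}
+specify { expect(XXssProtection.new("0").value).to eq("0")}
+specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
 
 context "with invalid configuration" do
 it "should raise an error when providing a string that is not valid" do
-
+expect {
 XXssProtection.new("asdf")
-}.
+}.to raise_error(XXssProtectionBuildError)
 
-
+expect {
 XXssProtection.new("asdf; mode=donkey")
-}.
+}.to raise_error(XXssProtectionBuildError)
 end
 
 context "when using a hash value" do
 it "should allow string values ('1' or '0' are the only valid strings)" do
-
+expect {
 XXssProtection.new(:value => '1')
-}.
+}.not_to raise_error
 end
 
 it "should allow integer values (1 or 0 are the only valid integers)" do
-
+expect {
 XXssProtection.new(:value => 1)
-}.
+}.not_to raise_error
 end
 
 it "should raise an error if no value key is supplied" do
-
+expect {
 XXssProtection.new(:mode => 'block')
-}.
+}.to raise_error(XXssProtectionBuildError)
 end
 
 it "should raise an error if an invalid key is supplied" do
-
+expect {
 XXssProtection.new(:value => 123)
-}.
+}.to raise_error(XXssProtectionBuildError)
 end
 
 it "should raise an error if mode != block" do
-
+expect {
 XXssProtection.new(:value => 1, :mode => "donkey")
-}.
+}.to raise_error(XXssProtectionBuildError)
 end
 end
 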
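Review bot: New line 3 asserts `XXssProtection.new.name` against `X_XSS_PROTECTION_HEADER_NAME` rather than a literal; if the implementation derives its name from that same constant (not visible here, but the naming suggests it), the example can never fail on a wrong header name, and it diverges from the two sibling specs in this release, which pin the literal string. `expect(XXssProtection.new.name).to eq("X-XSS-Protection")` would turn it into an actual check of what goes on the wire. The remaining converted examples pin `XXssProtectionBuildError` consistently.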
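--- a/data/spec/lib/secure_headers_spec.rb
+++ b/data/spec/lib/secure_headers_spec.rb
@@ -13,9 +13,9 @@ describe SecureHeaders do
 
 before(:each) do
 stub_user_agent(nil)
-headers.
-subject.
-subject.
+allow(headers).to receive(:[])
+allow(subject).to receive(:response).and_return(response)
+allow(subject).to receive(:request).and_return(request)
 end
 
 ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
@@ -32,15 +32,15 @@ describe SecureHeaders do
 }
 
 def should_assign_header name, value
-response.headers.
+expect(response.headers).to receive(:[]=).with(name, value)
 end
 
 def should_not_assign_header name
-response.headers.
+expect(response.headers).not_to receive(:[]=).with(name, anything)
 end
 
 def stub_user_agent val
-request.
+allow(request).to receive_message_chain(:env, :[]).and_return(val)
 end
 
 def options_for header
@@ -68,7 +68,7 @@ describe SecureHeaders do
 describe "#ensure_security_headers" do
 it "sets a before filter" do
 options = {}
-DummyClass.
+expect(DummyClass).to receive(:before_filter).exactly(5).times
 DummyClass.ensure_security_headers(options)
 end
 end
@@ -87,13 +87,13 @@ describe SecureHeaders do
 
 describe "#set_security_headers" do
 before(:each) do
-SecureHeaders::ContentSecurityPolicy.
+allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
 end
 USER_AGENTS.each do |name, useragent|
 it "sets all default headers for #{name} (smoke test)" do
 stub_user_agent(useragent)
 number_of_headers = 5
-subject.
+expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
 subject.set_csp_header
 subject.set_x_frame_options_header
 subject.set_hsts_header
@@ -124,7 +124,7 @@ describe SecureHeaders do
 end
 
 it "does not set the HSTS header if request is over HTTP" do
-subject.
+allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
 should_not_assign_header(HSTS_HEADER_NAME)
 subject.set_hsts_header({:include_subdomains => true})
 end
@@ -144,7 +144,7 @@ describe SecureHeaders do
 config.x_xss_protection = false
 config.csp = false
 end
-subject.
+expect(subject).not_to receive(:set_header)
 set_security_headers(subject)
 reset_config
 end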
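Review bot: New line 71 in the `#ensure_security_headers` hunk hard-codes `exactly(5).times`, while `ALL_HEADERS` (line 21 in the first hunk) already enumerates the five header keys; `expect(DummyClass).to receive(:before_filter).exactly(ALL_HEADERS.size).times` would keep the expectation tied to that list when a header is added or dropped, and the unchanged `number_of_headers = 5` in the `#set_security_headers` hunk could be derived from the same source. The two `receive_message_chain` stubs (new lines 43 and 127) are a direct port of the old chains; rspec-mocks documents message chains as a sign that a test is reaching through an object, so stubbing `request` with a double that answers `env` and `ssl?` directly would be easier to follow, though that goes beyond the syntax migration this release set out to make. Every hunk here sits inside `describe SecureHeaders do`, whose start and end lie outside the hunks.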
data/spec/spec_helper.rb
CHANGED
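--- a/metadata
+++ b/metadata
@@ -1,20 +1,18 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 1.
-prerelease:
+version: 1.2.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2014-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ! '>='
 - !ruby/object:Gem::Version
@@ -22,7 +20,6 @@ dependencies:
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ! '>='
 - !ruby/object:Gem::Version
@@ -35,7 +32,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
-- .
+- .ruby-gemset
+- .ruby-version
 - .travis.yml
 - Gemfile
 - Guardfile
@@ -153,27 +151,26 @@ files:
 homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ! '>='
 - !ruby/object:Gem::Version
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-none: false
 requirements:
 - - ! '>='
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version:
+rubygems_version: 2.2.2
 signing_key:
-specification_version:
+specification_version: 4
 summary: Add easily configured browser headers to responses including content security
 policy, x-frame-options, strict-transport-security and more.
 test_files: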
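--- a/data/.rvmrc
+++ /dev/null
@@ -1 +0,0 @@
-rvm use 1.9.3@secureheaders --create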