secure_headers 1.1.1 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -0
- data/Gemfile +0 -4
- data/Guardfile +1 -5
- data/HISTORY.md +12 -0
- data/README.md +55 -26
- data/fixtures/rails_3_2_12/Gemfile +0 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +10 -14
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -2
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/lib/secure_headers/headers/content_security_policy.rb +39 -34
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/version.rb +1 -1
- data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +105 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +20 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +18 -18
- data/spec/lib/secure_headers_spec.rb +11 -11
- data/spec/spec_helper.rb +9 -24
- metadata +8 -12
- data/.rvmrc +0 -1
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
|
@@ -2,34 +2,34 @@ require 'spec_helper'
|
|
|
2
2
|
|
|
3
3
|
module SecureHeaders
|
|
4
4
|
describe XFrameOptions do
|
|
5
|
-
specify{ XFrameOptions.new.name.
|
|
5
|
+
specify{ expect(XFrameOptions.new.name).to eq("X-Frame-Options") }
|
|
6
6
|
|
|
7
7
|
describe "#value" do
|
|
8
|
-
specify { XFrameOptions.new.value.
|
|
9
|
-
specify { XFrameOptions.new("SAMEORIGIN").value.
|
|
10
|
-
specify { XFrameOptions.new(:value => 'DENY').value.
|
|
8
|
+
specify { expect(XFrameOptions.new.value).to eq(XFrameOptions::Constants::DEFAULT_VALUE)}
|
|
9
|
+
specify { expect(XFrameOptions.new("SAMEORIGIN").value).to eq("SAMEORIGIN")}
|
|
10
|
+
specify { expect(XFrameOptions.new(:value => 'DENY').value).to eq("DENY")}
|
|
11
11
|
|
|
12
12
|
context "with invalid configuration" do
|
|
13
13
|
it "allows SAMEORIGIN" do
|
|
14
|
-
|
|
14
|
+
expect {
|
|
15
15
|
XFrameOptions.new("SAMEORIGIN").value
|
|
16
|
-
}.
|
|
16
|
+
}.not_to raise_error
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
it "allows DENY" do
|
|
20
|
-
|
|
20
|
+
expect {
|
|
21
21
|
XFrameOptions.new("DENY").value
|
|
22
|
-
}.
|
|
22
|
+
}.not_to raise_error end
|
|
23
23
|
|
|
24
24
|
it "allows ALLOW-FROM*" do
|
|
25
|
-
|
|
25
|
+
expect {
|
|
26
26
|
XFrameOptions.new("ALLOW-FROM: example.com").value
|
|
27
|
-
}.
|
|
27
|
+
}.not_to raise_error
|
|
28
28
|
end
|
|
29
29
|
it "does not allow garbage" do
|
|
30
|
-
|
|
30
|
+
expect {
|
|
31
31
|
XFrameOptions.new("I like turtles").value
|
|
32
|
-
}.
|
|
32
|
+
}.to raise_error(XFOBuildError)
|
|
33
33
|
end
|
|
34
34
|
end
|
|
35
35
|
end
|
|
@@ -1,50 +1,50 @@
|
|
|
1
1
|
module SecureHeaders
|
|
2
2
|
describe XXssProtection do
|
|
3
|
-
specify { XXssProtection.new.name.
|
|
4
|
-
specify { XXssProtection.new.value.
|
|
5
|
-
specify { XXssProtection.new("0").value.
|
|
6
|
-
specify { XXssProtection.new(:value => 1, :mode => 'block').value.
|
|
3
|
+
specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}
|
|
4
|
+
specify { expect(XXssProtection.new.value).to eq("1")}
|
|
5
|
+
specify { expect(XXssProtection.new("0").value).to eq("0")}
|
|
6
|
+
specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
|
|
7
7
|
|
|
8
8
|
context "with invalid configuration" do
|
|
9
9
|
it "should raise an error when providing a string that is not valid" do
|
|
10
|
-
|
|
10
|
+
expect {
|
|
11
11
|
XXssProtection.new("asdf")
|
|
12
|
-
}.
|
|
12
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
expect {
|
|
15
15
|
XXssProtection.new("asdf; mode=donkey")
|
|
16
|
-
}.
|
|
16
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
context "when using a hash value" do
|
|
20
20
|
it "should allow string values ('1' or '0' are the only valid strings)" do
|
|
21
|
-
|
|
21
|
+
expect {
|
|
22
22
|
XXssProtection.new(:value => '1')
|
|
23
|
-
}.
|
|
23
|
+
}.not_to raise_error
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
it "should allow integer values (1 or 0 are the only valid integers)" do
|
|
27
|
-
|
|
27
|
+
expect {
|
|
28
28
|
XXssProtection.new(:value => 1)
|
|
29
|
-
}.
|
|
29
|
+
}.not_to raise_error
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
it "should raise an error if no value key is supplied" do
|
|
33
|
-
|
|
33
|
+
expect {
|
|
34
34
|
XXssProtection.new(:mode => 'block')
|
|
35
|
-
}.
|
|
35
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
it "should raise an error if an invalid key is supplied" do
|
|
39
|
-
|
|
39
|
+
expect {
|
|
40
40
|
XXssProtection.new(:value => 123)
|
|
41
|
-
}.
|
|
41
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
it "should raise an error if mode != block" do
|
|
45
|
-
|
|
45
|
+
expect {
|
|
46
46
|
XXssProtection.new(:value => 1, :mode => "donkey")
|
|
47
|
-
}.
|
|
47
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
48
48
|
end
|
|
49
49
|
end
|
|
50
50
|
|
|
@@ -13,9 +13,9 @@ describe SecureHeaders do
|
|
|
13
13
|
|
|
14
14
|
before(:each) do
|
|
15
15
|
stub_user_agent(nil)
|
|
16
|
-
headers.
|
|
17
|
-
subject.
|
|
18
|
-
subject.
|
|
16
|
+
allow(headers).to receive(:[])
|
|
17
|
+
allow(subject).to receive(:response).and_return(response)
|
|
18
|
+
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
|
|
@@ -32,15 +32,15 @@ describe SecureHeaders do
|
|
|
32
32
|
}
|
|
33
33
|
|
|
34
34
|
def should_assign_header name, value
|
|
35
|
-
response.headers.
|
|
35
|
+
expect(response.headers).to receive(:[]=).with(name, value)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
def should_not_assign_header name
|
|
39
|
-
response.headers.
|
|
39
|
+
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
def stub_user_agent val
|
|
43
|
-
request.
|
|
43
|
+
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
def options_for header
|
|
@@ -68,7 +68,7 @@ describe SecureHeaders do
|
|
|
68
68
|
describe "#ensure_security_headers" do
|
|
69
69
|
it "sets a before filter" do
|
|
70
70
|
options = {}
|
|
71
|
-
DummyClass.
|
|
71
|
+
expect(DummyClass).to receive(:before_filter).exactly(5).times
|
|
72
72
|
DummyClass.ensure_security_headers(options)
|
|
73
73
|
end
|
|
74
74
|
end
|
|
@@ -87,13 +87,13 @@ describe SecureHeaders do
|
|
|
87
87
|
|
|
88
88
|
describe "#set_security_headers" do
|
|
89
89
|
before(:each) do
|
|
90
|
-
SecureHeaders::ContentSecurityPolicy.
|
|
90
|
+
allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
|
|
91
91
|
end
|
|
92
92
|
USER_AGENTS.each do |name, useragent|
|
|
93
93
|
it "sets all default headers for #{name} (smoke test)" do
|
|
94
94
|
stub_user_agent(useragent)
|
|
95
95
|
number_of_headers = 5
|
|
96
|
-
subject.
|
|
96
|
+
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
|
97
97
|
subject.set_csp_header
|
|
98
98
|
subject.set_x_frame_options_header
|
|
99
99
|
subject.set_hsts_header
|
|
@@ -124,7 +124,7 @@ describe SecureHeaders do
|
|
|
124
124
|
end
|
|
125
125
|
|
|
126
126
|
it "does not set the HSTS header if request is over HTTP" do
|
|
127
|
-
subject.
|
|
127
|
+
allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
|
|
128
128
|
should_not_assign_header(HSTS_HEADER_NAME)
|
|
129
129
|
subject.set_hsts_header({:include_subdomains => true})
|
|
130
130
|
end
|
|
@@ -144,7 +144,7 @@ describe SecureHeaders do
|
|
|
144
144
|
config.x_xss_protection = false
|
|
145
145
|
config.csp = false
|
|
146
146
|
end
|
|
147
|
-
subject.
|
|
147
|
+
expect(subject).not_to receive(:set_header)
|
|
148
148
|
set_security_headers(subject)
|
|
149
149
|
reset_config
|
|
150
150
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -1,25 +1,10 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require '
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
Spork.prefork do
|
|
12
|
-
require 'pry'
|
|
13
|
-
require 'rspec'
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
Spork.each_run do
|
|
17
|
-
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
18
|
-
require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
|
|
19
|
-
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
20
|
-
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
21
|
-
include ::SecureHeaders::XFrameOptions::Constants
|
|
22
|
-
include ::SecureHeaders::XXssProtection::Constants
|
|
23
|
-
include ::SecureHeaders::XContentTypeOptions::Constants
|
|
24
|
-
end
|
|
25
|
-
|
|
2
|
+
require 'rspec'
|
|
3
|
+
|
|
4
|
+
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
5
|
+
require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
|
|
6
|
+
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
7
|
+
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
8
|
+
include ::SecureHeaders::XFrameOptions::Constants
|
|
9
|
+
include ::SecureHeaders::XXssProtection::Constants
|
|
10
|
+
include ::SecureHeaders::XContentTypeOptions::Constants
|
metadata
CHANGED
|
@@ -1,20 +1,18 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 1.3.0
|
|
6
5
|
platform: ruby
|
|
7
6
|
authors:
|
|
8
7
|
- Neil Matatall
|
|
9
8
|
autorequire:
|
|
10
9
|
bindir: bin
|
|
11
10
|
cert_chain: []
|
|
12
|
-
date:
|
|
11
|
+
date: 2014-08-09 00:00:00.000000000 Z
|
|
13
12
|
dependencies:
|
|
14
13
|
- !ruby/object:Gem::Dependency
|
|
15
14
|
name: rake
|
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
-
none: false
|
|
18
16
|
requirements:
|
|
19
17
|
- - ! '>='
|
|
20
18
|
- !ruby/object:Gem::Version
|
|
@@ -22,7 +20,6 @@ dependencies:
|
|
|
22
20
|
type: :development
|
|
23
21
|
prerelease: false
|
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
-
none: false
|
|
26
23
|
requirements:
|
|
27
24
|
- - ! '>='
|
|
28
25
|
- !ruby/object:Gem::Version
|
|
@@ -35,7 +32,8 @@ extensions: []
|
|
|
35
32
|
extra_rdoc_files: []
|
|
36
33
|
files:
|
|
37
34
|
- .gitignore
|
|
38
|
-
- .
|
|
35
|
+
- .ruby-gemset
|
|
36
|
+
- .ruby-version
|
|
39
37
|
- .travis.yml
|
|
40
38
|
- Gemfile
|
|
41
39
|
- Guardfile
|
|
@@ -48,7 +46,6 @@ files:
|
|
|
48
46
|
- config/routes.rb
|
|
49
47
|
- fixtures/rails_3_2_12/.rspec
|
|
50
48
|
- fixtures/rails_3_2_12/Gemfile
|
|
51
|
-
- fixtures/rails_3_2_12/Guardfile
|
|
52
49
|
- fixtures/rails_3_2_12/README.rdoc
|
|
53
50
|
- fixtures/rails_3_2_12/Rakefile
|
|
54
51
|
- fixtures/rails_3_2_12/app/controllers/application_controller.rb
|
|
@@ -89,7 +86,6 @@ files:
|
|
|
89
86
|
- fixtures/rails_3_2_12/vendor/plugins/.gitkeep
|
|
90
87
|
- fixtures/rails_3_2_12_no_init/.rspec
|
|
91
88
|
- fixtures/rails_3_2_12_no_init/Gemfile
|
|
92
|
-
- fixtures/rails_3_2_12_no_init/Guardfile
|
|
93
89
|
- fixtures/rails_3_2_12_no_init/README.rdoc
|
|
94
90
|
- fixtures/rails_3_2_12_no_init/Rakefile
|
|
95
91
|
- fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
|
|
@@ -138,6 +134,7 @@ files:
|
|
|
138
134
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
139
135
|
- lib/secure_headers/headers/x_frame_options.rb
|
|
140
136
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
137
|
+
- lib/secure_headers/padrino.rb
|
|
141
138
|
- lib/secure_headers/railtie.rb
|
|
142
139
|
- lib/secure_headers/version.rb
|
|
143
140
|
- secure_headers.gemspec
|
|
@@ -153,27 +150,26 @@ files:
|
|
|
153
150
|
homepage: https://github.com/twitter/secureheaders
|
|
154
151
|
licenses:
|
|
155
152
|
- Apache Public License 2.0
|
|
153
|
+
metadata: {}
|
|
156
154
|
post_install_message:
|
|
157
155
|
rdoc_options: []
|
|
158
156
|
require_paths:
|
|
159
157
|
- lib
|
|
160
158
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
161
|
-
none: false
|
|
162
159
|
requirements:
|
|
163
160
|
- - ! '>='
|
|
164
161
|
- !ruby/object:Gem::Version
|
|
165
162
|
version: '0'
|
|
166
163
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
167
|
-
none: false
|
|
168
164
|
requirements:
|
|
169
165
|
- - ! '>='
|
|
170
166
|
- !ruby/object:Gem::Version
|
|
171
167
|
version: '0'
|
|
172
168
|
requirements: []
|
|
173
169
|
rubyforge_project:
|
|
174
|
-
rubygems_version: 1.
|
|
170
|
+
rubygems_version: 2.1.1
|
|
175
171
|
signing_key:
|
|
176
|
-
specification_version:
|
|
172
|
+
specification_version: 4
|
|
177
173
|
summary: Add easily configured browser headers to responses including content security
|
|
178
174
|
policy, x-frame-options, strict-transport-security and more.
|
|
179
175
|
test_files:
|
data/.rvmrc
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
rvm use 1.9.3@secureheaders --create
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
guard 'spork', :rspec_port => 1234, :aggressive_kill => false do
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --drb-port 1234", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
6
|
-
watch(%r{^spec/.+_spec\.rb$})
|
|
7
|
-
watch('../../../lib')
|
|
8
|
-
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
9
|
-
watch('spec/spec_helper.rb') { "spec" }
|
|
10
|
-
watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
|
|
11
|
-
watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
|
|
12
|
-
watch('app/controllers/application_controller.rb') { "spec/controllers" }
|
|
13
|
-
end
|
|
14
|
-
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
guard 'spork', :rspec_port => 1235, :aggressive_kill => false do
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --drb-port 1235", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
6
|
-
watch(%r{^spec/.+_spec\.rb$})
|
|
7
|
-
watch('../../../lib')
|
|
8
|
-
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
9
|
-
watch('spec/spec_helper.rb') { "spec" }
|
|
10
|
-
watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
|
|
11
|
-
watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
|
|
12
|
-
watch('app/controllers/application_controller.rb') { "spec/controllers" }
|
|
13
|
-
end
|
|
14
|
-
|