secure_headers 1.1.1 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. checksums.yaml +15 -0
  2. data/.ruby-gemset +1 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +2 -0
  5. data/Gemfile +0 -4
  6. data/Guardfile +1 -5
  7. data/HISTORY.md +12 -0
  8. data/README.md +55 -26
  9. data/fixtures/rails_3_2_12/Gemfile +0 -2
  10. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
  11. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +10 -14
  12. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +7 -12
  13. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
  14. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -2
  15. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -12
  16. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +7 -12
  17. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
  18. data/lib/secure_headers/headers/content_security_policy.rb +39 -34
  19. data/lib/secure_headers/padrino.rb +14 -0
  20. data/lib/secure_headers/version.rb +1 -1
  21. data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
  22. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +105 -85
  23. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +20 -20
  24. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
  25. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
  26. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +18 -18
  27. data/spec/lib/secure_headers_spec.rb +11 -11
  28. data/spec/spec_helper.rb +9 -24
  29. metadata +8 -12
  30. data/.rvmrc +0 -1
  31. data/fixtures/rails_3_2_12/Guardfile +0 -14
  32. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
@@ -2,34 +2,34 @@ require 'spec_helper'
2
2
 
3
3
  module SecureHeaders
4
4
  describe XFrameOptions do
5
- specify{ XFrameOptions.new.name.should == "X-Frame-Options" }
5
+ specify{ expect(XFrameOptions.new.name).to eq("X-Frame-Options") }
6
6
 
7
7
  describe "#value" do
8
- specify { XFrameOptions.new.value.should == XFrameOptions::Constants::DEFAULT_VALUE}
9
- specify { XFrameOptions.new("SAMEORIGIN").value.should == "SAMEORIGIN"}
10
- specify { XFrameOptions.new(:value => 'DENY').value.should == "DENY"}
8
+ specify { expect(XFrameOptions.new.value).to eq(XFrameOptions::Constants::DEFAULT_VALUE)}
9
+ specify { expect(XFrameOptions.new("SAMEORIGIN").value).to eq("SAMEORIGIN")}
10
+ specify { expect(XFrameOptions.new(:value => 'DENY').value).to eq("DENY")}
11
11
 
12
12
  context "with invalid configuration" do
13
13
  it "allows SAMEORIGIN" do
14
- lambda {
14
+ expect {
15
15
  XFrameOptions.new("SAMEORIGIN").value
16
- }.should_not raise_error
16
+ }.not_to raise_error
17
17
  end
18
18
 
19
19
  it "allows DENY" do
20
- lambda {
20
+ expect {
21
21
  XFrameOptions.new("DENY").value
22
- }.should_not raise_error end
22
+ }.not_to raise_error end
23
23
 
24
24
  it "allows ALLOW-FROM*" do
25
- lambda {
25
+ expect {
26
26
  XFrameOptions.new("ALLOW-FROM: example.com").value
27
- }.should_not raise_error
27
+ }.not_to raise_error
28
28
  end
29
29
  it "does not allow garbage" do
30
- lambda {
30
+ expect {
31
31
  XFrameOptions.new("I like turtles").value
32
- }.should raise_error(XFOBuildError)
32
+ }.to raise_error(XFOBuildError)
33
33
  end
34
34
  end
35
35
  end
@@ -1,50 +1,50 @@
1
1
  module SecureHeaders
2
2
  describe XXssProtection do
3
- specify { XXssProtection.new.name.should == X_XSS_PROTECTION_HEADER_NAME}
4
- specify { XXssProtection.new.value.should == "1"}
5
- specify { XXssProtection.new("0").value.should == "0"}
6
- specify { XXssProtection.new(:value => 1, :mode => 'block').value.should == '1; mode=block' }
3
+ specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}
4
+ specify { expect(XXssProtection.new.value).to eq("1")}
5
+ specify { expect(XXssProtection.new("0").value).to eq("0")}
6
+ specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
7
7
 
8
8
  context "with invalid configuration" do
9
9
  it "should raise an error when providing a string that is not valid" do
10
- lambda {
10
+ expect {
11
11
  XXssProtection.new("asdf")
12
- }.should raise_error(XXssProtectionBuildError)
12
+ }.to raise_error(XXssProtectionBuildError)
13
13
 
14
- lambda {
14
+ expect {
15
15
  XXssProtection.new("asdf; mode=donkey")
16
- }.should raise_error(XXssProtectionBuildError)
16
+ }.to raise_error(XXssProtectionBuildError)
17
17
  end
18
18
 
19
19
  context "when using a hash value" do
20
20
  it "should allow string values ('1' or '0' are the only valid strings)" do
21
- lambda {
21
+ expect {
22
22
  XXssProtection.new(:value => '1')
23
- }.should_not raise_error
23
+ }.not_to raise_error
24
24
  end
25
25
 
26
26
  it "should allow integer values (1 or 0 are the only valid integers)" do
27
- lambda {
27
+ expect {
28
28
  XXssProtection.new(:value => 1)
29
- }.should_not raise_error
29
+ }.not_to raise_error
30
30
  end
31
31
 
32
32
  it "should raise an error if no value key is supplied" do
33
- lambda {
33
+ expect {
34
34
  XXssProtection.new(:mode => 'block')
35
- }.should raise_error(XXssProtectionBuildError)
35
+ }.to raise_error(XXssProtectionBuildError)
36
36
  end
37
37
 
38
38
  it "should raise an error if an invalid key is supplied" do
39
- lambda {
39
+ expect {
40
40
  XXssProtection.new(:value => 123)
41
- }.should raise_error(XXssProtectionBuildError)
41
+ }.to raise_error(XXssProtectionBuildError)
42
42
  end
43
43
 
44
44
  it "should raise an error if mode != block" do
45
- lambda {
45
+ expect {
46
46
  XXssProtection.new(:value => 1, :mode => "donkey")
47
- }.should raise_error(XXssProtectionBuildError)
47
+ }.to raise_error(XXssProtectionBuildError)
48
48
  end
49
49
  end
50
50
 
@@ -13,9 +13,9 @@ describe SecureHeaders do
13
13
 
14
14
  before(:each) do
15
15
  stub_user_agent(nil)
16
- headers.stub(:[])
17
- subject.stub(:response).and_return(response)
18
- subject.stub(:request).and_return(request)
16
+ allow(headers).to receive(:[])
17
+ allow(subject).to receive(:response).and_return(response)
18
+ allow(subject).to receive(:request).and_return(request)
19
19
  end
20
20
 
21
21
  ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
@@ -32,15 +32,15 @@ describe SecureHeaders do
32
32
  }
33
33
 
34
34
  def should_assign_header name, value
35
- response.headers.should_receive(:[]=).with(name, value)
35
+ expect(response.headers).to receive(:[]=).with(name, value)
36
36
  end
37
37
 
38
38
  def should_not_assign_header name
39
- response.headers.should_not_receive(:[]=).with(name, anything)
39
+ expect(response.headers).not_to receive(:[]=).with(name, anything)
40
40
  end
41
41
 
42
42
  def stub_user_agent val
43
- request.stub_chain(:env, :[]).and_return(val)
43
+ allow(request).to receive_message_chain(:env, :[]).and_return(val)
44
44
  end
45
45
 
46
46
  def options_for header
@@ -68,7 +68,7 @@ describe SecureHeaders do
68
68
  describe "#ensure_security_headers" do
69
69
  it "sets a before filter" do
70
70
  options = {}
71
- DummyClass.should_receive(:before_filter).exactly(5).times
71
+ expect(DummyClass).to receive(:before_filter).exactly(5).times
72
72
  DummyClass.ensure_security_headers(options)
73
73
  end
74
74
  end
@@ -87,13 +87,13 @@ describe SecureHeaders do
87
87
 
88
88
  describe "#set_security_headers" do
89
89
  before(:each) do
90
- SecureHeaders::ContentSecurityPolicy.stub(:new).and_return(double.as_null_object)
90
+ allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
91
91
  end
92
92
  USER_AGENTS.each do |name, useragent|
93
93
  it "sets all default headers for #{name} (smoke test)" do
94
94
  stub_user_agent(useragent)
95
95
  number_of_headers = 5
96
- subject.should_receive(:set_header).exactly(number_of_headers).times # a request for a given header
96
+ expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
97
97
  subject.set_csp_header
98
98
  subject.set_x_frame_options_header
99
99
  subject.set_hsts_header
@@ -124,7 +124,7 @@ describe SecureHeaders do
124
124
  end
125
125
 
126
126
  it "does not set the HSTS header if request is over HTTP" do
127
- subject.stub_chain(:request, :ssl?).and_return(false)
127
+ allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
128
128
  should_not_assign_header(HSTS_HEADER_NAME)
129
129
  subject.set_hsts_header({:include_subdomains => true})
130
130
  end
@@ -144,7 +144,7 @@ describe SecureHeaders do
144
144
  config.x_xss_protection = false
145
145
  config.csp = false
146
146
  end
147
- subject.should_not_receive(:set_header)
147
+ expect(subject).not_to receive(:set_header)
148
148
  set_security_headers(subject)
149
149
  reset_config
150
150
  end
data/spec/spec_helper.rb CHANGED
@@ -1,25 +1,10 @@
1
1
  require 'rubygems'
2
- require 'spork'
3
-
4
- unless Spork.using_spork?
5
- require 'simplecov'
6
- SimpleCov.start do
7
- add_filter "spec"
8
- end
9
- end
10
-
11
- Spork.prefork do
12
- require 'pry'
13
- require 'rspec'
14
- end
15
-
16
- Spork.each_run do
17
- require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
18
- require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
19
- include ::SecureHeaders::StrictTransportSecurity::Constants
20
- include ::SecureHeaders::ContentSecurityPolicy::Constants
21
- include ::SecureHeaders::XFrameOptions::Constants
22
- include ::SecureHeaders::XXssProtection::Constants
23
- include ::SecureHeaders::XContentTypeOptions::Constants
24
- end
25
-
2
+ require 'rspec'
3
+
4
+ require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
5
+ require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
6
+ include ::SecureHeaders::StrictTransportSecurity::Constants
7
+ include ::SecureHeaders::ContentSecurityPolicy::Constants
8
+ include ::SecureHeaders::XFrameOptions::Constants
9
+ include ::SecureHeaders::XXssProtection::Constants
10
+ include ::SecureHeaders::XContentTypeOptions::Constants
metadata CHANGED
@@ -1,20 +1,18 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.1
5
- prerelease:
4
+ version: 1.3.0
6
5
  platform: ruby
7
6
  authors:
8
7
  - Neil Matatall
9
8
  autorequire:
10
9
  bindir: bin
11
10
  cert_chain: []
12
- date: 2013-12-19 00:00:00.000000000 Z
11
+ date: 2014-08-09 00:00:00.000000000 Z
13
12
  dependencies:
14
13
  - !ruby/object:Gem::Dependency
15
14
  name: rake
16
15
  requirement: !ruby/object:Gem::Requirement
17
- none: false
18
16
  requirements:
19
17
  - - ! '>='
20
18
  - !ruby/object:Gem::Version
@@ -22,7 +20,6 @@ dependencies:
22
20
  type: :development
23
21
  prerelease: false
24
22
  version_requirements: !ruby/object:Gem::Requirement
25
- none: false
26
23
  requirements:
27
24
  - - ! '>='
28
25
  - !ruby/object:Gem::Version
@@ -35,7 +32,8 @@ extensions: []
35
32
  extra_rdoc_files: []
36
33
  files:
37
34
  - .gitignore
38
- - .rvmrc
35
+ - .ruby-gemset
36
+ - .ruby-version
39
37
  - .travis.yml
40
38
  - Gemfile
41
39
  - Guardfile
@@ -48,7 +46,6 @@ files:
48
46
  - config/routes.rb
49
47
  - fixtures/rails_3_2_12/.rspec
50
48
  - fixtures/rails_3_2_12/Gemfile
51
- - fixtures/rails_3_2_12/Guardfile
52
49
  - fixtures/rails_3_2_12/README.rdoc
53
50
  - fixtures/rails_3_2_12/Rakefile
54
51
  - fixtures/rails_3_2_12/app/controllers/application_controller.rb
@@ -89,7 +86,6 @@ files:
89
86
  - fixtures/rails_3_2_12/vendor/plugins/.gitkeep
90
87
  - fixtures/rails_3_2_12_no_init/.rspec
91
88
  - fixtures/rails_3_2_12_no_init/Gemfile
92
- - fixtures/rails_3_2_12_no_init/Guardfile
93
89
  - fixtures/rails_3_2_12_no_init/README.rdoc
94
90
  - fixtures/rails_3_2_12_no_init/Rakefile
95
91
  - fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
@@ -138,6 +134,7 @@ files:
138
134
  - lib/secure_headers/headers/x_content_type_options.rb
139
135
  - lib/secure_headers/headers/x_frame_options.rb
140
136
  - lib/secure_headers/headers/x_xss_protection.rb
137
+ - lib/secure_headers/padrino.rb
141
138
  - lib/secure_headers/railtie.rb
142
139
  - lib/secure_headers/version.rb
143
140
  - secure_headers.gemspec
@@ -153,27 +150,26 @@ files:
153
150
  homepage: https://github.com/twitter/secureheaders
154
151
  licenses:
155
152
  - Apache Public License 2.0
153
+ metadata: {}
156
154
  post_install_message:
157
155
  rdoc_options: []
158
156
  require_paths:
159
157
  - lib
160
158
  required_ruby_version: !ruby/object:Gem::Requirement
161
- none: false
162
159
  requirements:
163
160
  - - ! '>='
164
161
  - !ruby/object:Gem::Version
165
162
  version: '0'
166
163
  required_rubygems_version: !ruby/object:Gem::Requirement
167
- none: false
168
164
  requirements:
169
165
  - - ! '>='
170
166
  - !ruby/object:Gem::Version
171
167
  version: '0'
172
168
  requirements: []
173
169
  rubyforge_project:
174
- rubygems_version: 1.8.25
170
+ rubygems_version: 2.1.1
175
171
  signing_key:
176
- specification_version: 3
172
+ specification_version: 4
177
173
  summary: Add easily configured browser headers to responses including content security
178
174
  policy, x-frame-options, strict-transport-security and more.
179
175
  test_files:
data/.rvmrc DELETED
@@ -1 +0,0 @@
1
- rvm use 1.9.3@secureheaders --create
@@ -1,14 +0,0 @@
1
- guard 'spork', :rspec_port => 1234, :aggressive_kill => false do
2
- watch('spec/spec_helper.rb') { :rspec }
3
- end
4
-
5
- guard 'rspec', :cli => "--color --drb --drb-port 1234", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
6
- watch(%r{^spec/.+_spec\.rb$})
7
- watch('../../../lib')
8
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
9
- watch('spec/spec_helper.rb') { "spec" }
10
- watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
11
- watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
12
- watch('app/controllers/application_controller.rb') { "spec/controllers" }
13
- end
14
-
@@ -1,14 +0,0 @@
1
- guard 'spork', :rspec_port => 1235, :aggressive_kill => false do
2
- watch('spec/spec_helper.rb') { :rspec }
3
- end
4
-
5
- guard 'rspec', :cli => "--color --drb --drb-port 1235", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
6
- watch(%r{^spec/.+_spec\.rb$})
7
- watch('../../../lib')
8
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
9
- watch('spec/spec_helper.rb') { "spec" }
10
- watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
11
- watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
12
- watch('app/controllers/application_controller.rb') { "spec/controllers" }
13
- end
14
-