secure_headers 1.1.1 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -0
- data/Gemfile +0 -4
- data/Guardfile +1 -5
- data/HISTORY.md +17 -0
- data/README.md +55 -26
- data/fixtures/rails_3_2_12/Gemfile +0 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +10 -14
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -2
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +7 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/lib/secure_headers/headers/content_security_policy.rb +46 -36
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/version.rb +1 -1
- data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +105 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +20 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +18 -18
- data/spec/lib/secure_headers_spec.rb +11 -11
- data/spec/spec_helper.rb +9 -24
- metadata +8 -12
- data/.rvmrc +0 -1
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
|
@@ -13,9 +13,9 @@ describe SecureHeaders do
|
|
|
13
13
|
|
|
14
14
|
before(:each) do
|
|
15
15
|
stub_user_agent(nil)
|
|
16
|
-
headers.
|
|
17
|
-
subject.
|
|
18
|
-
subject.
|
|
16
|
+
allow(headers).to receive(:[])
|
|
17
|
+
allow(subject).to receive(:response).and_return(response)
|
|
18
|
+
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
|
|
@@ -32,15 +32,15 @@ describe SecureHeaders do
|
|
|
32
32
|
}
|
|
33
33
|
|
|
34
34
|
def should_assign_header name, value
|
|
35
|
-
response.headers.
|
|
35
|
+
expect(response.headers).to receive(:[]=).with(name, value)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
def should_not_assign_header name
|
|
39
|
-
response.headers.
|
|
39
|
+
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
def stub_user_agent val
|
|
43
|
-
request.
|
|
43
|
+
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
def options_for header
|
|
@@ -68,7 +68,7 @@ describe SecureHeaders do
|
|
|
68
68
|
describe "#ensure_security_headers" do
|
|
69
69
|
it "sets a before filter" do
|
|
70
70
|
options = {}
|
|
71
|
-
DummyClass.
|
|
71
|
+
expect(DummyClass).to receive(:before_filter).exactly(5).times
|
|
72
72
|
DummyClass.ensure_security_headers(options)
|
|
73
73
|
end
|
|
74
74
|
end
|
|
@@ -87,13 +87,13 @@ describe SecureHeaders do
|
|
|
87
87
|
|
|
88
88
|
describe "#set_security_headers" do
|
|
89
89
|
before(:each) do
|
|
90
|
-
SecureHeaders::ContentSecurityPolicy.
|
|
90
|
+
allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
|
|
91
91
|
end
|
|
92
92
|
USER_AGENTS.each do |name, useragent|
|
|
93
93
|
it "sets all default headers for #{name} (smoke test)" do
|
|
94
94
|
stub_user_agent(useragent)
|
|
95
95
|
number_of_headers = 5
|
|
96
|
-
subject.
|
|
96
|
+
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
|
97
97
|
subject.set_csp_header
|
|
98
98
|
subject.set_x_frame_options_header
|
|
99
99
|
subject.set_hsts_header
|
|
@@ -124,7 +124,7 @@ describe SecureHeaders do
|
|
|
124
124
|
end
|
|
125
125
|
|
|
126
126
|
it "does not set the HSTS header if request is over HTTP" do
|
|
127
|
-
subject.
|
|
127
|
+
allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
|
|
128
128
|
should_not_assign_header(HSTS_HEADER_NAME)
|
|
129
129
|
subject.set_hsts_header({:include_subdomains => true})
|
|
130
130
|
end
|
|
@@ -144,7 +144,7 @@ describe SecureHeaders do
|
|
|
144
144
|
config.x_xss_protection = false
|
|
145
145
|
config.csp = false
|
|
146
146
|
end
|
|
147
|
-
subject.
|
|
147
|
+
expect(subject).not_to receive(:set_header)
|
|
148
148
|
set_security_headers(subject)
|
|
149
149
|
reset_config
|
|
150
150
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -1,25 +1,10 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require '
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
Spork.prefork do
|
|
12
|
-
require 'pry'
|
|
13
|
-
require 'rspec'
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
Spork.each_run do
|
|
17
|
-
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
18
|
-
require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
|
|
19
|
-
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
20
|
-
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
21
|
-
include ::SecureHeaders::XFrameOptions::Constants
|
|
22
|
-
include ::SecureHeaders::XXssProtection::Constants
|
|
23
|
-
include ::SecureHeaders::XContentTypeOptions::Constants
|
|
24
|
-
end
|
|
25
|
-
|
|
2
|
+
require 'rspec'
|
|
3
|
+
|
|
4
|
+
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
5
|
+
require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
|
|
6
|
+
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
7
|
+
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
8
|
+
include ::SecureHeaders::XFrameOptions::Constants
|
|
9
|
+
include ::SecureHeaders::XXssProtection::Constants
|
|
10
|
+
include ::SecureHeaders::XContentTypeOptions::Constants
|
metadata
CHANGED
|
@@ -1,20 +1,18 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 1.3.1
|
|
6
5
|
platform: ruby
|
|
7
6
|
authors:
|
|
8
7
|
- Neil Matatall
|
|
9
8
|
autorequire:
|
|
10
9
|
bindir: bin
|
|
11
10
|
cert_chain: []
|
|
12
|
-
date:
|
|
11
|
+
date: 2014-08-12 00:00:00.000000000 Z
|
|
13
12
|
dependencies:
|
|
14
13
|
- !ruby/object:Gem::Dependency
|
|
15
14
|
name: rake
|
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
-
none: false
|
|
18
16
|
requirements:
|
|
19
17
|
- - ! '>='
|
|
20
18
|
- !ruby/object:Gem::Version
|
|
@@ -22,7 +20,6 @@ dependencies:
|
|
|
22
20
|
type: :development
|
|
23
21
|
prerelease: false
|
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
-
none: false
|
|
26
23
|
requirements:
|
|
27
24
|
- - ! '>='
|
|
28
25
|
- !ruby/object:Gem::Version
|
|
@@ -35,7 +32,8 @@ extensions: []
|
|
|
35
32
|
extra_rdoc_files: []
|
|
36
33
|
files:
|
|
37
34
|
- .gitignore
|
|
38
|
-
- .
|
|
35
|
+
- .ruby-gemset
|
|
36
|
+
- .ruby-version
|
|
39
37
|
- .travis.yml
|
|
40
38
|
- Gemfile
|
|
41
39
|
- Guardfile
|
|
@@ -48,7 +46,6 @@ files:
|
|
|
48
46
|
- config/routes.rb
|
|
49
47
|
- fixtures/rails_3_2_12/.rspec
|
|
50
48
|
- fixtures/rails_3_2_12/Gemfile
|
|
51
|
-
- fixtures/rails_3_2_12/Guardfile
|
|
52
49
|
- fixtures/rails_3_2_12/README.rdoc
|
|
53
50
|
- fixtures/rails_3_2_12/Rakefile
|
|
54
51
|
- fixtures/rails_3_2_12/app/controllers/application_controller.rb
|
|
@@ -89,7 +86,6 @@ files:
|
|
|
89
86
|
- fixtures/rails_3_2_12/vendor/plugins/.gitkeep
|
|
90
87
|
- fixtures/rails_3_2_12_no_init/.rspec
|
|
91
88
|
- fixtures/rails_3_2_12_no_init/Gemfile
|
|
92
|
-
- fixtures/rails_3_2_12_no_init/Guardfile
|
|
93
89
|
- fixtures/rails_3_2_12_no_init/README.rdoc
|
|
94
90
|
- fixtures/rails_3_2_12_no_init/Rakefile
|
|
95
91
|
- fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
|
|
@@ -138,6 +134,7 @@ files:
|
|
|
138
134
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
139
135
|
- lib/secure_headers/headers/x_frame_options.rb
|
|
140
136
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
137
|
+
- lib/secure_headers/padrino.rb
|
|
141
138
|
- lib/secure_headers/railtie.rb
|
|
142
139
|
- lib/secure_headers/version.rb
|
|
143
140
|
- secure_headers.gemspec
|
|
@@ -153,27 +150,26 @@ files:
|
|
|
153
150
|
homepage: https://github.com/twitter/secureheaders
|
|
154
151
|
licenses:
|
|
155
152
|
- Apache Public License 2.0
|
|
153
|
+
metadata: {}
|
|
156
154
|
post_install_message:
|
|
157
155
|
rdoc_options: []
|
|
158
156
|
require_paths:
|
|
159
157
|
- lib
|
|
160
158
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
161
|
-
none: false
|
|
162
159
|
requirements:
|
|
163
160
|
- - ! '>='
|
|
164
161
|
- !ruby/object:Gem::Version
|
|
165
162
|
version: '0'
|
|
166
163
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
167
|
-
none: false
|
|
168
164
|
requirements:
|
|
169
165
|
- - ! '>='
|
|
170
166
|
- !ruby/object:Gem::Version
|
|
171
167
|
version: '0'
|
|
172
168
|
requirements: []
|
|
173
169
|
rubyforge_project:
|
|
174
|
-
rubygems_version: 1.
|
|
170
|
+
rubygems_version: 2.1.1
|
|
175
171
|
signing_key:
|
|
176
|
-
specification_version:
|
|
172
|
+
specification_version: 4
|
|
177
173
|
summary: Add easily configured browser headers to responses including content security
|
|
178
174
|
policy, x-frame-options, strict-transport-security and more.
|
|
179
175
|
test_files:
|
data/.rvmrc
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
rvm use 1.9.3@secureheaders --create
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
guard 'spork', :rspec_port => 1234, :aggressive_kill => false do
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --drb-port 1234", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
6
|
-
watch(%r{^spec/.+_spec\.rb$})
|
|
7
|
-
watch('../../../lib')
|
|
8
|
-
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
9
|
-
watch('spec/spec_helper.rb') { "spec" }
|
|
10
|
-
watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
|
|
11
|
-
watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
|
|
12
|
-
watch('app/controllers/application_controller.rb') { "spec/controllers" }
|
|
13
|
-
end
|
|
14
|
-
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
guard 'spork', :rspec_port => 1235, :aggressive_kill => false do
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --drb-port 1235", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
6
|
-
watch(%r{^spec/.+_spec\.rb$})
|
|
7
|
-
watch('../../../lib')
|
|
8
|
-
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
9
|
-
watch('spec/spec_helper.rb') { "spec" }
|
|
10
|
-
watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
|
|
11
|
-
watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
|
|
12
|
-
watch('app/controllers/application_controller.rb') { "spec/controllers" }
|
|
13
|
-
end
|
|
14
|
-
|