secure_headers 1.1.1 → 1.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -0
- data/Gemfile +0 -4
- data/Guardfile +1 -5
- data/HISTORY.md +47 -0
- data/README.md +74 -27
- data/fixtures/rails_3_2_12/Gemfile +0 -3
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +4 -4
- data/fixtures/rails_3_2_12/config/environments/development.rb +3 -3
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +15 -14
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -3
- data/fixtures/rails_3_2_12_no_init/config/application.rb +1 -4
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +3 -3
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/lib/secure_headers/headers/content_security_policy.rb +52 -35
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/railtie.rb +6 -2
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +8 -1
- data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +117 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
- data/spec/lib/secure_headers_spec.rb +38 -12
- data/spec/spec_helper.rb +10 -24
- metadata +11 -20
- data/.rvmrc +0 -1
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
checksums.yaml
ADDED
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
---
|
|
2
|
+
!binary "U0hBMQ==":
|
|
3
|
+
metadata.gz: !binary |-
|
|
4
|
+
NzcxMzdhM2IwMTAxN2IyNTc5OTg5OGY1MmJlZGFlNWJmNjBjM2MzMw==
|
|
5
|
+
data.tar.gz: !binary |-
|
|
6
|
+
ODNmNjA1YmY1ODEzMWIxYTU2YWYzYmY3NGFjM2Y1ZDU4MDQ0ODkwMQ==
|
|
7
|
+
SHA512:
|
|
8
|
+
metadata.gz: !binary |-
|
|
9
|
+
NGEwNTVlZjBmMTcwN2QxYjI5YjVkZGJhZmJiYTJlY2M3YzEyM2JiN2Q3MzY0
|
|
10
|
+
NzdmNWNhMDIzMmVhNzNkZWRmZTZiYmQ1OWE5MjMwYTY2MDE1NGVhMWU3Mjg4
|
|
11
|
+
OTdmZTZiOGI0N2NhNGYzZThkMjc3ZWYxMjU5YzhiYTNjNmFmZjE=
|
|
12
|
+
data.tar.gz: !binary |-
|
|
13
|
+
MTI1NTNhYzExYjVmYjMwNjNjMGUzMDlmYmVmZTk1YjJiN2UwODM4MzYwNzhj
|
|
14
|
+
Y2ZhMzYxNTNkM2Y0MWY1YTQ1ZWMyYmQ4NDA3NjJhOGViNTU0MmEwYWY4MTNm
|
|
15
|
+
MTczMzNjOTliYWYzODFiY2RiNDZmOGQ2ZWU4ZjdiNWJhMTZlMzA=
|
data/.ruby-gemset
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
secureheaders
|
data/.ruby-version
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
ruby-1.9.3-p484
|
data/.travis.yml
CHANGED
data/Gemfile
CHANGED
|
@@ -7,14 +7,10 @@ group :test do
|
|
|
7
7
|
gem 'sqlite3', :platform => [:ruby, :mswin, :mingw]
|
|
8
8
|
gem 'jdbc-sqlite3', :platform => :jruby
|
|
9
9
|
gem 'rspec-rails'
|
|
10
|
-
gem 'spork'
|
|
11
|
-
gem 'pry'
|
|
12
10
|
gem 'rspec'
|
|
13
|
-
gem 'guard-spork', :platform => :ruby_19
|
|
14
11
|
gem 'guard-rspec', :platform => :ruby_19
|
|
15
12
|
gem 'growl'
|
|
16
13
|
gem 'rb-fsevent'
|
|
17
|
-
gem 'simplecov'
|
|
18
14
|
gem 'debugger', :platform => :ruby_19
|
|
19
15
|
gem 'ruby-debug', :platform => :ruby_18
|
|
20
16
|
end
|
data/Guardfile
CHANGED
|
@@ -1,8 +1,4 @@
|
|
|
1
|
-
guard '
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
1
|
+
guard 'rspec' do
|
|
6
2
|
watch(%r{^spec/.+_spec\.rb$})
|
|
7
3
|
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
8
4
|
watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
|
data/HISTORY.md
CHANGED
|
@@ -1,3 +1,50 @@
|
|
|
1
|
+
1.3.4
|
|
2
|
+
======
|
|
3
|
+
|
|
4
|
+
* Adds X-Download-Options support
|
|
5
|
+
* Adds support for X-XSS-Protection reporting
|
|
6
|
+
* Defers loading of rails engine for faster boot times
|
|
7
|
+
|
|
8
|
+
1.3.3
|
|
9
|
+
======
|
|
10
|
+
|
|
11
|
+
@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
|
|
12
|
+
|
|
13
|
+
This just adds a new 'preload' option to the HSTS settings to specify that option.
|
|
14
|
+
|
|
15
|
+
1.3.2
|
|
16
|
+
======
|
|
17
|
+
|
|
18
|
+
Adds the ability to "tag" requests and a new config value: :app_name
|
|
19
|
+
|
|
20
|
+
{
|
|
21
|
+
:tag_report_uri => true,
|
|
22
|
+
:enforce => true,
|
|
23
|
+
:app_name => 'twitter',
|
|
24
|
+
:report_uri => 'csp_reports'
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
Results in
|
|
28
|
+
report-uri csp_reports?enforce=true&app_name=twitter
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
1.3.1
|
|
32
|
+
======
|
|
33
|
+
|
|
34
|
+
Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
|
|
35
|
+
|
|
36
|
+
1.3.0
|
|
37
|
+
======
|
|
38
|
+
|
|
39
|
+
- CSP nonce support was added back and is compliant.
|
|
40
|
+
- Bugs:
|
|
41
|
+
-- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
|
|
42
|
+
-- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
|
|
43
|
+
|
|
44
|
+
1.2.0
|
|
45
|
+
======
|
|
46
|
+
- Allow procs to be used as config values.
|
|
47
|
+
|
|
1
48
|
1.1.1
|
|
2
49
|
======
|
|
3
50
|
|
data/README.md
CHANGED
|
@@ -85,9 +85,10 @@ Or simply add it to application controller
|
|
|
85
85
|
|
|
86
86
|
```ruby
|
|
87
87
|
ensure_security_headers(
|
|
88
|
-
:hsts => {:include_subdomains, :
|
|
88
|
+
:hsts => {:include_subdomains => true, :max_age => 20.years.to_i},
|
|
89
89
|
:x_frame_options => 'DENY',
|
|
90
|
-
:csp => false
|
|
90
|
+
:csp => false
|
|
91
|
+
)
|
|
91
92
|
```
|
|
92
93
|
|
|
93
94
|
## Options for ensure\_security\_headers
|
|
@@ -162,13 +163,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
|
162
163
|
:img_src => 'http://mycdn.example.com'
|
|
163
164
|
}
|
|
164
165
|
}
|
|
165
|
-
|
|
166
|
-
# script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
|
|
167
|
-
# you to whitelist inline script blocks. For more information, see
|
|
168
|
-
# https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
|
|
169
|
-
:script_nonce => lambda { @script_nonce = SecureRandom.hex }
|
|
170
|
-
# which can be used to whitelist a script block:
|
|
171
|
-
# script_tag :nonce = @script_nonce { inline_script_call() }
|
|
172
166
|
}
|
|
173
167
|
```
|
|
174
168
|
|
|
@@ -203,9 +197,54 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
|
203
197
|
"default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
|
|
204
198
|
```
|
|
205
199
|
|
|
206
|
-
|
|
200
|
+
### Tagging Requests
|
|
201
|
+
|
|
202
|
+
It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
|
|
203
|
+
|
|
204
|
+
```ruby
|
|
205
|
+
{
|
|
206
|
+
:tag_report_uri => true,
|
|
207
|
+
:enforce => true,
|
|
208
|
+
:app_name => 'twitter',
|
|
209
|
+
:report_uri => 'csp_reports'
|
|
210
|
+
}
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
Results in
|
|
214
|
+
```
|
|
215
|
+
report-uri csp_reports?enforce=true&app_name=twitter
|
|
216
|
+
```
|
|
217
|
+
|
|
218
|
+
### CSP Level 2 features
|
|
219
|
+
|
|
220
|
+
script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.
|
|
221
|
+
|
|
222
|
+
*setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
|
|
223
|
+
|
|
224
|
+
```ruby
|
|
225
|
+
:csp => {
|
|
226
|
+
:default_src => 'self',
|
|
227
|
+
:script_src => 'self nonce'
|
|
228
|
+
}
|
|
229
|
+
```
|
|
230
|
+
|
|
231
|
+
> content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'
|
|
207
232
|
|
|
208
|
-
|
|
233
|
+
```erb
|
|
234
|
+
<script nonce="<%= @content_security_policy_nonce %>">
|
|
235
|
+
console.log("whitelisted, will execute")
|
|
236
|
+
</script>
|
|
237
|
+
|
|
238
|
+
<script nonce="lol">
|
|
239
|
+
console.log("won't execute, not whitelisted")
|
|
240
|
+
</script>
|
|
241
|
+
|
|
242
|
+
<script>
|
|
243
|
+
console.log("won't execute, not whitelisted")
|
|
244
|
+
</script>
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
## Note on Firefox handling of CSP
|
|
209
248
|
|
|
210
249
|
* CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
|
|
211
250
|
|
|
@@ -274,22 +313,11 @@ In your `Gemfile`:
|
|
|
274
313
|
then in your `app.rb` file you can:
|
|
275
314
|
|
|
276
315
|
```ruby
|
|
316
|
+
require 'secure_headers/padrino'
|
|
317
|
+
|
|
277
318
|
module Web
|
|
278
319
|
class App < Padrino::Application
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
::SecureHeaders::Configuration.configure do |config|
|
|
282
|
-
config.hsts = {:max_age => 99, :include_subdomains => true}
|
|
283
|
-
config.x_frame_options = 'DENY'
|
|
284
|
-
config.x_content_type_options = "nosniff"
|
|
285
|
-
config.x_xss_protection = {:value => '1', :mode => false}
|
|
286
|
-
config.csp = {
|
|
287
|
-
:default_src => "https://* inline eval",
|
|
288
|
-
:report_uri => '//example.com/uri-directive',
|
|
289
|
-
:img_src => "https://* data:",
|
|
290
|
-
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
|
|
291
|
-
}
|
|
292
|
-
end
|
|
320
|
+
register SecureHeaders::Padrino
|
|
293
321
|
|
|
294
322
|
get '/' do
|
|
295
323
|
set_csp_header
|
|
@@ -299,12 +327,31 @@ module Web
|
|
|
299
327
|
end
|
|
300
328
|
```
|
|
301
329
|
|
|
330
|
+
and in `config/boot.rb`:
|
|
331
|
+
|
|
332
|
+
```ruby
|
|
333
|
+
def before_load
|
|
334
|
+
::SecureHeaders::Configuration.configure do |config|
|
|
335
|
+
config.hsts = {:max_age => 99, :include_subdomains => true}
|
|
336
|
+
config.x_frame_options = 'DENY'
|
|
337
|
+
config.x_content_type_options = "nosniff"
|
|
338
|
+
config.x_xss_protection = {:value => '1', :mode => false}
|
|
339
|
+
config.csp = {
|
|
340
|
+
:default_src => "https://* inline eval",
|
|
341
|
+
:report_uri => '//example.com/uri-directive',
|
|
342
|
+
:img_src => "https://* data:",
|
|
343
|
+
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
|
|
344
|
+
}
|
|
345
|
+
end
|
|
346
|
+
end
|
|
347
|
+
```
|
|
348
|
+
|
|
302
349
|
## Similar libraries
|
|
303
350
|
|
|
304
351
|
* Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
|
|
305
352
|
* J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
|
|
306
353
|
* ASP.NET - [NWebsec](http://nwebsec.codeplex.com/)
|
|
307
|
-
* Python - [django-csp](https://github.com/mozilla/django-csp/
|
|
354
|
+
* Python - [django-csp](https://github.com/mozilla/django-csp/) + [commonware](https://github.com/jsocol/commonware/)
|
|
308
355
|
* Go - [secureheader](https://github.com/kr/secureheader)
|
|
309
356
|
|
|
310
357
|
## Authors
|
|
@@ -321,6 +368,6 @@ end
|
|
|
321
368
|
|
|
322
369
|
## License
|
|
323
370
|
|
|
324
|
-
Copyright 2013 Twitter, Inc.
|
|
371
|
+
Copyright 2013-2014 Twitter, Inc and other contributors.
|
|
325
372
|
|
|
326
373
|
Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
|
|
@@ -1,14 +1,11 @@
|
|
|
1
1
|
source 'https://rubygems.org'
|
|
2
2
|
|
|
3
3
|
gem 'rails', '3.2.12'
|
|
4
|
-
gem 'sqlite3'
|
|
5
4
|
gem 'rspec-rails', '>= 2.0.0'
|
|
6
5
|
gem 'secure_headers', :path => '../..'
|
|
7
|
-
gem 'spork'
|
|
8
6
|
gem 'debugger', :platform => :ruby_19
|
|
9
7
|
gem 'ruby-debug', :platform => :ruby_18
|
|
10
8
|
gem 'guard-rspec'
|
|
11
|
-
gem 'guard-spork'
|
|
12
9
|
gem 'rb-fsevent'
|
|
13
10
|
gem 'growl'
|
|
14
11
|
|
|
@@ -1,21 +1 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
<table>
|
|
4
|
-
<tr>
|
|
5
|
-
<th></th>
|
|
6
|
-
<th></th>
|
|
7
|
-
<th></th>
|
|
8
|
-
</tr>
|
|
9
|
-
|
|
10
|
-
<% @things.each do |thing| %>
|
|
11
|
-
<tr>
|
|
12
|
-
<td><%= link_to 'Show', thing %></td>
|
|
13
|
-
<td><%= link_to 'Edit', edit_thing_path(thing) %></td>
|
|
14
|
-
<td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
|
|
15
|
-
</tr>
|
|
16
|
-
<% end %>
|
|
17
|
-
</table>
|
|
18
|
-
|
|
19
|
-
<br />
|
|
20
|
-
|
|
21
|
-
<%= link_to 'New Thing', new_thing_path %>
|
|
1
|
+
things
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
require File.expand_path('../boot', __FILE__)
|
|
2
2
|
|
|
3
3
|
# Pick the frameworks you want:
|
|
4
|
-
require "active_record/railtie"
|
|
4
|
+
# require "active_record/railtie"
|
|
5
5
|
require "action_controller/railtie"
|
|
6
|
-
require "action_mailer/railtie"
|
|
7
|
-
require "active_resource/railtie"
|
|
6
|
+
# require "action_mailer/railtie"
|
|
7
|
+
# require "active_resource/railtie"
|
|
8
8
|
require "sprockets/railtie"
|
|
9
9
|
# require "rails/test_unit/railtie"
|
|
10
10
|
|
|
@@ -57,7 +57,7 @@ module Rails3212
|
|
|
57
57
|
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
|
58
58
|
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
|
59
59
|
# parameters by using an attr_accessible or attr_protected declaration.
|
|
60
|
-
config.active_record.whitelist_attributes = true
|
|
60
|
+
# config.active_record.whitelist_attributes = true
|
|
61
61
|
|
|
62
62
|
# Enable the asset pipeline
|
|
63
63
|
config.assets.enabled = true
|
|
@@ -14,7 +14,7 @@ Rails3212::Application.configure do
|
|
|
14
14
|
config.action_controller.perform_caching = false
|
|
15
15
|
|
|
16
16
|
# Don't care if the mailer can't send
|
|
17
|
-
config.action_mailer.raise_delivery_errors = false
|
|
17
|
+
# config.action_mailer.raise_delivery_errors = false
|
|
18
18
|
|
|
19
19
|
# Print deprecation notices to the Rails logger
|
|
20
20
|
config.active_support.deprecation = :log
|
|
@@ -23,11 +23,11 @@ Rails3212::Application.configure do
|
|
|
23
23
|
config.action_dispatch.best_standards_support = :builtin
|
|
24
24
|
|
|
25
25
|
# Raise exception on mass assignment protection for Active Record models
|
|
26
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
26
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
|
27
27
|
|
|
28
28
|
# Log the query plan for queries taking more than this (works
|
|
29
29
|
# with SQLite, MySQL, and PostgreSQL)
|
|
30
|
-
config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
30
|
+
# config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
31
31
|
|
|
32
32
|
# Do not compress assets
|
|
33
33
|
config.assets.compress = false
|
|
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
|
|
|
27
27
|
# Tell Action Mailer not to deliver emails to the real world.
|
|
28
28
|
# The :test delivery method accumulates sent emails in the
|
|
29
29
|
# ActionMailer::Base.deliveries array.
|
|
30
|
-
config.action_mailer.delivery_method = :test
|
|
30
|
+
# config.action_mailer.delivery_method = :test
|
|
31
31
|
|
|
32
32
|
# Raise exception on mass assignment protection for Active Record models
|
|
33
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
33
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
|
34
34
|
|
|
35
35
|
# Print deprecation notices to the stderr
|
|
36
36
|
config.active_support.deprecation = :stderr
|
|
@@ -1,44 +1,45 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
|
-
describe OtherThingsController do
|
|
3
|
+
describe OtherThingsController, :type => :controller do
|
|
4
4
|
describe "headers" do
|
|
5
|
-
before(:each) do
|
|
6
|
-
# Chrome
|
|
7
|
-
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
|
8
|
-
end
|
|
9
|
-
|
|
10
5
|
it "sets the X-XSS-Protection header" do
|
|
11
6
|
get :index
|
|
12
|
-
response.headers['X-XSS-Protection'].
|
|
7
|
+
expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
|
|
13
8
|
end
|
|
14
9
|
|
|
15
10
|
it "sets the X-Frame-Options header" do
|
|
16
11
|
get :index
|
|
17
|
-
response.headers['X-Frame-Options'].
|
|
12
|
+
expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
|
|
18
13
|
end
|
|
19
14
|
|
|
20
|
-
it "sets the
|
|
15
|
+
it "sets the CSP header with a local reference to a nonce" do
|
|
21
16
|
get :index
|
|
22
|
-
|
|
17
|
+
nonce = controller.instance_exec { @content_security_policy_nonce }
|
|
18
|
+
expect(nonce).to match /[a-zA-Z0-9\+\/=]{44}/
|
|
19
|
+
expect(response.headers['Content-Security-Policy-Report-Only']).to match(/default-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-[a-zA-Z0-9\+\/=]{44}' 'unsafe-inline'; report-uri somewhere;/)
|
|
23
20
|
end
|
|
24
21
|
|
|
25
|
-
#mock ssl
|
|
26
22
|
it "sets the Strict-Transport-Security header" do
|
|
27
23
|
request.env['HTTPS'] = 'on'
|
|
28
24
|
get :index
|
|
29
|
-
response.headers['Strict-Transport-Security'].
|
|
25
|
+
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
it "sets the X-Download-Options header" do
|
|
29
|
+
get :index
|
|
30
|
+
expect(response.headers['X-Download-Options']).to eq('noopen')
|
|
30
31
|
end
|
|
31
32
|
|
|
32
33
|
it "sets the X-Content-Type-Options header" do
|
|
33
34
|
get :index
|
|
34
|
-
response.headers['X-Content-Type-Options'].
|
|
35
|
+
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
35
36
|
end
|
|
36
37
|
|
|
37
38
|
context "using IE" do
|
|
38
39
|
it "sets the X-Content-Type-Options header" do
|
|
39
40
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
40
41
|
get :index
|
|
41
|
-
response.headers['X-Content-Type-Options'].
|
|
42
|
+
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
42
43
|
end
|
|
43
44
|
end
|
|
44
45
|
end
|
|
@@ -4,45 +4,45 @@ require 'spec_helper'
|
|
|
4
4
|
# all values are defaulted because no initializer is configured, and the values in app controller
|
|
5
5
|
# only provide csp => false
|
|
6
6
|
|
|
7
|
-
describe ThingsController do
|
|
7
|
+
describe ThingsController, :type => :controller do
|
|
8
8
|
describe "headers" do
|
|
9
|
-
before(:each) do
|
|
10
|
-
# Chrome
|
|
11
|
-
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
|
12
|
-
end
|
|
13
|
-
|
|
14
9
|
it "sets the X-XSS-Protection header" do
|
|
15
10
|
get :index
|
|
16
|
-
response.headers['X-XSS-Protection'].
|
|
11
|
+
expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
|
|
17
12
|
end
|
|
18
13
|
|
|
19
14
|
it "sets the X-Frame-Options header" do
|
|
20
15
|
get :index
|
|
21
|
-
response.headers['X-Frame-Options'].
|
|
16
|
+
expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
|
|
22
17
|
end
|
|
23
18
|
|
|
24
19
|
it "sets the X-WebKit-CSP header" do
|
|
25
20
|
get :index
|
|
26
|
-
response.headers['Content-Security-Policy-Report-Only'].
|
|
21
|
+
expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
|
|
27
22
|
end
|
|
28
23
|
|
|
29
24
|
#mock ssl
|
|
30
25
|
it "sets the Strict-Transport-Security header" do
|
|
31
26
|
request.env['HTTPS'] = 'on'
|
|
32
27
|
get :index
|
|
33
|
-
response.headers['Strict-Transport-Security'].
|
|
28
|
+
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
it "sets the X-Download-Options header" do
|
|
32
|
+
get :index
|
|
33
|
+
expect(response.headers['X-Download-Options']).to eq('noopen')
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
it "sets the X-Content-Type-Options header" do
|
|
37
37
|
get :index
|
|
38
|
-
response.headers['X-Content-Type-Options'].
|
|
38
|
+
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
context "using IE" do
|
|
42
42
|
it "sets the X-Content-Type-Options header" do
|
|
43
43
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
44
44
|
get :index
|
|
45
|
-
response.headers['X-Content-Type-Options'].
|
|
45
|
+
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
46
46
|
end
|
|
47
47
|
end
|
|
48
48
|
end
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
|
|
2
|
+
|
|
3
3
|
#uncomment the following line to use spork with the debugger
|
|
4
4
|
#require 'spork/ext/ruby-debug'
|
|
5
5
|
|
|
@@ -11,9 +11,5 @@ require 'spork'
|
|
|
11
11
|
ENV["RAILS_ENV"] ||= 'test'
|
|
12
12
|
require File.expand_path("../../config/environment", __FILE__)
|
|
13
13
|
require 'rspec/rails'
|
|
14
|
-
require 'rspec/autorun'
|
|
15
14
|
# end
|
|
16
15
|
|
|
17
|
-
Spork.each_run do
|
|
18
|
-
|
|
19
|
-
end
|
|
@@ -1,14 +1,11 @@
|
|
|
1
1
|
source 'https://rubygems.org'
|
|
2
2
|
|
|
3
3
|
gem 'rails', '3.2.12'
|
|
4
|
-
gem 'sqlite3'
|
|
5
4
|
gem 'rspec-rails', '>= 2.0.0'
|
|
6
5
|
gem 'secure_headers', :path => '../..'
|
|
7
|
-
gem 'spork'
|
|
8
6
|
gem 'debugger', :platform => :ruby_19
|
|
9
7
|
gem 'ruby-debug', :platform => :ruby_18
|
|
10
8
|
gem 'guard-rspec'
|
|
11
|
-
gem 'guard-spork'
|
|
12
9
|
gem 'rb-fsevent'
|
|
13
10
|
gem 'growl'
|
|
14
11
|
|
|
@@ -1,10 +1,7 @@
|
|
|
1
1
|
require File.expand_path('../boot', __FILE__)
|
|
2
2
|
|
|
3
3
|
# Pick the frameworks you want:
|
|
4
|
-
require "active_record/railtie"
|
|
5
4
|
require "action_controller/railtie"
|
|
6
|
-
require "action_mailer/railtie"
|
|
7
|
-
require "active_resource/railtie"
|
|
8
5
|
require "sprockets/railtie"
|
|
9
6
|
# require "rails/test_unit/railtie"
|
|
10
7
|
|
|
@@ -57,7 +54,7 @@ module Rails3212
|
|
|
57
54
|
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
|
58
55
|
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
|
59
56
|
# parameters by using an attr_accessible or attr_protected declaration.
|
|
60
|
-
config.active_record.whitelist_attributes = true
|
|
57
|
+
# config.active_record.whitelist_attributes = true
|
|
61
58
|
|
|
62
59
|
# Enable the asset pipeline
|
|
63
60
|
config.assets.enabled = true
|
|
@@ -14,7 +14,7 @@ Rails3212::Application.configure do
|
|
|
14
14
|
config.action_controller.perform_caching = false
|
|
15
15
|
|
|
16
16
|
# Don't care if the mailer can't send
|
|
17
|
-
config.action_mailer.raise_delivery_errors = false
|
|
17
|
+
# config.action_mailer.raise_delivery_errors = false
|
|
18
18
|
|
|
19
19
|
# Print deprecation notices to the Rails logger
|
|
20
20
|
config.active_support.deprecation = :log
|
|
@@ -23,11 +23,11 @@ Rails3212::Application.configure do
|
|
|
23
23
|
config.action_dispatch.best_standards_support = :builtin
|
|
24
24
|
|
|
25
25
|
# Raise exception on mass assignment protection for Active Record models
|
|
26
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
26
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
|
27
27
|
|
|
28
28
|
# Log the query plan for queries taking more than this (works
|
|
29
29
|
# with SQLite, MySQL, and PostgreSQL)
|
|
30
|
-
config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
30
|
+
# config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
31
31
|
|
|
32
32
|
# Do not compress assets
|
|
33
33
|
config.assets.compress = false
|
|
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
|
|
|
27
27
|
# Tell Action Mailer not to deliver emails to the real world.
|
|
28
28
|
# The :test delivery method accumulates sent emails in the
|
|
29
29
|
# ActionMailer::Base.deliveries array.
|
|
30
|
-
config.action_mailer.delivery_method = :test
|
|
30
|
+
# config.action_mailer.delivery_method = :test
|
|
31
31
|
|
|
32
32
|
# Raise exception on mass assignment protection for Active Record models
|
|
33
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
33
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
|
34
34
|
|
|
35
35
|
# Print deprecation notices to the stderr
|
|
36
36
|
config.active_support.deprecation = :stderr
|
|
@@ -1,44 +1,44 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
|
-
describe OtherThingsController do
|
|
3
|
+
describe OtherThingsController, :type => :controller do
|
|
4
4
|
describe "headers" do
|
|
5
|
-
before(:each) do
|
|
6
|
-
# Chrome
|
|
7
|
-
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
|
8
|
-
end
|
|
9
|
-
|
|
10
5
|
it "sets the X-XSS-Protection header" do
|
|
11
6
|
get :index
|
|
12
|
-
response.headers['X-XSS-Protection'].
|
|
7
|
+
expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
|
|
13
8
|
end
|
|
14
9
|
|
|
15
10
|
it "sets the X-Frame-Options header" do
|
|
16
11
|
get :index
|
|
17
|
-
response.headers['X-Frame-Options'].
|
|
12
|
+
expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
|
|
18
13
|
end
|
|
19
14
|
|
|
20
15
|
it "sets the X-WebKit-CSP header" do
|
|
21
16
|
get :index
|
|
22
|
-
response.headers['Content-Security-Policy-Report-Only'].
|
|
17
|
+
expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
|
|
23
18
|
end
|
|
24
19
|
|
|
25
20
|
#mock ssl
|
|
26
21
|
it "sets the Strict-Transport-Security header" do
|
|
27
22
|
request.env['HTTPS'] = 'on'
|
|
28
23
|
get :index
|
|
29
|
-
response.headers['Strict-Transport-Security'].
|
|
24
|
+
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
it "sets the X-Download-Options header" do
|
|
28
|
+
get :index
|
|
29
|
+
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
it "sets the X-Content-Type-Options header" do
|
|
33
33
|
get :index
|
|
34
|
-
response.headers['X-Content-Type-Options'].
|
|
34
|
+
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
context "using IE" do
|
|
38
38
|
it "sets the X-Content-Type-Options header" do
|
|
39
39
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
40
40
|
get :index
|
|
41
|
-
response.headers['X-Content-Type-Options'].
|
|
41
|
+
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
42
42
|
end
|
|
43
43
|
end
|
|
44
44
|
end
|