secure_headers 1.1.1 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -3
- data/Gemfile +2 -7
- data/HISTORY.md +47 -0
- data/README.md +74 -27
- data/app/controllers/content_security_policy_controller.rb +1 -0
- data/fixtures/rails_3_2_12/Gemfile +0 -8
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +0 -3
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +15 -14
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/lib/secure_headers/headers/content_security_policy.rb +54 -35
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/railtie.rb +6 -2
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +9 -2
- data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +117 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
- data/spec/lib/secure_headers_spec.rb +38 -12
- data/spec/spec_helper.rb +10 -24
- metadata +9 -37
- data/.rvmrc +0 -1
- data/Guardfile +0 -10
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
|
@@ -2,34 +2,34 @@ require 'spec_helper'
|
|
|
2
2
|
|
|
3
3
|
module SecureHeaders
|
|
4
4
|
describe XFrameOptions do
|
|
5
|
-
specify{ XFrameOptions.new.name.
|
|
5
|
+
specify{ expect(XFrameOptions.new.name).to eq("X-Frame-Options") }
|
|
6
6
|
|
|
7
7
|
describe "#value" do
|
|
8
|
-
specify { XFrameOptions.new.value.
|
|
9
|
-
specify { XFrameOptions.new("SAMEORIGIN").value.
|
|
10
|
-
specify { XFrameOptions.new(:value => 'DENY').value.
|
|
8
|
+
specify { expect(XFrameOptions.new.value).to eq(XFrameOptions::Constants::DEFAULT_VALUE)}
|
|
9
|
+
specify { expect(XFrameOptions.new("SAMEORIGIN").value).to eq("SAMEORIGIN")}
|
|
10
|
+
specify { expect(XFrameOptions.new(:value => 'DENY').value).to eq("DENY")}
|
|
11
11
|
|
|
12
12
|
context "with invalid configuration" do
|
|
13
13
|
it "allows SAMEORIGIN" do
|
|
14
|
-
|
|
14
|
+
expect {
|
|
15
15
|
XFrameOptions.new("SAMEORIGIN").value
|
|
16
|
-
}.
|
|
16
|
+
}.not_to raise_error
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
it "allows DENY" do
|
|
20
|
-
|
|
20
|
+
expect {
|
|
21
21
|
XFrameOptions.new("DENY").value
|
|
22
|
-
}.
|
|
22
|
+
}.not_to raise_error end
|
|
23
23
|
|
|
24
24
|
it "allows ALLOW-FROM*" do
|
|
25
|
-
|
|
25
|
+
expect {
|
|
26
26
|
XFrameOptions.new("ALLOW-FROM: example.com").value
|
|
27
|
-
}.
|
|
27
|
+
}.not_to raise_error
|
|
28
28
|
end
|
|
29
29
|
it "does not allow garbage" do
|
|
30
|
-
|
|
30
|
+
expect {
|
|
31
31
|
XFrameOptions.new("I like turtles").value
|
|
32
|
-
}.
|
|
32
|
+
}.to raise_error(XFOBuildError)
|
|
33
33
|
end
|
|
34
34
|
end
|
|
35
35
|
end
|
|
@@ -1,53 +1,54 @@
|
|
|
1
1
|
module SecureHeaders
|
|
2
2
|
describe XXssProtection do
|
|
3
|
-
specify { XXssProtection.new.name.
|
|
4
|
-
specify { XXssProtection.new.value.
|
|
5
|
-
specify { XXssProtection.new("0").value.
|
|
6
|
-
specify { XXssProtection.new(:value => 1, :mode => 'block').value.
|
|
3
|
+
specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}
|
|
4
|
+
specify { expect(XXssProtection.new.value).to eq("1")}
|
|
5
|
+
specify { expect(XXssProtection.new("0").value).to eq("0")}
|
|
6
|
+
specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
|
|
7
|
+
specify { expect(XXssProtection.new(:value => 1, :mode => 'block', :report_uri => 'https://www.secure.com/reports').value).to eq('1; mode=block; report=https://www.secure.com/reports') }
|
|
7
8
|
|
|
8
9
|
context "with invalid configuration" do
|
|
9
10
|
it "should raise an error when providing a string that is not valid" do
|
|
10
|
-
|
|
11
|
+
expect {
|
|
11
12
|
XXssProtection.new("asdf")
|
|
12
|
-
}.
|
|
13
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
13
14
|
|
|
14
|
-
|
|
15
|
+
expect {
|
|
15
16
|
XXssProtection.new("asdf; mode=donkey")
|
|
16
|
-
}.
|
|
17
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
17
18
|
end
|
|
18
19
|
|
|
19
20
|
context "when using a hash value" do
|
|
20
21
|
it "should allow string values ('1' or '0' are the only valid strings)" do
|
|
21
|
-
|
|
22
|
+
expect {
|
|
22
23
|
XXssProtection.new(:value => '1')
|
|
23
|
-
}.
|
|
24
|
+
}.not_to raise_error
|
|
24
25
|
end
|
|
25
26
|
|
|
26
27
|
it "should allow integer values (1 or 0 are the only valid integers)" do
|
|
27
|
-
|
|
28
|
+
expect {
|
|
28
29
|
XXssProtection.new(:value => 1)
|
|
29
|
-
}.
|
|
30
|
+
}.not_to raise_error
|
|
30
31
|
end
|
|
31
32
|
|
|
32
33
|
it "should raise an error if no value key is supplied" do
|
|
33
|
-
|
|
34
|
+
expect {
|
|
34
35
|
XXssProtection.new(:mode => 'block')
|
|
35
|
-
}.
|
|
36
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
36
37
|
end
|
|
37
38
|
|
|
38
39
|
it "should raise an error if an invalid key is supplied" do
|
|
39
|
-
|
|
40
|
+
expect {
|
|
40
41
|
XXssProtection.new(:value => 123)
|
|
41
|
-
}.
|
|
42
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
42
43
|
end
|
|
43
44
|
|
|
44
45
|
it "should raise an error if mode != block" do
|
|
45
|
-
|
|
46
|
+
expect {
|
|
46
47
|
XXssProtection.new(:value => 1, :mode => "donkey")
|
|
47
|
-
}.
|
|
48
|
+
}.to raise_error(XXssProtectionBuildError)
|
|
48
49
|
end
|
|
49
50
|
end
|
|
50
51
|
|
|
51
52
|
end
|
|
52
53
|
end
|
|
53
|
-
end
|
|
54
|
+
end
|
|
@@ -13,9 +13,9 @@ describe SecureHeaders do
|
|
|
13
13
|
|
|
14
14
|
before(:each) do
|
|
15
15
|
stub_user_agent(nil)
|
|
16
|
-
headers.
|
|
17
|
-
subject.
|
|
18
|
-
subject.
|
|
16
|
+
allow(headers).to receive(:[])
|
|
17
|
+
allow(subject).to receive(:response).and_return(response)
|
|
18
|
+
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
|
|
@@ -32,15 +32,15 @@ describe SecureHeaders do
|
|
|
32
32
|
}
|
|
33
33
|
|
|
34
34
|
def should_assign_header name, value
|
|
35
|
-
response.headers.
|
|
35
|
+
expect(response.headers).to receive(:[]=).with(name, value)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
def should_not_assign_header name
|
|
39
|
-
response.headers.
|
|
39
|
+
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
def stub_user_agent val
|
|
43
|
-
request.
|
|
43
|
+
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
def options_for header
|
|
@@ -54,6 +54,7 @@ describe SecureHeaders do
|
|
|
54
54
|
config.x_content_type_options = nil
|
|
55
55
|
config.x_xss_protection = nil
|
|
56
56
|
config.csp = nil
|
|
57
|
+
config.x_download_options = nil
|
|
57
58
|
end
|
|
58
59
|
end
|
|
59
60
|
|
|
@@ -63,12 +64,13 @@ describe SecureHeaders do
|
|
|
63
64
|
subject.set_x_frame_options_header
|
|
64
65
|
subject.set_x_content_type_options_header
|
|
65
66
|
subject.set_x_xss_protection_header
|
|
67
|
+
subject.set_x_download_options_header
|
|
66
68
|
end
|
|
67
69
|
|
|
68
70
|
describe "#ensure_security_headers" do
|
|
69
71
|
it "sets a before filter" do
|
|
70
72
|
options = {}
|
|
71
|
-
DummyClass.
|
|
73
|
+
expect(DummyClass).to receive(:before_filter).exactly(6).times
|
|
72
74
|
DummyClass.ensure_security_headers(options)
|
|
73
75
|
end
|
|
74
76
|
end
|
|
@@ -87,18 +89,19 @@ describe SecureHeaders do
|
|
|
87
89
|
|
|
88
90
|
describe "#set_security_headers" do
|
|
89
91
|
before(:each) do
|
|
90
|
-
SecureHeaders::ContentSecurityPolicy.
|
|
92
|
+
allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
|
|
91
93
|
end
|
|
92
94
|
USER_AGENTS.each do |name, useragent|
|
|
93
95
|
it "sets all default headers for #{name} (smoke test)" do
|
|
94
96
|
stub_user_agent(useragent)
|
|
95
|
-
number_of_headers =
|
|
96
|
-
subject.
|
|
97
|
+
number_of_headers = 6
|
|
98
|
+
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
|
97
99
|
subject.set_csp_header
|
|
98
100
|
subject.set_x_frame_options_header
|
|
99
101
|
subject.set_hsts_header
|
|
100
102
|
subject.set_x_xss_protection_header
|
|
101
103
|
subject.set_x_content_type_options_header
|
|
104
|
+
subject.set_x_download_options_header
|
|
102
105
|
end
|
|
103
106
|
end
|
|
104
107
|
|
|
@@ -113,6 +116,11 @@ describe SecureHeaders do
|
|
|
113
116
|
subject.set_x_xss_protection_header(false)
|
|
114
117
|
end
|
|
115
118
|
|
|
119
|
+
it "does not set the X-Download-Options header if disabled" do
|
|
120
|
+
should_not_assign_header(XDO_HEADER_NAME)
|
|
121
|
+
subject.set_x_download_options_header(false)
|
|
122
|
+
end
|
|
123
|
+
|
|
116
124
|
it "does not set the X-Frame-Options header if disabled" do
|
|
117
125
|
should_not_assign_header(XFO_HEADER_NAME)
|
|
118
126
|
subject.set_x_frame_options_header(false)
|
|
@@ -124,7 +132,7 @@ describe SecureHeaders do
|
|
|
124
132
|
end
|
|
125
133
|
|
|
126
134
|
it "does not set the HSTS header if request is over HTTP" do
|
|
127
|
-
subject.
|
|
135
|
+
allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
|
|
128
136
|
should_not_assign_header(HSTS_HEADER_NAME)
|
|
129
137
|
subject.set_hsts_header({:include_subdomains => true})
|
|
130
138
|
end
|
|
@@ -143,8 +151,9 @@ describe SecureHeaders do
|
|
|
143
151
|
config.x_content_type_options = false
|
|
144
152
|
config.x_xss_protection = false
|
|
145
153
|
config.csp = false
|
|
154
|
+
config.x_download_options = false
|
|
146
155
|
end
|
|
147
|
-
subject.
|
|
156
|
+
expect(subject).not_to receive(:set_header)
|
|
148
157
|
set_security_headers(subject)
|
|
149
158
|
reset_config
|
|
150
159
|
end
|
|
@@ -163,6 +172,18 @@ describe SecureHeaders do
|
|
|
163
172
|
end
|
|
164
173
|
end
|
|
165
174
|
|
|
175
|
+
describe "#set_x_download_options_header" do
|
|
176
|
+
it "sets the X-Download-Options header" do
|
|
177
|
+
should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
178
|
+
subject.set_x_download_options_header
|
|
179
|
+
end
|
|
180
|
+
|
|
181
|
+
it "allows a custom X-Download-Options header" do
|
|
182
|
+
should_assign_header(XDO_HEADER_NAME, "noopen")
|
|
183
|
+
subject.set_x_download_options_header(:value => 'noopen')
|
|
184
|
+
end
|
|
185
|
+
end
|
|
186
|
+
|
|
166
187
|
describe "#set_strict_transport_security" do
|
|
167
188
|
it "sets the Strict-Transport-Security header" do
|
|
168
189
|
should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
@@ -178,6 +199,11 @@ describe SecureHeaders do
|
|
|
178
199
|
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
|
|
179
200
|
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
|
180
201
|
end
|
|
202
|
+
|
|
203
|
+
it "allows you to specify preload" do
|
|
204
|
+
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
|
|
205
|
+
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
|
|
206
|
+
end
|
|
181
207
|
end
|
|
182
208
|
|
|
183
209
|
describe "#set_x_xss_protection" do
|
data/spec/spec_helper.rb
CHANGED
|
@@ -1,25 +1,11 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require '
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
require 'pry'
|
|
13
|
-
require 'rspec'
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
Spork.each_run do
|
|
17
|
-
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
18
|
-
require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
|
|
19
|
-
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
20
|
-
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
21
|
-
include ::SecureHeaders::XFrameOptions::Constants
|
|
22
|
-
include ::SecureHeaders::XXssProtection::Constants
|
|
23
|
-
include ::SecureHeaders::XContentTypeOptions::Constants
|
|
24
|
-
end
|
|
25
|
-
|
|
2
|
+
require 'rspec'
|
|
3
|
+
|
|
4
|
+
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
5
|
+
require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
|
|
6
|
+
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
7
|
+
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
8
|
+
include ::SecureHeaders::XFrameOptions::Constants
|
|
9
|
+
include ::SecureHeaders::XXssProtection::Constants
|
|
10
|
+
include ::SecureHeaders::XContentTypeOptions::Constants
|
|
11
|
+
include ::SecureHeaders::XDownloadOptions::Constants
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.0
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2014-12-06 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rake
|
|
@@ -35,10 +35,10 @@ extensions: []
|
|
|
35
35
|
extra_rdoc_files: []
|
|
36
36
|
files:
|
|
37
37
|
- .gitignore
|
|
38
|
-
- .
|
|
38
|
+
- .ruby-gemset
|
|
39
|
+
- .ruby-version
|
|
39
40
|
- .travis.yml
|
|
40
41
|
- Gemfile
|
|
41
|
-
- Guardfile
|
|
42
42
|
- HISTORY.md
|
|
43
43
|
- LICENSE
|
|
44
44
|
- README.md
|
|
@@ -48,36 +48,22 @@ files:
|
|
|
48
48
|
- config/routes.rb
|
|
49
49
|
- fixtures/rails_3_2_12/.rspec
|
|
50
50
|
- fixtures/rails_3_2_12/Gemfile
|
|
51
|
-
- fixtures/rails_3_2_12/Guardfile
|
|
52
51
|
- fixtures/rails_3_2_12/README.rdoc
|
|
53
52
|
- fixtures/rails_3_2_12/Rakefile
|
|
54
53
|
- fixtures/rails_3_2_12/app/controllers/application_controller.rb
|
|
55
54
|
- fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
|
|
56
55
|
- fixtures/rails_3_2_12/app/controllers/things_controller.rb
|
|
57
56
|
- fixtures/rails_3_2_12/app/models/.gitkeep
|
|
58
|
-
- fixtures/rails_3_2_12/app/models/thing.rb
|
|
59
57
|
- fixtures/rails_3_2_12/app/views/layouts/application.html.erb
|
|
60
58
|
- fixtures/rails_3_2_12/app/views/other_things/index.html.erb
|
|
61
59
|
- fixtures/rails_3_2_12/app/views/things/index.html.erb
|
|
62
60
|
- fixtures/rails_3_2_12/config.ru
|
|
63
61
|
- fixtures/rails_3_2_12/config/application.rb
|
|
64
62
|
- fixtures/rails_3_2_12/config/boot.rb
|
|
65
|
-
- fixtures/rails_3_2_12/config/database.yml
|
|
66
63
|
- fixtures/rails_3_2_12/config/environment.rb
|
|
67
|
-
- fixtures/rails_3_2_12/config/environments/development.rb
|
|
68
|
-
- fixtures/rails_3_2_12/config/environments/production.rb
|
|
69
64
|
- fixtures/rails_3_2_12/config/environments/test.rb
|
|
70
|
-
- fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
|
|
71
|
-
- fixtures/rails_3_2_12/config/initializers/inflections.rb
|
|
72
|
-
- fixtures/rails_3_2_12/config/initializers/mime_types.rb
|
|
73
|
-
- fixtures/rails_3_2_12/config/initializers/secret_token.rb
|
|
74
65
|
- fixtures/rails_3_2_12/config/initializers/secure_headers.rb
|
|
75
|
-
- fixtures/rails_3_2_12/config/initializers/session_store.rb
|
|
76
|
-
- fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
|
|
77
|
-
- fixtures/rails_3_2_12/config/locales/en.yml
|
|
78
66
|
- fixtures/rails_3_2_12/config/routes.rb
|
|
79
|
-
- fixtures/rails_3_2_12/db/schema.rb
|
|
80
|
-
- fixtures/rails_3_2_12/db/seeds.rb
|
|
81
67
|
- fixtures/rails_3_2_12/lib/assets/.gitkeep
|
|
82
68
|
- fixtures/rails_3_2_12/lib/tasks/.gitkeep
|
|
83
69
|
- fixtures/rails_3_2_12/log/.gitkeep
|
|
@@ -89,39 +75,21 @@ files:
|
|
|
89
75
|
- fixtures/rails_3_2_12/vendor/plugins/.gitkeep
|
|
90
76
|
- fixtures/rails_3_2_12_no_init/.rspec
|
|
91
77
|
- fixtures/rails_3_2_12_no_init/Gemfile
|
|
92
|
-
- fixtures/rails_3_2_12_no_init/Guardfile
|
|
93
78
|
- fixtures/rails_3_2_12_no_init/README.rdoc
|
|
94
79
|
- fixtures/rails_3_2_12_no_init/Rakefile
|
|
95
80
|
- fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
|
|
96
81
|
- fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
|
|
97
82
|
- fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
|
|
98
83
|
- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
|
|
99
|
-
- fixtures/rails_3_2_12_no_init/app/models/thing.rb
|
|
100
84
|
- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
|
|
101
85
|
- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
|
|
102
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
|
|
103
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
|
|
104
86
|
- fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
|
|
105
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
|
|
106
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
|
|
107
87
|
- fixtures/rails_3_2_12_no_init/config.ru
|
|
108
88
|
- fixtures/rails_3_2_12_no_init/config/application.rb
|
|
109
89
|
- fixtures/rails_3_2_12_no_init/config/boot.rb
|
|
110
|
-
- fixtures/rails_3_2_12_no_init/config/database.yml
|
|
111
90
|
- fixtures/rails_3_2_12_no_init/config/environment.rb
|
|
112
|
-
- fixtures/rails_3_2_12_no_init/config/environments/development.rb
|
|
113
|
-
- fixtures/rails_3_2_12_no_init/config/environments/production.rb
|
|
114
91
|
- fixtures/rails_3_2_12_no_init/config/environments/test.rb
|
|
115
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
|
|
116
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
|
|
117
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
|
|
118
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
|
|
119
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
|
|
120
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
|
|
121
|
-
- fixtures/rails_3_2_12_no_init/config/locales/en.yml
|
|
122
92
|
- fixtures/rails_3_2_12_no_init/config/routes.rb
|
|
123
|
-
- fixtures/rails_3_2_12_no_init/db/schema.rb
|
|
124
|
-
- fixtures/rails_3_2_12_no_init/db/seeds.rb
|
|
125
93
|
- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
|
|
126
94
|
- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
|
|
127
95
|
- fixtures/rails_3_2_12_no_init/log/.gitkeep
|
|
@@ -136,8 +104,10 @@ files:
|
|
|
136
104
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
137
105
|
- lib/secure_headers/headers/strict_transport_security.rb
|
|
138
106
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
107
|
+
- lib/secure_headers/headers/x_download_options.rb
|
|
139
108
|
- lib/secure_headers/headers/x_frame_options.rb
|
|
140
109
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
110
|
+
- lib/secure_headers/padrino.rb
|
|
141
111
|
- lib/secure_headers/railtie.rb
|
|
142
112
|
- lib/secure_headers/version.rb
|
|
143
113
|
- secure_headers.gemspec
|
|
@@ -145,6 +115,7 @@ files:
|
|
|
145
115
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
146
116
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
147
117
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
118
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
148
119
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
149
120
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
150
121
|
- spec/lib/secure_headers_spec.rb
|
|
@@ -171,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
171
142
|
version: '0'
|
|
172
143
|
requirements: []
|
|
173
144
|
rubyforge_project:
|
|
174
|
-
rubygems_version: 1.8.
|
|
145
|
+
rubygems_version: 1.8.23
|
|
175
146
|
signing_key:
|
|
176
147
|
specification_version: 3
|
|
177
148
|
summary: Add easily configured browser headers to responses including content security
|
|
@@ -181,6 +152,7 @@ test_files:
|
|
|
181
152
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
182
153
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
183
154
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
155
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
184
156
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
185
157
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
186
158
|
- spec/lib/secure_headers_spec.rb
|
data/.rvmrc
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
rvm use 1.9.3@secureheaders --create
|
data/Guardfile
DELETED
|
@@ -1,10 +0,0 @@
|
|
|
1
|
-
guard 'spork', :aggressive_kill => false do
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
6
|
-
watch(%r{^spec/.+_spec\.rb$})
|
|
7
|
-
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
8
|
-
watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
|
|
9
|
-
watch('spec/spec_helper.rb') { "spec" }
|
|
10
|
-
end
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
guard 'spork', :rspec_port => 1234, :aggressive_kill => false do
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --drb-port 1234", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
6
|
-
watch(%r{^spec/.+_spec\.rb$})
|
|
7
|
-
watch('../../../lib')
|
|
8
|
-
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
9
|
-
watch('spec/spec_helper.rb') { "spec" }
|
|
10
|
-
watch(%r{^app/controllers/(.+)_(controller)\.rb$}) { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
|
|
11
|
-
watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
|
|
12
|
-
watch('app/controllers/application_controller.rb') { "spec/controllers" }
|
|
13
|
-
end
|
|
14
|
-
|
|
@@ -1,25 +0,0 @@
|
|
|
1
|
-
# SQLite version 3.x
|
|
2
|
-
# gem install sqlite3
|
|
3
|
-
#
|
|
4
|
-
# Ensure the SQLite 3 gem is defined in your Gemfile
|
|
5
|
-
# gem 'sqlite3'
|
|
6
|
-
development:
|
|
7
|
-
adapter: sqlite3
|
|
8
|
-
database: db/development.sqlite3
|
|
9
|
-
pool: 5
|
|
10
|
-
timeout: 5000
|
|
11
|
-
|
|
12
|
-
# Warning: The database defined as "test" will be erased and
|
|
13
|
-
# re-generated from your development database when you run "rake".
|
|
14
|
-
# Do not set this db to the same as development or production.
|
|
15
|
-
test:
|
|
16
|
-
adapter: sqlite3
|
|
17
|
-
database: db/test.sqlite3
|
|
18
|
-
pool: 5
|
|
19
|
-
timeout: 5000
|
|
20
|
-
|
|
21
|
-
production:
|
|
22
|
-
adapter: sqlite3
|
|
23
|
-
database: db/production.sqlite3
|
|
24
|
-
pool: 5
|
|
25
|
-
timeout: 5000
|
|
@@ -1,37 +0,0 @@
|
|
|
1
|
-
Rails3212::Application.configure do
|
|
2
|
-
# Settings specified here will take precedence over those in config/application.rb
|
|
3
|
-
|
|
4
|
-
# In the development environment your application's code is reloaded on
|
|
5
|
-
# every request. This slows down response time but is perfect for development
|
|
6
|
-
# since you don't have to restart the web server when you make code changes.
|
|
7
|
-
config.cache_classes = false
|
|
8
|
-
|
|
9
|
-
# Log error messages when you accidentally call methods on nil.
|
|
10
|
-
config.whiny_nils = true
|
|
11
|
-
|
|
12
|
-
# Show full error reports and disable caching
|
|
13
|
-
config.consider_all_requests_local = true
|
|
14
|
-
config.action_controller.perform_caching = false
|
|
15
|
-
|
|
16
|
-
# Don't care if the mailer can't send
|
|
17
|
-
config.action_mailer.raise_delivery_errors = false
|
|
18
|
-
|
|
19
|
-
# Print deprecation notices to the Rails logger
|
|
20
|
-
config.active_support.deprecation = :log
|
|
21
|
-
|
|
22
|
-
# Only use best-standards-support built into browsers
|
|
23
|
-
config.action_dispatch.best_standards_support = :builtin
|
|
24
|
-
|
|
25
|
-
# Raise exception on mass assignment protection for Active Record models
|
|
26
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
27
|
-
|
|
28
|
-
# Log the query plan for queries taking more than this (works
|
|
29
|
-
# with SQLite, MySQL, and PostgreSQL)
|
|
30
|
-
config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
31
|
-
|
|
32
|
-
# Do not compress assets
|
|
33
|
-
config.assets.compress = false
|
|
34
|
-
|
|
35
|
-
# Expands the lines which load the assets
|
|
36
|
-
config.assets.debug = true
|
|
37
|
-
end
|
|
@@ -1,67 +0,0 @@
|
|
|
1
|
-
Rails3212::Application.configure do
|
|
2
|
-
# Settings specified here will take precedence over those in config/application.rb
|
|
3
|
-
|
|
4
|
-
# Code is not reloaded between requests
|
|
5
|
-
config.cache_classes = true
|
|
6
|
-
|
|
7
|
-
# Full error reports are disabled and caching is turned on
|
|
8
|
-
config.consider_all_requests_local = false
|
|
9
|
-
config.action_controller.perform_caching = true
|
|
10
|
-
|
|
11
|
-
# Disable Rails's static asset server (Apache or nginx will already do this)
|
|
12
|
-
config.serve_static_assets = false
|
|
13
|
-
|
|
14
|
-
# Compress JavaScripts and CSS
|
|
15
|
-
config.assets.compress = true
|
|
16
|
-
|
|
17
|
-
# Don't fallback to assets pipeline if a precompiled asset is missed
|
|
18
|
-
config.assets.compile = false
|
|
19
|
-
|
|
20
|
-
# Generate digests for assets URLs
|
|
21
|
-
config.assets.digest = true
|
|
22
|
-
|
|
23
|
-
# Defaults to nil and saved in location specified by config.assets.prefix
|
|
24
|
-
# config.assets.manifest = YOUR_PATH
|
|
25
|
-
|
|
26
|
-
# Specifies the header that your server uses for sending files
|
|
27
|
-
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
|
|
28
|
-
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
|
|
29
|
-
|
|
30
|
-
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
|
|
31
|
-
# config.force_ssl = true
|
|
32
|
-
|
|
33
|
-
# See everything in the log (default is :info)
|
|
34
|
-
# config.log_level = :debug
|
|
35
|
-
|
|
36
|
-
# Prepend all log lines with the following tags
|
|
37
|
-
# config.log_tags = [ :subdomain, :uuid ]
|
|
38
|
-
|
|
39
|
-
# Use a different logger for distributed setups
|
|
40
|
-
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
|
|
41
|
-
|
|
42
|
-
# Use a different cache store in production
|
|
43
|
-
# config.cache_store = :mem_cache_store
|
|
44
|
-
|
|
45
|
-
# Enable serving of images, stylesheets, and JavaScripts from an asset server
|
|
46
|
-
# config.action_controller.asset_host = "http://assets.example.com"
|
|
47
|
-
|
|
48
|
-
# Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
|
|
49
|
-
# config.assets.precompile += %w( search.js )
|
|
50
|
-
|
|
51
|
-
# Disable delivery errors, bad email addresses will be ignored
|
|
52
|
-
# config.action_mailer.raise_delivery_errors = false
|
|
53
|
-
|
|
54
|
-
# Enable threaded mode
|
|
55
|
-
# config.threadsafe!
|
|
56
|
-
|
|
57
|
-
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
|
|
58
|
-
# the I18n.default_locale when a translation can not be found)
|
|
59
|
-
config.i18n.fallbacks = true
|
|
60
|
-
|
|
61
|
-
# Send deprecation notices to registered listeners
|
|
62
|
-
config.active_support.deprecation = :notify
|
|
63
|
-
|
|
64
|
-
# Log the query plan for queries taking more than this (works
|
|
65
|
-
# with SQLite, MySQL, and PostgreSQL)
|
|
66
|
-
# config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
67
|
-
end
|
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
|
|
4
|
-
# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
|
|
5
|
-
|
|
6
|
-
# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
|
|
7
|
-
# Rails.backtrace_cleaner.remove_silencers!
|
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
# Add new inflection rules using the following format
|
|
4
|
-
# (all these examples are active by default):
|
|
5
|
-
# ActiveSupport::Inflector.inflections do |inflect|
|
|
6
|
-
# inflect.plural /^(ox)$/i, '\1en'
|
|
7
|
-
# inflect.singular /^(ox)en/i, '\1'
|
|
8
|
-
# inflect.irregular 'person', 'people'
|
|
9
|
-
# inflect.uncountable %w( fish sheep )
|
|
10
|
-
# end
|
|
11
|
-
#
|
|
12
|
-
# These inflection rules are supported but not enabled by default:
|
|
13
|
-
# ActiveSupport::Inflector.inflections do |inflect|
|
|
14
|
-
# inflect.acronym 'RESTful'
|
|
15
|
-
# end
|
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
# Your secret key for verifying the integrity of signed cookies.
|
|
4
|
-
# If you change this key, all old signed cookies will become invalid!
|
|
5
|
-
# Make sure the secret is at least 30 characters and all random,
|
|
6
|
-
# no regular words or you'll be exposed to dictionary attacks.
|
|
7
|
-
Rails3212::Application.config.secret_token = '8dd5aabfbd49f9bce1c5b7dee79d7349cb869f54984ead01f7a272e6f75a58413f621733855906dc9cc249b9486d95583519096d92e77b910f82ba4a90326db7'
|
|
@@ -1,8 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
Rails3212::Application.config.session_store :cookie_store, :key => '_rails_3_2_12_session'
|
|
4
|
-
|
|
5
|
-
# Use the database for sessions instead of the cookie-based default,
|
|
6
|
-
# which shouldn't be used to store highly confidential information
|
|
7
|
-
# (create the session table with "rails generate session_migration")
|
|
8
|
-
# Rails3212::Application.config.session_store :active_record_store
|