secure_headers 1.1.1 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +4 -8
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +8 -3
- data/Gemfile +6 -11
- data/README.md +184 -101
- data/Rakefile +11 -116
- data/fixtures/rails_3_2_12/Gemfile +0 -8
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +57 -19
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +18 -13
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +17 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +17 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/fixtures/rails_4_1_8/Gemfile +5 -0
- data/fixtures/rails_4_1_8/README.rdoc +28 -0
- data/fixtures/rails_4_1_8/Rakefile +6 -0
- data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
- data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/models/.keep +0 -0
- data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
- data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
- data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
- data/fixtures/rails_4_1_8/config/application.rb +15 -0
- data/fixtures/rails_4_1_8/config/boot.rb +4 -0
- data/fixtures/rails_4_1_8/config/environment.rb +5 -0
- data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
- data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
- data/fixtures/rails_4_1_8/config/routes.rb +4 -0
- data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
- data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
- data/fixtures/rails_4_1_8/config.ru +4 -0
- data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
- data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
- data/fixtures/rails_4_1_8/log/.keep +0 -0
- data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
- data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
- data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
- data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
- data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +154 -129
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/railtie.rb +19 -24
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +65 -16
- data/lib/tasks/tasks.rake +48 -0
- data/secure_headers.gemspec +4 -4
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +127 -220
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
- data/spec/lib/secure_headers_spec.rb +69 -68
- data/spec/spec_helper.rb +29 -18
- metadata +51 -46
- data/.rvmrc +0 -1
- data/Guardfile +0 -10
- data/HISTORY.md +0 -115
- data/app/controllers/content_security_policy_controller.rb +0 -75
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
|
@@ -4,45 +4,50 @@ require 'spec_helper'
|
|
|
4
4
|
# all values are defaulted because no initializer is configured, and the values in app controller
|
|
5
5
|
# only provide csp => false
|
|
6
6
|
|
|
7
|
-
describe ThingsController do
|
|
7
|
+
describe ThingsController, :type => :controller do
|
|
8
8
|
describe "headers" do
|
|
9
|
-
before(:each) do
|
|
10
|
-
# Chrome
|
|
11
|
-
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
|
12
|
-
end
|
|
13
|
-
|
|
14
9
|
it "sets the X-XSS-Protection header" do
|
|
15
10
|
get :index
|
|
16
|
-
response.headers['X-XSS-Protection'].
|
|
11
|
+
expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
|
|
17
12
|
end
|
|
18
13
|
|
|
19
14
|
it "sets the X-Frame-Options header" do
|
|
20
15
|
get :index
|
|
21
|
-
response.headers['X-Frame-Options'].
|
|
16
|
+
expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
|
|
22
17
|
end
|
|
23
18
|
|
|
24
19
|
it "sets the X-WebKit-CSP header" do
|
|
25
20
|
get :index
|
|
26
|
-
response.headers['Content-Security-Policy-Report-Only'].
|
|
21
|
+
expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
|
|
27
22
|
end
|
|
28
23
|
|
|
29
24
|
#mock ssl
|
|
30
25
|
it "sets the Strict-Transport-Security header" do
|
|
31
26
|
request.env['HTTPS'] = 'on'
|
|
32
27
|
get :index
|
|
33
|
-
response.headers['Strict-Transport-Security'].
|
|
28
|
+
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
it "sets the X-Download-Options header" do
|
|
32
|
+
get :index
|
|
33
|
+
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
it "sets the X-Content-Type-Options header" do
|
|
37
37
|
get :index
|
|
38
|
-
response.headers['X-Content-Type-Options'].
|
|
38
|
+
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
it "sets the X-Permitted-Cross-Domain-Policies" do
|
|
42
|
+
get :index
|
|
43
|
+
expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
|
39
44
|
end
|
|
40
45
|
|
|
41
46
|
context "using IE" do
|
|
42
47
|
it "sets the X-Content-Type-Options header" do
|
|
43
48
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
44
49
|
get :index
|
|
45
|
-
response.headers['X-Content-Type-Options'].
|
|
50
|
+
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
46
51
|
end
|
|
47
52
|
end
|
|
48
53
|
end
|
|
@@ -1,20 +1,5 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require 'spork'
|
|
3
|
-
#uncomment the following line to use spork with the debugger
|
|
4
|
-
#require 'spork/ext/ruby-debug'
|
|
5
2
|
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
# need to restart spork for it take effect.
|
|
10
|
-
# This file is copied to spec/ when you run 'rails generate rspec:install'
|
|
11
|
-
ENV["RAILS_ENV"] ||= 'test'
|
|
12
|
-
require File.expand_path("../../config/environment", __FILE__)
|
|
13
|
-
require 'rspec/rails'
|
|
14
|
-
require 'rspec/autorun'
|
|
15
|
-
# require 'ruby-debug'
|
|
16
|
-
end
|
|
17
|
-
|
|
18
|
-
Spork.each_run do
|
|
19
|
-
|
|
20
|
-
end
|
|
3
|
+
ENV["RAILS_ENV"] ||= 'test'
|
|
4
|
+
require File.expand_path("../../config/environment", __FILE__)
|
|
5
|
+
require 'rspec/rails'
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
== README
|
|
2
|
+
|
|
3
|
+
This README would normally document whatever steps are necessary to get the
|
|
4
|
+
application up and running.
|
|
5
|
+
|
|
6
|
+
Things you may want to cover:
|
|
7
|
+
|
|
8
|
+
* Ruby version
|
|
9
|
+
|
|
10
|
+
* System dependencies
|
|
11
|
+
|
|
12
|
+
* Configuration
|
|
13
|
+
|
|
14
|
+
* Database creation
|
|
15
|
+
|
|
16
|
+
* Database initialization
|
|
17
|
+
|
|
18
|
+
* How to run the test suite
|
|
19
|
+
|
|
20
|
+
* Services (job queues, cache servers, search engines, etc.)
|
|
21
|
+
|
|
22
|
+
* Deployment instructions
|
|
23
|
+
|
|
24
|
+
* ...
|
|
25
|
+
|
|
26
|
+
|
|
27
|
+
Please feel free to use a different markup language if you do not plan to run
|
|
28
|
+
<tt>rake doc:app</tt>.
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
things
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
require File.expand_path('../boot', __FILE__)
|
|
2
|
+
|
|
3
|
+
require "action_controller/railtie"
|
|
4
|
+
require "sprockets/railtie"
|
|
5
|
+
|
|
6
|
+
# Require the gems listed in Gemfile, including any gems
|
|
7
|
+
# you've limited to :test, :development, or :production.
|
|
8
|
+
Bundler.require(*Rails.groups)
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
module Rails418
|
|
12
|
+
class Application < Rails::Application
|
|
13
|
+
|
|
14
|
+
end
|
|
15
|
+
end
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
Rails418::Application.configure do
|
|
2
|
+
config.cache_classes = true
|
|
3
|
+
config.eager_load = false
|
|
4
|
+
config.serve_static_assets = true
|
|
5
|
+
config.static_cache_control = 'public, max-age=3600'
|
|
6
|
+
config.consider_all_requests_local = true
|
|
7
|
+
config.action_controller.perform_caching = false
|
|
8
|
+
config.action_dispatch.show_exceptions = false
|
|
9
|
+
config.action_controller.allow_forgery_protection = false
|
|
10
|
+
end
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
::SecureHeaders::Configuration.configure do |config|
|
|
2
|
+
config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
|
|
3
|
+
config.x_frame_options = 'DENY'
|
|
4
|
+
config.x_content_type_options = "nosniff"
|
|
5
|
+
config.x_xss_protection = {:value => 0}
|
|
6
|
+
config.x_permitted_cross_domain_policies = 'none'
|
|
7
|
+
csp = {
|
|
8
|
+
:default_src => "self",
|
|
9
|
+
:script_src => "self nonce",
|
|
10
|
+
:disable_fill_missing => true,
|
|
11
|
+
:report_uri => 'somewhere',
|
|
12
|
+
:script_hash_middleware => true,
|
|
13
|
+
:enforce => false # false means warnings only
|
|
14
|
+
}
|
|
15
|
+
|
|
16
|
+
config.csp = csp
|
|
17
|
+
end
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# Be sure to restart your server when you modify this file.
|
|
2
|
+
|
|
3
|
+
# Your secret key is used for verifying the integrity of signed cookies.
|
|
4
|
+
# If you change this key, all old signed cookies will become invalid!
|
|
5
|
+
|
|
6
|
+
# Make sure the secret is at least 30 characters and all random,
|
|
7
|
+
# no regular words or you'll be exposed to dictionary attacks.
|
|
8
|
+
# You can use `rake secret` to generate a secure secret key.
|
|
9
|
+
|
|
10
|
+
# Make sure the secrets in this file are kept private
|
|
11
|
+
# if you're sharing your code publicly.
|
|
12
|
+
|
|
13
|
+
development:
|
|
14
|
+
secret_key_base: ddba38f932720d8f18257f2a05dc278963a29cf569c45aa97ff4e9fc9bbc78af5a03fcf135caad45caee66ac09f8f9913c1f5e338a61213f420eefa8dd6363d2
|
|
15
|
+
|
|
16
|
+
test:
|
|
17
|
+
secret_key_base: f73abd7eab84fa7af5a2fc0a9c2727c5bad47433e51aa0c9c6b0782dac176a8e7f337e1f93adc6d6fc17027e67a533040b6408e54d72dea2eec6e5b9820dbcb9
|
|
18
|
+
|
|
19
|
+
# Do not keep production secrets in the repository,
|
|
20
|
+
# instead read values from the environment.
|
|
21
|
+
production:
|
|
22
|
+
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
require 'secure_headers/headers/content_security_policy/script_hash_middleware'
|
|
4
|
+
|
|
5
|
+
describe OtherThingsController, :type => :controller do
|
|
6
|
+
include Rack::Test::Methods
|
|
7
|
+
|
|
8
|
+
def app
|
|
9
|
+
OtherThingsController.action(:index)
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def request(opts = {})
|
|
13
|
+
options = opts.merge(
|
|
14
|
+
{
|
|
15
|
+
'HTTPS' => 'on',
|
|
16
|
+
'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
17
|
+
}
|
|
18
|
+
)
|
|
19
|
+
|
|
20
|
+
|
|
21
|
+
Rack::MockRequest.env_for('/', options)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
describe "headers" do
|
|
26
|
+
before(:each) do
|
|
27
|
+
_, @env = app.call(request)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
it "sets the X-XSS-Protection header" do
|
|
31
|
+
get '/'
|
|
32
|
+
expect(@env['X-XSS-Protection']).to eq('0')
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
it "sets the X-Frame-Options header" do
|
|
36
|
+
get '/'
|
|
37
|
+
expect(@env['X-Frame-Options']).to eq('DENY')
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
it "sets the CSP header with a local reference to a nonce" do
|
|
41
|
+
middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
|
|
42
|
+
_, env = middleware.call(request(@env))
|
|
43
|
+
expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
it "sets the required hashes to whitelist inline script" do
|
|
47
|
+
middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
|
|
48
|
+
_, env = middleware.call(request(@env))
|
|
49
|
+
hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
|
|
50
|
+
hashes.each do |hash|
|
|
51
|
+
expect(env['Content-Security-Policy-Report-Only']).to include(hash)
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
it "sets the Strict-Transport-Security header" do
|
|
56
|
+
get '/'
|
|
57
|
+
expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
it "sets the X-Download-Options header" do
|
|
61
|
+
get '/'
|
|
62
|
+
expect(@env['X-Download-Options']).to eq('noopen')
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
it "sets the X-Content-Type-Options header" do
|
|
66
|
+
get '/'
|
|
67
|
+
expect(@env['X-Content-Type-Options']).to eq("nosniff")
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
it "sets the X-Permitted-Cross-Domain-Policies" do
|
|
71
|
+
get '/'
|
|
72
|
+
expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
context "using IE" do
|
|
76
|
+
it "sets the X-Content-Type-Options header" do
|
|
77
|
+
@env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
78
|
+
get '/'
|
|
79
|
+
expect(@env['X-Content-Type-Options']).to eq("nosniff")
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
end
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
# config.action_dispatch.default_headers defaults to:
|
|
2
|
+
# {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"}
|
|
3
|
+
# so we want to set our specs to expect something else to ensure secureheaders is taking precedence
|
|
4
|
+
|
|
5
|
+
require 'spec_helper'
|
|
6
|
+
|
|
7
|
+
# This controller is meant to be something that inherits config from application controller
|
|
8
|
+
# all values are defaulted because no initializer is configured, and the values in app controller
|
|
9
|
+
# only provide csp => false
|
|
10
|
+
|
|
11
|
+
describe ThingsController, :type => :controller do
|
|
12
|
+
|
|
13
|
+
describe "headers" do
|
|
14
|
+
it "sets the X-XSS-Protection header" do
|
|
15
|
+
get :index
|
|
16
|
+
expect(response.headers['X-XSS-Protection']).to eq('0')
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
it "sets the X-Frame-Options header" do
|
|
20
|
+
get :index
|
|
21
|
+
expect(response.headers['X-Frame-Options']).to eq('DENY')
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
it "does not set CSP header" do
|
|
25
|
+
get :index
|
|
26
|
+
expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
#mock ssl
|
|
30
|
+
it "sets the Strict-Transport-Security header" do
|
|
31
|
+
request.env['HTTPS'] = 'on'
|
|
32
|
+
get :index
|
|
33
|
+
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
it "sets the X-Download-Options header" do
|
|
37
|
+
get :index
|
|
38
|
+
expect(response.headers['X-Download-Options']).to eq('noopen')
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
it "sets the X-Content-Type-Options header" do
|
|
42
|
+
get :index
|
|
43
|
+
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
it "sets the X-Permitted-Cross-Domain-Policies" do
|
|
47
|
+
get :index
|
|
48
|
+
expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
context "using IE" do
|
|
52
|
+
it "sets the X-Content-Type-Options header" do
|
|
53
|
+
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
54
|
+
get :index
|
|
55
|
+
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
end
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
require 'rubygems'
|
|
2
|
+
|
|
3
|
+
#uncomment the following line to use spork with the debugger
|
|
4
|
+
#require 'spork/ext/ruby-debug'
|
|
5
|
+
|
|
6
|
+
# Spork.prefork do
|
|
7
|
+
# Loading more in this block will cause your tests to run faster. However,
|
|
8
|
+
# if you change any configuration or code from libraries loaded here, you'll
|
|
9
|
+
# need to restart spork for it take effect.
|
|
10
|
+
# This file is copied to spec/ when you run 'rails generate rspec:install'
|
|
11
|
+
ENV["RAILS_ENV"] ||= 'test'
|
|
12
|
+
require File.expand_path("../../config/environment", __FILE__)
|
|
13
|
+
require 'rspec/rails'
|
|
14
|
+
# end
|
|
15
|
+
|
|
File without changes
|
|
File without changes
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
class ContentSecurityPolicy
|
|
3
|
+
class ScriptHashMiddleware
|
|
4
|
+
def initialize(app)
|
|
5
|
+
@app = app
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
def call(env)
|
|
9
|
+
status, headers, response = @app.call(env)
|
|
10
|
+
metadata = env[ContentSecurityPolicy::ENV_KEY]
|
|
11
|
+
if !metadata.nil?
|
|
12
|
+
config, options = metadata.values_at(:config, :options)
|
|
13
|
+
config.merge!(:script_hashes => env[HASHES_ENV_KEY])
|
|
14
|
+
csp_header = ContentSecurityPolicy.new(config, options)
|
|
15
|
+
headers[csp_header.name] = csp_header.value
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
[status, headers, response]
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|