secure_headers 1.1.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (128) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +4 -8
  3. data/.ruby-gemset +1 -0
  4. data/.ruby-version +1 -0
  5. data/.travis.yml +8 -3
  6. data/Gemfile +6 -11
  7. data/README.md +219 -104
  8. data/Rakefile +11 -116
  9. data/fixtures/rails_3_2_12/Gemfile +0 -8
  10. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  11. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  12. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  13. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  14. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  15. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  16. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
  17. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  18. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  19. data/fixtures/rails_3_2_12/config.ru +3 -0
  20. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +57 -19
  21. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +18 -13
  22. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
  23. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
  24. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  25. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  26. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  27. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  28. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  29. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  30. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  31. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +17 -12
  32. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +17 -12
  33. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
  34. data/fixtures/rails_4_1_8/Gemfile +5 -0
  35. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  36. data/fixtures/rails_4_1_8/Rakefile +6 -0
  37. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  38. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  39. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  40. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  41. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  42. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  43. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  44. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  45. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  46. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  47. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  48. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  49. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  50. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  51. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  52. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  53. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  54. data/fixtures/rails_4_1_8/config.ru +4 -0
  55. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  56. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  57. data/fixtures/rails_4_1_8/log/.keep +0 -0
  58. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  59. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  60. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  61. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  62. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  63. data/lib/secure_headers/hash_helper.rb +7 -0
  64. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  65. data/lib/secure_headers/headers/content_security_policy.rb +160 -129
  66. data/lib/secure_headers/headers/public_key_pins.rb +95 -0
  67. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  68. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  69. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  70. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  71. data/lib/secure_headers/padrino.rb +14 -0
  72. data/lib/secure_headers/railtie.rb +19 -24
  73. data/lib/secure_headers/version.rb +1 -1
  74. data/lib/secure_headers/view_helper.rb +68 -0
  75. data/lib/secure_headers.rb +78 -16
  76. data/lib/tasks/tasks.rake +48 -0
  77. data/secure_headers.gemspec +4 -4
  78. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  79. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +127 -220
  80. data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +37 -0
  81. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
  82. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
  83. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  84. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
  85. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  86. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
  87. data/spec/lib/secure_headers_spec.rb +115 -73
  88. data/spec/spec_helper.rb +30 -18
  89. metadata +62 -58
  90. data/.rvmrc +0 -1
  91. data/Guardfile +0 -10
  92. data/HISTORY.md +0 -115
  93. data/app/controllers/content_security_policy_controller.rb +0 -75
  94. data/config/curl-ca-bundle.crt +0 -5420
  95. data/config/routes.rb +0 -3
  96. data/fixtures/rails_3_2_12/Guardfile +0 -14
  97. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  98. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  99. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  100. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  101. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  102. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  103. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  104. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  105. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  106. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  107. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  108. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  109. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  110. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
  111. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  112. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  113. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  114. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  115. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  116. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  117. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  118. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  119. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  120. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  121. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  122. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  123. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  124. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  125. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  126. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  127. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
  128. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
@@ -0,0 +1,7 @@
1
+ module SecureHeaders
2
+ module HashHelper
3
+ def hash_source(inline_script, digest = :SHA256)
4
+ [digest.to_s.downcase, "-", [[Digest.const_get(digest).hexdigest(inline_script)].pack("H*")].pack("m").chomp].join
5
+ end
6
+ end
7
+ end
@@ -0,0 +1,22 @@
1
+ module SecureHeaders
2
+ class ContentSecurityPolicy
3
+ class ScriptHashMiddleware
4
+ def initialize(app)
5
+ @app = app
6
+ end
7
+
8
+ def call(env)
9
+ status, headers, response = @app.call(env)
10
+ metadata = env[ContentSecurityPolicy::ENV_KEY]
11
+ if !metadata.nil?
12
+ config, options = metadata.values_at(:config, :options)
13
+ config.merge!(:script_hashes => env[HASHES_ENV_KEY])
14
+ csp_header = ContentSecurityPolicy.new(config, options)
15
+ headers[csp_header.name] = csp_header.value
16
+ end
17
+
18
+ [status, headers, response]
19
+ end
20
+ end
21
+ end
22
+ end
@@ -1,79 +1,160 @@
1
1
  require 'uri'
2
+ require 'base64'
3
+ require 'securerandom'
2
4
 
3
5
  module SecureHeaders
4
6
  class ContentSecurityPolicyBuildError < StandardError; end
5
7
  class ContentSecurityPolicy < Header
6
8
  module Constants
7
- DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src data:"
8
- STANDARD_HEADER_NAME = "Content-Security-Policy"
9
- FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
10
- DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
11
- META = [:enforce, :http_additions, :disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
9
+ DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
10
+ HEADER_NAME = "Content-Security-Policy"
11
+ ENV_KEY = 'secure_headers.content_security_policy'
12
+ DIRECTIVES = [
13
+ :default_src,
14
+ :connect_src,
15
+ :font_src,
16
+ :frame_src,
17
+ :img_src,
18
+ :media_src,
19
+ :object_src,
20
+ :script_src,
21
+ :style_src
22
+ ]
23
+
24
+ NON_DEFAULT_SOURCES = [
25
+ :base_uri,
26
+ :child_src,
27
+ :form_action,
28
+ :frame_ancestors,
29
+ :plugin_types,
30
+ :referrer,
31
+ :reflected_xss
32
+ ]
33
+
34
+ OTHER = [
35
+ :report_uri
36
+ ]
37
+
38
+ SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
39
+
40
+ ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
12
41
  end
13
42
  include Constants
14
43
 
15
- attr_accessor *META
16
- attr_reader :browser, :ssl_request, :report_uri, :request_uri, :experimental
17
-
18
- alias :disable_chrome_extension? :disable_chrome_extension
44
+ attr_reader :disable_fill_missing, :ssl_request
19
45
  alias :disable_fill_missing? :disable_fill_missing
20
46
  alias :ssl_request? :ssl_request
21
47
 
48
+ class << self
49
+ def generate_nonce
50
+ SecureRandom.base64(32).chomp
51
+ end
52
+
53
+ def set_nonce(controller, nonce = generate_nonce)
54
+ controller.instance_variable_set(:@content_security_policy_nonce, nonce)
55
+ end
56
+
57
+ def add_to_env(request, controller, config)
58
+ set_nonce(controller)
59
+ options = options_from_request(request).merge(:controller => controller)
60
+ request.env[Constants::ENV_KEY] = {
61
+ :config => config,
62
+ :options => options,
63
+ }
64
+ end
65
+
66
+ def options_from_request(request)
67
+ {
68
+ :ssl => request.ssl?,
69
+ :ua => request.env['HTTP_USER_AGENT'],
70
+ :request_uri => request_uri_from_request(request),
71
+ }
72
+ end
73
+
74
+ def request_uri_from_request(request)
75
+ if request.respond_to?(:original_url)
76
+ # rails 3.1+
77
+ request.original_url
78
+ else
79
+ # rails 2/3.0
80
+ request.url
81
+ end
82
+ end
83
+
84
+ def symbol_to_hyphen_case sym
85
+ sym.to_s.gsub('_', '-')
86
+ end
87
+ end
88
+
22
89
  # +options+ param contains
23
- # :experimental use experimental block for config
90
+ # :controller used for setting instance variables for nonces/hashes
24
91
  # :ssl_request used to determine if http_additions should be used
25
- # :request_uri used to determine if firefox should send the report directly
26
- # or use the forwarding endpoint
27
92
  # :ua the user agent (or just use Firefox/Chrome/MSIE/etc)
28
93
  #
29
94
  # :report used to determine what :ssl_request, :ua, and :request_uri are set to
30
95
  def initialize(config=nil, options={})
31
- @experimental = !!options.delete(:experimental)
32
- @controller = options.delete(:controller)
96
+ return unless config
97
+
33
98
  if options[:request]
34
- parse_request(options[:request])
35
- else
36
- @ua = options[:ua]
37
- # fails open, assumes http. Bad idea? Will always include http additions.
38
- # could also fail if not supplied.
39
- @ssl_request = !!options.delete(:ssl)
40
- # a nil value here means we always assume we are not on the same host,
41
- # which causes all FF csp reports to go through the forwarder
42
- @request_uri = options.delete(:request_uri)
99
+ options = options.merge(self.class.options_from_request(options[:request]))
43
100
  end
44
101
 
45
- configure(config) if config
46
- end
47
-
48
- def configure(config)
49
- @config = config.dup
50
-
51
- experimental_config = @config.delete(:experimental)
52
- if @experimental && experimental_config
53
- @config[:http_additions] = experimental_config[:http_additions]
54
- @config.merge!(experimental_config)
55
- end
102
+ @controller = options[:controller]
103
+ @ua = options[:ua]
104
+ @ssl_request = !!options.delete(:ssl)
105
+ @request_uri = options.delete(:request_uri)
106
+
107
+ # Config values can be string, array, or lamdba values
108
+ @config = config.inject({}) do |hash, (key, value)|
109
+ config_val = value.respond_to?(:call) ? value.call : value
110
+
111
+ if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
112
+ config_val = config_val.split if config_val.is_a? String
113
+ if config_val.is_a?(Array)
114
+ config_val = config_val.map do |val|
115
+ translate_dir_value(val)
116
+ end.flatten.uniq
117
+ end
118
+ end
56
119
 
57
- META.each do |meta|
58
- self.send("#{meta}=", @config.delete(meta))
120
+ hash[key] = config_val
121
+ hash
59
122
  end
60
123
 
124
+ @http_additions = @config.delete(:http_additions)
125
+ @app_name = @config.delete(:app_name)
61
126
  @report_uri = @config.delete(:report_uri)
62
- @script_nonce = @config.delete(:script_nonce)
63
127
 
64
- normalize_csp_options
65
- normalize_reporting_endpoint
128
+ @disable_fill_missing = !!@config.delete(:disable_fill_missing)
129
+ @enforce = !!@config.delete(:enforce)
130
+ @tag_report_uri = !!@config.delete(:tag_report_uri)
131
+ @script_hashes = @config.delete(:script_hashes) || []
132
+
133
+ add_script_hashes if @script_hashes.any?
66
134
  fill_directives unless disable_fill_missing?
67
135
  end
68
136
 
137
+ ##
138
+ # Return or initialize the nonce value used for this header.
139
+ # If a reference to a controller is passed in the config, this method
140
+ # will check if a nonce has already been set and use it.
141
+ def nonce
142
+ @nonce ||= @controller.instance_variable_get(:@content_security_policy_nonce) || self.class.generate_nonce
143
+ end
144
+
145
+ ##
146
+ # Returns the name to use for the header. Either "Content-Security-Policy" or
147
+ # "Content-Security-Policy-Report-Only"
69
148
  def name
70
- base = STANDARD_HEADER_NAME
71
- if !enforce || experimental
149
+ base = HEADER_NAME
150
+ if !@enforce
72
151
  base += "-Report-Only"
73
152
  end
74
153
  base
75
154
  end
76
155
 
156
+ ##
157
+ # Return the value of the CSP header
77
158
  def value
78
159
  return @config if @config.is_a?(String)
79
160
  if @config
@@ -85,87 +166,52 @@ module SecureHeaders
85
166
 
86
167
  private
87
168
 
169
+ def add_script_hashes
170
+ @config[:script_src] << @script_hashes.map {|hash| "'#{hash}'"} << ["'unsafe-inline'"]
171
+ end
172
+
88
173
  def build_value
89
174
  raise "Expected to find default_src directive value" unless @config[:default_src]
90
175
  append_http_additions unless ssl_request?
91
176
  header_value = [
92
- # ensure default-src is first
93
- build_directive(:default_src),
94
- generic_directives(@config),
95
- report_uri_directive,
96
- script_nonce_directive,
97
- ].join
98
-
99
- #store the value for next time
100
- @config = header_value
101
- header_value.strip
102
- rescue StandardError => e
103
- raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
177
+ generic_directives,
178
+ non_default_directives,
179
+ report_uri_directive
180
+ ].join.strip
104
181
  end
105
182
 
106
183
  def fill_directives
107
- return unless @config[:default_src]
108
- default = @config[:default_src]
109
- DIRECTIVES.each do |directive|
110
- unless @config[directive]
111
- @config[directive] = default
184
+ if default = @config[:default_src]
185
+ DIRECTIVES.each do |directive|
186
+ unless @config[directive]
187
+ @config[directive] = default
188
+ end
112
189
  end
113
190
  end
114
- @config
115
191
  end
116
192
 
117
193
  def append_http_additions
118
- return unless http_additions
119
- http_additions.each do |k, v|
194
+ return unless @http_additions
195
+ @http_additions.each do |k, v|
120
196
  @config[k] ||= []
121
197
  @config[k] << v
122
198
  end
123
199
  end
124
200
 
125
- def normalize_csp_options
126
- @config.each do |k,v|
127
- @config[k] = v.split if v.is_a? String
128
- @config[k] = @config[k].map do |val|
129
- translate_dir_value(val)
130
- end
131
- end
132
- end
133
-
134
- # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
135
201
  def translate_dir_value val
136
202
  if %w{inline eval}.include?(val)
137
203
  val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
138
- # self/none are special sources/src-dir-values and need to be quoted in chrome
204
+ # self/none are special sources/src-dir-values and need to be quoted
139
205
  elsif %{self none}.include?(val)
140
206
  "'#{val}'"
207
+ elsif val == 'nonce'
208
+ self.class.set_nonce(@controller, nonce)
209
+ ["'nonce-#{nonce}'", "'unsafe-inline'"]
141
210
  else
142
211
  val
143
212
  end
144
213
  end
145
214
 
146
- # if we have a forwarding endpoint setup and we are not on the same origin as our report_uri
147
- # or only a path was supplied (in which case we assume cross-host)
148
- # we need to forward the request for Firefox.
149
- def normalize_reporting_endpoint
150
- if @ua && @ua =~ /Firefox/
151
- if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
152
- return
153
- end
154
-
155
- if forward_endpoint
156
- @report_uri = FF_CSP_ENDPOINT
157
- end
158
- end
159
- end
160
-
161
- def same_origin?
162
- return unless report_uri && request_uri
163
-
164
- origin = URI.parse(request_uri)
165
- uri = URI.parse(report_uri)
166
- uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
167
- end
168
-
169
215
  def report_uri_directive
170
216
  return '' if @report_uri.nil?
171
217
 
@@ -177,55 +223,40 @@ module SecureHeaders
177
223
  end
178
224
  end
179
225
 
180
- "report-uri #{@report_uri};"
181
- end
226
+ if @tag_report_uri
227
+ @report_uri = "#{@report_uri}?enforce=#{@enforce}"
228
+ @report_uri += "&app_name=#{@app_name}" if @app_name
229
+ end
182
230
 
183
- def script_nonce_directive
184
- return '' if @script_nonce.nil?
185
- nonce_value = if @script_nonce.is_a?(String)
186
- @script_nonce
187
- elsif @controller
188
- @controller.instance_exec(&@script_nonce)
189
- else
190
- @script_nonce.call
191
- end
192
- "script-nonce #{nonce_value};"
231
+ "report-uri #{@report_uri};"
193
232
  end
194
233
 
195
- def generic_directives(config)
234
+ def generic_directives
196
235
  header_value = ''
197
- if config[:img_src]
198
- config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
236
+ if @config[:img_src]
237
+ @config[:img_src] = @config[:img_src] + ['data:'] unless @config[:img_src].include?('data:')
199
238
  else
200
- config[:img_src] = ['data:']
239
+ @config[:img_src] = @config[:default_src] + ['data:']
201
240
  end
202
241
 
203
- config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
204
- header_value += build_directive(k)
242
+ DIRECTIVES.each do |directive_name|
243
+ header_value += build_directive(directive_name) if @config[directive_name]
205
244
  end
206
245
 
207
246
  header_value
208
247
  end
209
248
 
210
- # build and deletes the directive
211
- def build_directive(key)
212
- "#{symbol_to_hyphen_case(key)} #{@config.delete(key).join(" ")}; "
213
- end
249
+ def non_default_directives
250
+ header_value = ''
251
+ NON_DEFAULT_SOURCES.each do |directive_name|
252
+ header_value += build_directive(directive_name) if @config[directive_name]
253
+ end
214
254
 
215
- def symbol_to_hyphen_case sym
216
- sym.to_s.gsub('_', '-')
255
+ header_value
217
256
  end
218
257
 
219
- def parse_request request
220
- @ssl_request = request.ssl?
221
- @ua = request.env['HTTP_USER_AGENT']
222
- @request_uri = if request.respond_to?(:original_url)
223
- # rails 3.1+
224
- request.original_url
225
- else
226
- # rails 2/3.0
227
- request.url
228
- end
258
+ def build_directive(key)
259
+ "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
229
260
  end
230
261
  end
231
262
  end
@@ -0,0 +1,95 @@
1
+ module SecureHeaders
2
+ class PublicKeyPinsBuildError < StandardError; end
3
+ class PublicKeyPins < Header
4
+ module Constants
5
+ HPKP_HEADER_NAME = "Public-Key-Pins"
6
+ ENV_KEY = 'secure_headers.public_key_pins'
7
+ HASH_ALGORITHMS = [:sha256]
8
+ DIRECTIVES = [:max_age]
9
+ end
10
+ class << self
11
+ def symbol_to_hyphen_case sym
12
+ sym.to_s.gsub('_', '-')
13
+ end
14
+ end
15
+ include Constants
16
+
17
+ def initialize(config=nil)
18
+ @config = validate_config(config)
19
+
20
+ @pins = @config.fetch(:pins, nil)
21
+ @report_uri = @config.fetch(:report_uri, nil)
22
+ @app_name = @config.fetch(:app_name, nil)
23
+ @enforce = !!@config.fetch(:enforce, nil)
24
+ @include_subdomains = !!@config.fetch(:include_subdomains, nil)
25
+ @tag_report_uri = !!@config.fetch(:tag_report_uri, nil)
26
+ end
27
+
28
+ def name
29
+ base = HPKP_HEADER_NAME
30
+ if !@enforce
31
+ base += "-Report-Only"
32
+ end
33
+ base
34
+ end
35
+
36
+ def value
37
+ header_value = [
38
+ generic_directives,
39
+ pin_directives,
40
+ report_uri_directive,
41
+ subdomain_directive
42
+ ].compact.join('; ').strip
43
+ end
44
+
45
+ def validate_config(config)
46
+ raise PublicKeyPinsBuildError.new("config must be a hash.") unless config.is_a? Hash
47
+
48
+ if !config[:max_age]
49
+ raise PublicKeyPinsBuildError.new("max-age is a required directive.")
50
+ elsif config[:max_age].to_s !~ /\A\d+\z/
51
+ raise PublicKeyPinsBuildError.new("max-age must be a number.
52
+ #{config[:max_age]} was supplied.")
53
+ elsif config[:pins] && config[:pins].length < 2
54
+ raise PublicKeyPinsBuildError.new("A minimum of 2 pins are required.")
55
+ end
56
+
57
+ config
58
+ end
59
+
60
+ def pin_directives
61
+ return nil if @pins.nil?
62
+ @pins.collect do |pin|
63
+ pin.map do |token, hash|
64
+ "pin-#{token}=\"#{hash}\"" if HASH_ALGORITHMS.include?(token)
65
+ end
66
+ end.join('; ')
67
+ end
68
+
69
+ def generic_directives
70
+ DIRECTIVES.collect do |directive_name|
71
+ build_directive(directive_name) if @config[directive_name]
72
+ end.join('; ')
73
+ end
74
+
75
+ def build_directive(key)
76
+ "#{self.class.symbol_to_hyphen_case(key)}=#{@config[key]}"
77
+ end
78
+
79
+ def report_uri_directive
80
+ return nil if @report_uri.nil?
81
+
82
+ if @tag_report_uri
83
+ @report_uri = "#{@report_uri}?enforce=#{@enforce}"
84
+ @report_uri += "&app_name=#{@app_name}" if @app_name
85
+ end
86
+
87
+ "report-uri=\"#{@report_uri}\""
88
+ end
89
+
90
+
91
+ def subdomain_directive
92
+ @include_subdomains ? 'includeSubDomains' : nil
93
+ end
94
+ end
95
+ end
@@ -6,7 +6,7 @@ module SecureHeaders
6
6
  HSTS_HEADER_NAME = 'Strict-Transport-Security'
7
7
  HSTS_MAX_AGE = "631138519"
8
8
  DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
9
- VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
9
+ VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
10
10
  MESSAGE = "The config value supplied for the HSTS header was invalid."
11
11
  end
12
12
  include Constants
@@ -31,6 +31,7 @@ module SecureHeaders
31
31
  max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
32
32
  value = "max-age=" + max_age.to_s
33
33
  value += "; includeSubdomains" if @config[:include_subdomains]
34
+ value += "; preload" if @config[:preload]
34
35
 
35
36
  value
36
37
  end
@@ -0,0 +1,39 @@
1
+ module SecureHeaders
2
+ class XDOBuildError < StandardError; end
3
+ class XDownloadOptions < Header
4
+ module Constants
5
+ XDO_HEADER_NAME = "X-Download-Options"
6
+ DEFAULT_VALUE = 'noopen'
7
+ end
8
+ include Constants
9
+
10
+ def initialize(config = nil)
11
+ @config = config
12
+ validate_config unless @config.nil?
13
+ end
14
+
15
+ def name
16
+ XDO_HEADER_NAME
17
+ end
18
+
19
+ def value
20
+ case @config
21
+ when NilClass
22
+ DEFAULT_VALUE
23
+ when String
24
+ @config
25
+ else
26
+ @config[:value]
27
+ end
28
+ end
29
+
30
+ private
31
+
32
+ def validate_config
33
+ value = @config.is_a?(Hash) ? @config[:value] : @config
34
+ unless value.casecmp(DEFAULT_VALUE) == 0
35
+ raise XDOBuildError.new("Value can only be nil or 'noopen'")
36
+ end
37
+ end
38
+ end
39
+ end
@@ -0,0 +1,40 @@
1
+ module SecureHeaders
2
+ class XPCDPBuildError < StandardError; end
3
+ class XPermittedCrossDomainPolicies < Header
4
+ module Constants
5
+ XPCDP_HEADER_NAME = "X-Permitted-Cross-Domain-Policies"
6
+ DEFAULT_VALUE = 'none'
7
+ VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
8
+ end
9
+ include Constants
10
+
11
+ def initialize(config = nil)
12
+ @config = config
13
+ validate_config unless @config.nil?
14
+ end
15
+
16
+ def name
17
+ XPCDP_HEADER_NAME
18
+ end
19
+
20
+ def value
21
+ case @config
22
+ when NilClass
23
+ DEFAULT_VALUE
24
+ when String
25
+ @config
26
+ else
27
+ @config[:value]
28
+ end
29
+ end
30
+
31
+ private
32
+
33
+ def validate_config
34
+ value = @config.is_a?(Hash) ? @config[:value] : @config
35
+ unless VALID_POLICIES.include?(value.downcase)
36
+ raise XPCDPBuildError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
37
+ end
38
+ end
39
+ end
40
+ end
@@ -4,7 +4,7 @@ module SecureHeaders
4
4
  module Constants
5
5
  X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
6
6
  DEFAULT_VALUE = "1"
7
- VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
7
+ VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
8
8
  end
9
9
  include Constants
10
10
 
@@ -26,6 +26,7 @@ module SecureHeaders
26
26
  else
27
27
  value = @config[:value].to_s
28
28
  value += "; mode=#{@config[:mode]}" if @config[:mode]
29
+ value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
29
30
  value
30
31
  end
31
32
  end
@@ -0,0 +1,14 @@
1
+ module SecureHeaders
2
+ module Padrino
3
+ class << self
4
+ ##
5
+ # Main class that register this extension.
6
+ #
7
+ def registered(app)
8
+ app.extend SecureHeaders::ClassMethods
9
+ app.helpers SecureHeaders::InstanceMethods
10
+ end
11
+ alias :included :registered
12
+ end
13
+ end
14
+ end