secure_headers 1.3.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.travis.yml +0 -3
- data/Gemfile +2 -3
- data/HISTORY.md +35 -0
- data/README.md +19 -1
- data/app/controllers/content_security_policy_controller.rb +1 -0
- data/fixtures/rails_3_2_12/Gemfile +0 -6
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +0 -3
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -7
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
- data/lib/secure_headers/headers/content_security_policy.rb +19 -5
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/railtie.rb +6 -2
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +9 -2
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -0
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
- data/spec/lib/secure_headers_spec.rb +28 -2
- data/spec/spec_helper.rb +1 -0
- metadata +12 -36
- checksums.yaml +0 -15
- data/Guardfile +0 -6
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
data/.travis.yml
CHANGED
data/Gemfile
CHANGED
|
@@ -6,9 +6,8 @@ group :test do
|
|
|
6
6
|
gem 'rails', '3.2.12'
|
|
7
7
|
gem 'sqlite3', :platform => [:ruby, :mswin, :mingw]
|
|
8
8
|
gem 'jdbc-sqlite3', :platform => :jruby
|
|
9
|
-
gem 'rspec-rails'
|
|
10
|
-
gem 'rspec'
|
|
11
|
-
gem 'guard-rspec', :platform => :ruby_19
|
|
9
|
+
gem 'rspec-rails', '>= 3.1'
|
|
10
|
+
gem 'rspec', '>= 3.1'
|
|
12
11
|
gem 'growl'
|
|
13
12
|
gem 'rb-fsevent'
|
|
14
13
|
gem 'debugger', :platform => :ruby_19
|
data/HISTORY.md
CHANGED
|
@@ -1,3 +1,38 @@
|
|
|
1
|
+
1.3.4
|
|
2
|
+
======
|
|
3
|
+
|
|
4
|
+
* Adds X-Download-Options support
|
|
5
|
+
* Adds support for X-XSS-Protection reporting
|
|
6
|
+
* Defers loading of rails engine for faster boot times
|
|
7
|
+
|
|
8
|
+
1.3.3
|
|
9
|
+
======
|
|
10
|
+
|
|
11
|
+
@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
|
|
12
|
+
|
|
13
|
+
This just adds a new 'preload' option to the HSTS settings to specify that option.
|
|
14
|
+
|
|
15
|
+
1.3.2
|
|
16
|
+
======
|
|
17
|
+
|
|
18
|
+
Adds the ability to "tag" requests and a new config value: :app_name
|
|
19
|
+
|
|
20
|
+
{
|
|
21
|
+
:tag_report_uri => true,
|
|
22
|
+
:enforce => true,
|
|
23
|
+
:app_name => 'twitter',
|
|
24
|
+
:report_uri => 'csp_reports'
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
Results in
|
|
28
|
+
report-uri csp_reports?enforce=true&app_name=twitter
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
1.3.1
|
|
32
|
+
======
|
|
33
|
+
|
|
34
|
+
Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
|
|
35
|
+
|
|
1
36
|
1.3.0
|
|
2
37
|
======
|
|
3
38
|
|
data/README.md
CHANGED
|
@@ -197,6 +197,24 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
|
197
197
|
"default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
|
|
198
198
|
```
|
|
199
199
|
|
|
200
|
+
### Tagging Requests
|
|
201
|
+
|
|
202
|
+
It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
|
|
203
|
+
|
|
204
|
+
```ruby
|
|
205
|
+
{
|
|
206
|
+
:tag_report_uri => true,
|
|
207
|
+
:enforce => true,
|
|
208
|
+
:app_name => 'twitter',
|
|
209
|
+
:report_uri => 'csp_reports'
|
|
210
|
+
}
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
Results in
|
|
214
|
+
```
|
|
215
|
+
report-uri csp_reports?enforce=true&app_name=twitter
|
|
216
|
+
```
|
|
217
|
+
|
|
200
218
|
### CSP Level 2 features
|
|
201
219
|
|
|
202
220
|
script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.
|
|
@@ -350,6 +368,6 @@ end
|
|
|
350
368
|
|
|
351
369
|
## License
|
|
352
370
|
|
|
353
|
-
Copyright 2013 Twitter, Inc.
|
|
371
|
+
Copyright 2013-2014 Twitter, Inc and other contributors.
|
|
354
372
|
|
|
355
373
|
Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
|
|
@@ -5,6 +5,7 @@ class ContentSecurityPolicyController < ActionController::Base
|
|
|
5
5
|
CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
|
|
6
6
|
|
|
7
7
|
def scribe
|
|
8
|
+
warn "[DEPRECATION] ContentSecurityPolicyController is removed in 2.0"
|
|
8
9
|
csp = ::SecureHeaders::Configuration.csp || {}
|
|
9
10
|
|
|
10
11
|
forward_endpoint = csp[:forward_endpoint]
|
|
@@ -1,12 +1,6 @@
|
|
|
1
1
|
source 'https://rubygems.org'
|
|
2
2
|
|
|
3
3
|
gem 'rails', '3.2.12'
|
|
4
|
-
gem 'sqlite3'
|
|
5
4
|
gem 'rspec-rails', '>= 2.0.0'
|
|
6
5
|
gem 'secure_headers', :path => '../..'
|
|
7
|
-
gem 'debugger', :platform => :ruby_19
|
|
8
|
-
gem 'ruby-debug', :platform => :ruby_18
|
|
9
|
-
gem 'guard-rspec'
|
|
10
|
-
gem 'rb-fsevent'
|
|
11
|
-
gem 'growl'
|
|
12
6
|
|
|
@@ -1,21 +1 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
<table>
|
|
4
|
-
<tr>
|
|
5
|
-
<th></th>
|
|
6
|
-
<th></th>
|
|
7
|
-
<th></th>
|
|
8
|
-
</tr>
|
|
9
|
-
|
|
10
|
-
<% @things.each do |thing| %>
|
|
11
|
-
<tr>
|
|
12
|
-
<td><%= link_to 'Show', thing %></td>
|
|
13
|
-
<td><%= link_to 'Edit', edit_thing_path(thing) %></td>
|
|
14
|
-
<td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
|
|
15
|
-
</tr>
|
|
16
|
-
<% end %>
|
|
17
|
-
</table>
|
|
18
|
-
|
|
19
|
-
<br />
|
|
20
|
-
|
|
21
|
-
<%= link_to 'New Thing', new_thing_path %>
|
|
1
|
+
things
|
|
@@ -1,68 +1,14 @@
|
|
|
1
1
|
require File.expand_path('../boot', __FILE__)
|
|
2
2
|
|
|
3
|
-
# Pick the frameworks you want:
|
|
4
|
-
require "active_record/railtie"
|
|
5
3
|
require "action_controller/railtie"
|
|
6
|
-
require "action_mailer/railtie"
|
|
7
|
-
require "active_resource/railtie"
|
|
8
4
|
require "sprockets/railtie"
|
|
9
|
-
# require "rails/test_unit/railtie"
|
|
10
5
|
|
|
11
6
|
if defined?(Bundler)
|
|
12
|
-
# If you precompile assets before deploying to production, use this line
|
|
13
7
|
Bundler.require(*Rails.groups(:assets => %w(development test)))
|
|
14
|
-
# If you want your assets lazily compiled in production, use this line
|
|
15
|
-
# Bundler.require(:default, :assets, Rails.env)
|
|
16
8
|
end
|
|
17
9
|
|
|
18
10
|
module Rails3212
|
|
19
11
|
class Application < Rails::Application
|
|
20
|
-
# Settings in config/environments/* take precedence over those specified here.
|
|
21
|
-
# Application configuration should go into files in config/initializers
|
|
22
|
-
# -- all .rb files in that directory are automatically loaded.
|
|
23
12
|
|
|
24
|
-
# Custom directories with classes and modules you want to be autoloadable.
|
|
25
|
-
# config.autoload_paths += %W(#{config.root}/extras)
|
|
26
|
-
|
|
27
|
-
# Only load the plugins named here, in the order given (default is alphabetical).
|
|
28
|
-
# :all can be used as a placeholder for all plugins not explicitly named.
|
|
29
|
-
# config.plugins = [ :exception_notification, :ssl_requirement, :all ]
|
|
30
|
-
|
|
31
|
-
# Activate observers that should always be running.
|
|
32
|
-
# config.active_record.observers = :cacher, :garbage_collector, :forum_observer
|
|
33
|
-
|
|
34
|
-
# Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
|
|
35
|
-
# Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
|
|
36
|
-
# config.time_zone = 'Central Time (US & Canada)'
|
|
37
|
-
|
|
38
|
-
# The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
|
|
39
|
-
# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
|
|
40
|
-
# config.i18n.default_locale = :de
|
|
41
|
-
|
|
42
|
-
# Configure the default encoding used in templates for Ruby 1.9.
|
|
43
|
-
config.encoding = "utf-8"
|
|
44
|
-
|
|
45
|
-
# Configure sensitive parameters which will be filtered from the log file.
|
|
46
|
-
config.filter_parameters += [:password]
|
|
47
|
-
|
|
48
|
-
# Enable escaping HTML in JSON.
|
|
49
|
-
config.active_support.escape_html_entities_in_json = true
|
|
50
|
-
|
|
51
|
-
# Use SQL instead of Active Record's schema dumper when creating the database.
|
|
52
|
-
# This is necessary if your schema can't be completely dumped by the schema dumper,
|
|
53
|
-
# like if you have constraints or database-specific column types
|
|
54
|
-
# config.active_record.schema_format = :sql
|
|
55
|
-
|
|
56
|
-
# Enforce whitelist mode for mass assignment.
|
|
57
|
-
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
|
58
|
-
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
|
59
|
-
# parameters by using an attr_accessible or attr_protected declaration.
|
|
60
|
-
config.active_record.whitelist_attributes = true
|
|
61
|
-
|
|
62
|
-
# Enable the asset pipeline
|
|
63
|
-
config.assets.enabled = true
|
|
64
|
-
|
|
65
|
-
# Version of your assets, change this if you want to expire all your assets
|
|
66
|
-
config.assets.version = '1.0'
|
|
67
13
|
end
|
|
68
14
|
end
|
|
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
|
|
|
27
27
|
# Tell Action Mailer not to deliver emails to the real world.
|
|
28
28
|
# The :test delivery method accumulates sent emails in the
|
|
29
29
|
# ActionMailer::Base.deliveries array.
|
|
30
|
-
config.action_mailer.delivery_method = :test
|
|
30
|
+
# config.action_mailer.delivery_method = :test
|
|
31
31
|
|
|
32
32
|
# Raise exception on mass assignment protection for Active Record models
|
|
33
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
33
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
|
34
34
|
|
|
35
35
|
# Print deprecation notices to the stderr
|
|
36
36
|
config.active_support.deprecation = :stderr
|
|
@@ -1,61 +1,4 @@
|
|
|
1
1
|
Rails3212::Application.routes.draw do
|
|
2
2
|
resources :things
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
# The priority is based upon order of creation:
|
|
6
|
-
# first created -> highest priority.
|
|
7
|
-
|
|
8
|
-
# Sample of regular route:
|
|
9
|
-
# match 'products/:id' => 'catalog#view'
|
|
10
|
-
# Keep in mind you can assign values other than :controller and :action
|
|
11
|
-
|
|
12
|
-
# Sample of named route:
|
|
13
|
-
# match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
|
|
14
|
-
# This route can be invoked with purchase_url(:id => product.id)
|
|
15
|
-
|
|
16
|
-
# Sample resource route (maps HTTP verbs to controller actions automatically):
|
|
17
|
-
# resources :products
|
|
18
|
-
|
|
19
|
-
# Sample resource route with options:
|
|
20
|
-
# resources :products do
|
|
21
|
-
# member do
|
|
22
|
-
# get 'short'
|
|
23
|
-
# post 'toggle'
|
|
24
|
-
# end
|
|
25
|
-
#
|
|
26
|
-
# collection do
|
|
27
|
-
# get 'sold'
|
|
28
|
-
# end
|
|
29
|
-
# end
|
|
30
|
-
|
|
31
|
-
# Sample resource route with sub-resources:
|
|
32
|
-
# resources :products do
|
|
33
|
-
# resources :comments, :sales
|
|
34
|
-
# resource :seller
|
|
35
|
-
# end
|
|
36
|
-
|
|
37
|
-
# Sample resource route with more complex sub-resources
|
|
38
|
-
# resources :products do
|
|
39
|
-
# resources :comments
|
|
40
|
-
# resources :sales do
|
|
41
|
-
# get 'recent', :on => :collection
|
|
42
|
-
# end
|
|
43
|
-
# end
|
|
44
|
-
|
|
45
|
-
# Sample resource route within a namespace:
|
|
46
|
-
# namespace :admin do
|
|
47
|
-
# # Directs /admin/products/* to Admin::ProductsController
|
|
48
|
-
# # (app/controllers/admin/products_controller.rb)
|
|
49
|
-
# resources :products
|
|
50
|
-
# end
|
|
51
|
-
|
|
52
|
-
# You can have the root of your site routed with "root"
|
|
53
|
-
# just remember to delete public/index.html.
|
|
54
|
-
# root :to => 'welcome#index'
|
|
55
|
-
|
|
56
|
-
# See how all your routes lay out with "rake routes"
|
|
57
|
-
|
|
58
|
-
# This is a legacy wild controller route that's not recommended for RESTful applications.
|
|
59
|
-
# Note: This route will make all actions in every controller accessible via GET requests.
|
|
60
3
|
match ':controller(/:action(/:id))(.:format)'
|
|
61
4
|
end
|
|
@@ -25,6 +25,11 @@ describe OtherThingsController, :type => :controller do
|
|
|
25
25
|
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
26
26
|
end
|
|
27
27
|
|
|
28
|
+
it "sets the X-Download-Options header" do
|
|
29
|
+
get :index
|
|
30
|
+
expect(response.headers['X-Download-Options']).to eq('noopen')
|
|
31
|
+
end
|
|
32
|
+
|
|
28
33
|
it "sets the X-Content-Type-Options header" do
|
|
29
34
|
get :index
|
|
30
35
|
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
@@ -28,6 +28,11 @@ describe ThingsController, :type => :controller do
|
|
|
28
28
|
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
+
it "sets the X-Download-Options header" do
|
|
32
|
+
get :index
|
|
33
|
+
expect(response.headers['X-Download-Options']).to eq('noopen')
|
|
34
|
+
end
|
|
35
|
+
|
|
31
36
|
it "sets the X-Content-Type-Options header" do
|
|
32
37
|
get :index
|
|
33
38
|
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
|
@@ -1,12 +1,5 @@
|
|
|
1
1
|
source 'https://rubygems.org'
|
|
2
2
|
|
|
3
3
|
gem 'rails', '3.2.12'
|
|
4
|
-
gem 'sqlite3'
|
|
5
4
|
gem 'rspec-rails', '>= 2.0.0'
|
|
6
5
|
gem 'secure_headers', :path => '../..'
|
|
7
|
-
gem 'debugger', :platform => :ruby_19
|
|
8
|
-
gem 'ruby-debug', :platform => :ruby_18
|
|
9
|
-
gem 'guard-rspec'
|
|
10
|
-
gem 'rb-fsevent'
|
|
11
|
-
gem 'growl'
|
|
12
|
-
|
|
@@ -1,21 +0,0 @@
|
|
|
1
|
-
<h1>Listing things</h1>
|
|
2
|
-
|
|
3
|
-
<table>
|
|
4
|
-
<tr>
|
|
5
|
-
<th></th>
|
|
6
|
-
<th></th>
|
|
7
|
-
<th></th>
|
|
8
|
-
</tr>
|
|
9
|
-
|
|
10
|
-
<% @things.each do |thing| %>
|
|
11
|
-
<tr>
|
|
12
|
-
<td><%= link_to 'Show', thing %></td>
|
|
13
|
-
<td><%= link_to 'Edit', edit_thing_path(thing) %></td>
|
|
14
|
-
<td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
|
|
15
|
-
</tr>
|
|
16
|
-
<% end %>
|
|
17
|
-
</table>
|
|
18
|
-
|
|
19
|
-
<br />
|
|
20
|
-
|
|
21
|
-
<%= link_to 'New Thing', new_thing_path %>
|
|
@@ -1,12 +1,8 @@
|
|
|
1
1
|
require File.expand_path('../boot', __FILE__)
|
|
2
2
|
|
|
3
3
|
# Pick the frameworks you want:
|
|
4
|
-
require "active_record/railtie"
|
|
5
4
|
require "action_controller/railtie"
|
|
6
|
-
require "action_mailer/railtie"
|
|
7
|
-
require "active_resource/railtie"
|
|
8
5
|
require "sprockets/railtie"
|
|
9
|
-
# require "rails/test_unit/railtie"
|
|
10
6
|
|
|
11
7
|
if defined?(Bundler)
|
|
12
8
|
# If you precompile assets before deploying to production, use this line
|
|
@@ -17,52 +13,5 @@ end
|
|
|
17
13
|
|
|
18
14
|
module Rails3212
|
|
19
15
|
class Application < Rails::Application
|
|
20
|
-
# Settings in config/environments/* take precedence over those specified here.
|
|
21
|
-
# Application configuration should go into files in config/initializers
|
|
22
|
-
# -- all .rb files in that directory are automatically loaded.
|
|
23
|
-
|
|
24
|
-
# Custom directories with classes and modules you want to be autoloadable.
|
|
25
|
-
# config.autoload_paths += %W(#{config.root}/extras)
|
|
26
|
-
|
|
27
|
-
# Only load the plugins named here, in the order given (default is alphabetical).
|
|
28
|
-
# :all can be used as a placeholder for all plugins not explicitly named.
|
|
29
|
-
# config.plugins = [ :exception_notification, :ssl_requirement, :all ]
|
|
30
|
-
|
|
31
|
-
# Activate observers that should always be running.
|
|
32
|
-
# config.active_record.observers = :cacher, :garbage_collector, :forum_observer
|
|
33
|
-
|
|
34
|
-
# Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
|
|
35
|
-
# Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
|
|
36
|
-
# config.time_zone = 'Central Time (US & Canada)'
|
|
37
|
-
|
|
38
|
-
# The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
|
|
39
|
-
# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
|
|
40
|
-
# config.i18n.default_locale = :de
|
|
41
|
-
|
|
42
|
-
# Configure the default encoding used in templates for Ruby 1.9.
|
|
43
|
-
config.encoding = "utf-8"
|
|
44
|
-
|
|
45
|
-
# Configure sensitive parameters which will be filtered from the log file.
|
|
46
|
-
config.filter_parameters += [:password]
|
|
47
|
-
|
|
48
|
-
# Enable escaping HTML in JSON.
|
|
49
|
-
config.active_support.escape_html_entities_in_json = true
|
|
50
|
-
|
|
51
|
-
# Use SQL instead of Active Record's schema dumper when creating the database.
|
|
52
|
-
# This is necessary if your schema can't be completely dumped by the schema dumper,
|
|
53
|
-
# like if you have constraints or database-specific column types
|
|
54
|
-
# config.active_record.schema_format = :sql
|
|
55
|
-
|
|
56
|
-
# Enforce whitelist mode for mass assignment.
|
|
57
|
-
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
|
58
|
-
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
|
59
|
-
# parameters by using an attr_accessible or attr_protected declaration.
|
|
60
|
-
config.active_record.whitelist_attributes = true
|
|
61
|
-
|
|
62
|
-
# Enable the asset pipeline
|
|
63
|
-
config.assets.enabled = true
|
|
64
|
-
|
|
65
|
-
# Version of your assets, change this if you want to expire all your assets
|
|
66
|
-
config.assets.version = '1.0'
|
|
67
16
|
end
|
|
68
17
|
end
|
|
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
|
|
|
27
27
|
# Tell Action Mailer not to deliver emails to the real world.
|
|
28
28
|
# The :test delivery method accumulates sent emails in the
|
|
29
29
|
# ActionMailer::Base.deliveries array.
|
|
30
|
-
config.action_mailer.delivery_method = :test
|
|
30
|
+
# config.action_mailer.delivery_method = :test
|
|
31
31
|
|
|
32
32
|
# Raise exception on mass assignment protection for Active Record models
|
|
33
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
33
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
|
34
34
|
|
|
35
35
|
# Print deprecation notices to the stderr
|
|
36
36
|
config.active_support.deprecation = :stderr
|
|
@@ -1,61 +1,4 @@
|
|
|
1
1
|
Rails3212::Application.routes.draw do
|
|
2
2
|
resources :things
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
# The priority is based upon order of creation:
|
|
6
|
-
# first created -> highest priority.
|
|
7
|
-
|
|
8
|
-
# Sample of regular route:
|
|
9
|
-
# match 'products/:id' => 'catalog#view'
|
|
10
|
-
# Keep in mind you can assign values other than :controller and :action
|
|
11
|
-
|
|
12
|
-
# Sample of named route:
|
|
13
|
-
# match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
|
|
14
|
-
# This route can be invoked with purchase_url(:id => product.id)
|
|
15
|
-
|
|
16
|
-
# Sample resource route (maps HTTP verbs to controller actions automatically):
|
|
17
|
-
# resources :products
|
|
18
|
-
|
|
19
|
-
# Sample resource route with options:
|
|
20
|
-
# resources :products do
|
|
21
|
-
# member do
|
|
22
|
-
# get 'short'
|
|
23
|
-
# post 'toggle'
|
|
24
|
-
# end
|
|
25
|
-
#
|
|
26
|
-
# collection do
|
|
27
|
-
# get 'sold'
|
|
28
|
-
# end
|
|
29
|
-
# end
|
|
30
|
-
|
|
31
|
-
# Sample resource route with sub-resources:
|
|
32
|
-
# resources :products do
|
|
33
|
-
# resources :comments, :sales
|
|
34
|
-
# resource :seller
|
|
35
|
-
# end
|
|
36
|
-
|
|
37
|
-
# Sample resource route with more complex sub-resources
|
|
38
|
-
# resources :products do
|
|
39
|
-
# resources :comments
|
|
40
|
-
# resources :sales do
|
|
41
|
-
# get 'recent', :on => :collection
|
|
42
|
-
# end
|
|
43
|
-
# end
|
|
44
|
-
|
|
45
|
-
# Sample resource route within a namespace:
|
|
46
|
-
# namespace :admin do
|
|
47
|
-
# # Directs /admin/products/* to Admin::ProductsController
|
|
48
|
-
# # (app/controllers/admin/products_controller.rb)
|
|
49
|
-
# resources :products
|
|
50
|
-
# end
|
|
51
|
-
|
|
52
|
-
# You can have the root of your site routed with "root"
|
|
53
|
-
# just remember to delete public/index.html.
|
|
54
|
-
# root :to => 'welcome#index'
|
|
55
|
-
|
|
56
|
-
# See how all your routes lay out with "rake routes"
|
|
57
|
-
|
|
58
|
-
# This is a legacy wild controller route that's not recommended for RESTful applications.
|
|
59
|
-
# Note: This route will make all actions in every controller accessible via GET requests.
|
|
60
3
|
match ':controller(/:action(/:id))(.:format)'
|
|
61
4
|
end
|
|
@@ -24,6 +24,11 @@ describe OtherThingsController, :type => :controller do
|
|
|
24
24
|
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
+
it "sets the X-Download-Options header" do
|
|
28
|
+
get :index
|
|
29
|
+
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
30
|
+
end
|
|
31
|
+
|
|
27
32
|
it "sets the X-Content-Type-Options header" do
|
|
28
33
|
get :index
|
|
29
34
|
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
@@ -28,6 +28,11 @@ describe ThingsController, :type => :controller do
|
|
|
28
28
|
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
+
it "sets the X-Download-Options header" do
|
|
32
|
+
get :index
|
|
33
|
+
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
34
|
+
end
|
|
35
|
+
|
|
31
36
|
it "sets the X-Content-Type-Options header" do
|
|
32
37
|
get :index
|
|
33
38
|
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
@@ -30,6 +30,7 @@ module SecureHeaders
|
|
|
30
30
|
# :report used to determine what :ssl_request, :ua, and :request_uri are set to
|
|
31
31
|
def initialize(config=nil, options={})
|
|
32
32
|
@experimental = !!options.delete(:experimental)
|
|
33
|
+
warn "[DEPRECATION] 'experimental' config is removed in 2.0"
|
|
33
34
|
@controller = options.delete(:controller)
|
|
34
35
|
|
|
35
36
|
if options[:request]
|
|
@@ -60,9 +61,9 @@ module SecureHeaders
|
|
|
60
61
|
@config.merge!(experimental_config)
|
|
61
62
|
end
|
|
62
63
|
|
|
63
|
-
#
|
|
64
|
-
# lambdas because it's an ugly api that's showing it's age.
|
|
64
|
+
# these values don't support lambdas because this needs to be rewritten
|
|
65
65
|
@http_additions = @config.delete(:http_additions)
|
|
66
|
+
@app_name = @config.delete(:app_name)
|
|
66
67
|
|
|
67
68
|
normalize_csp_options
|
|
68
69
|
|
|
@@ -70,7 +71,9 @@ module SecureHeaders
|
|
|
70
71
|
self.send("#{meta}=", @config.delete(meta))
|
|
71
72
|
end
|
|
72
73
|
|
|
73
|
-
@enforce =
|
|
74
|
+
@enforce = !!@config.delete(:enforce)
|
|
75
|
+
@tag_report_uri = @config.delete(:tag_report_uri)
|
|
76
|
+
|
|
74
77
|
normalize_reporting_endpoint
|
|
75
78
|
fill_directives unless disable_fill_missing?
|
|
76
79
|
end
|
|
@@ -169,16 +172,27 @@ module SecureHeaders
|
|
|
169
172
|
end
|
|
170
173
|
|
|
171
174
|
if forward_endpoint
|
|
175
|
+
warn "[DEPRECATION] forwarder is removed in 2.0"
|
|
172
176
|
@report_uri = FF_CSP_ENDPOINT
|
|
173
177
|
end
|
|
174
178
|
end
|
|
179
|
+
|
|
180
|
+
if @tag_report_uri
|
|
181
|
+
@report_uri = "#{@report_uri}?enforce=#{@enforce}"
|
|
182
|
+
@report_uri += "&app_name=#{@app_name}" if @app_name
|
|
183
|
+
end
|
|
175
184
|
end
|
|
176
185
|
|
|
177
186
|
def same_origin?
|
|
178
187
|
return unless report_uri && request_uri
|
|
179
188
|
|
|
180
|
-
|
|
181
|
-
|
|
189
|
+
begin
|
|
190
|
+
origin = URI.parse(request_uri)
|
|
191
|
+
uri = URI.parse(report_uri)
|
|
192
|
+
rescue URI::InvalidURIError
|
|
193
|
+
return false
|
|
194
|
+
end
|
|
195
|
+
|
|
182
196
|
uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
|
|
183
197
|
end
|
|
184
198
|
|
|
@@ -6,7 +6,7 @@ module SecureHeaders
|
|
|
6
6
|
HSTS_HEADER_NAME = 'Strict-Transport-Security'
|
|
7
7
|
HSTS_MAX_AGE = "631138519"
|
|
8
8
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
|
9
|
-
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
|
|
9
|
+
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
|
10
10
|
MESSAGE = "The config value supplied for the HSTS header was invalid."
|
|
11
11
|
end
|
|
12
12
|
include Constants
|
|
@@ -31,6 +31,7 @@ module SecureHeaders
|
|
|
31
31
|
max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
|
|
32
32
|
value = "max-age=" + max_age.to_s
|
|
33
33
|
value += "; includeSubdomains" if @config[:include_subdomains]
|
|
34
|
+
value += "; preload" if @config[:preload]
|
|
34
35
|
|
|
35
36
|
value
|
|
36
37
|
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
class XDOBuildError < StandardError; end
|
|
3
|
+
class XDownloadOptions < Header
|
|
4
|
+
module Constants
|
|
5
|
+
XDO_HEADER_NAME = "X-Download-Options"
|
|
6
|
+
DEFAULT_VALUE = 'noopen'
|
|
7
|
+
end
|
|
8
|
+
include Constants
|
|
9
|
+
|
|
10
|
+
def initialize(config = nil)
|
|
11
|
+
@config = config
|
|
12
|
+
validate_config unless @config.nil?
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def name
|
|
16
|
+
XDO_HEADER_NAME
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def value
|
|
20
|
+
case @config
|
|
21
|
+
when NilClass
|
|
22
|
+
DEFAULT_VALUE
|
|
23
|
+
when String
|
|
24
|
+
@config
|
|
25
|
+
else
|
|
26
|
+
@config[:value]
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
private
|
|
31
|
+
|
|
32
|
+
def validate_config
|
|
33
|
+
value = @config.is_a?(Hash) ? @config[:value] : @config
|
|
34
|
+
unless value.casecmp(DEFAULT_VALUE) == 0
|
|
35
|
+
raise XDOBuildError.new("Value can only be nil or 'noopen'")
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|