secure_headers 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (69) hide show
  1. data/.travis.yml +0 -3
  2. data/Gemfile +2 -3
  3. data/HISTORY.md +35 -0
  4. data/README.md +19 -1
  5. data/app/controllers/content_security_policy_controller.rb +1 -0
  6. data/fixtures/rails_3_2_12/Gemfile +0 -6
  7. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  8. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +0 -3
  9. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  10. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  11. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  12. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  13. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +5 -0
  14. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +5 -0
  15. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -7
  16. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  17. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  18. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  19. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  20. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  21. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  22. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
  23. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
  24. data/lib/secure_headers/headers/content_security_policy.rb +19 -5
  25. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  26. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  27. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  28. data/lib/secure_headers/railtie.rb +6 -2
  29. data/lib/secure_headers/version.rb +1 -1
  30. data/lib/secure_headers.rb +9 -2
  31. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -0
  32. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
  33. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  34. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
  35. data/spec/lib/secure_headers_spec.rb +28 -2
  36. data/spec/spec_helper.rb +1 -0
  37. metadata +12 -36
  38. checksums.yaml +0 -15
  39. data/Guardfile +0 -6
  40. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  41. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  42. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  43. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  44. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  45. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  46. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  47. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  48. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  49. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  50. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  51. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  52. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  53. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  54. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  55. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  56. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  57. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  58. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  59. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  60. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  61. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  62. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  63. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  64. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  65. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  66. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  67. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  68. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  69. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
@@ -4,7 +4,7 @@ module SecureHeaders
4
4
  module Constants
5
5
  X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
6
6
  DEFAULT_VALUE = "1"
7
- VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
7
+ VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
8
8
  end
9
9
  include Constants
10
10
 
@@ -26,6 +26,7 @@ module SecureHeaders
26
26
  else
27
27
  value = @config[:value].to_s
28
28
  value += "; mode=#{@config[:mode]}" if @config[:mode]
29
+ value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
29
30
  value
30
31
  end
31
32
  end
@@ -3,7 +3,11 @@ if defined?(Rails::Railtie)
3
3
  module SecureHeaders
4
4
  class Railtie < Rails::Engine
5
5
  isolate_namespace ::SecureHeaders if defined? isolate_namespace # rails 3.0
6
- ActionController::Base.send :include, ::SecureHeaders
6
+ initializer "secure_headers.action_controller" do
7
+ ActiveSupport.on_load(:action_controller) do
8
+ include ::SecureHeaders
9
+ end
10
+ end
7
11
  end
8
12
  end
9
13
  else
@@ -34,4 +38,4 @@ else
34
38
  if defined? ActionController::Routing
35
39
  ActionController::Routing::RouteSet::Mapper.send :include, ::SecureHeaders::Routing::MapperExtensions
36
40
  end
37
- end
41
+ end
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "1.3.0"
2
+ VERSION = "1.4.0"
3
3
  end
@@ -2,7 +2,7 @@ module SecureHeaders
2
2
  module Configuration
3
3
  class << self
4
4
  attr_accessor :hsts, :x_frame_options, :x_content_type_options,
5
- :x_xss_protection, :csp
5
+ :x_xss_protection, :csp, :x_download_options
6
6
 
7
7
  def configure &block
8
8
  instance_eval &block
@@ -38,6 +38,7 @@ module SecureHeaders
38
38
  before_filter :set_csp_header
39
39
  before_filter :set_x_xss_protection_header
40
40
  before_filter :set_x_content_type_options_header
41
+ before_filter :set_x_download_options_header
41
42
  end
42
43
 
43
44
  # we can't use ||= because I'm overloading false => disable, nil => default
@@ -55,6 +56,7 @@ module SecureHeaders
55
56
  set_x_frame_options_header(options[:x_frame_options])
56
57
  set_x_xss_protection_header(options[:x_xss_protection])
57
58
  set_x_content_type_options_header(options[:x_content_type_options])
59
+ set_x_download_options_header(options[:x_download_options])
58
60
  end
59
61
 
60
62
  # backwards compatibility jank, to be removed in 1.0. Old API required a request
@@ -99,6 +101,10 @@ module SecureHeaders
99
101
  set_a_header(:hsts, StrictTransportSecurity, options)
100
102
  end
101
103
 
104
+ def set_x_download_options_header(options=self.class.secure_headers_options[:x_download_options])
105
+ set_a_header(:x_download_options, XDownloadOptions, options)
106
+ end
107
+
102
108
  private
103
109
 
104
110
  def set_a_header(name, klass, options=nil)
@@ -120,7 +126,7 @@ module SecureHeaders
120
126
  end
121
127
  end
122
128
 
123
-
129
+ require "securerandom"
124
130
  require "secure_headers/version"
125
131
  require "secure_headers/header"
126
132
  require "secure_headers/headers/content_security_policy"
@@ -128,4 +134,5 @@ require "secure_headers/headers/x_frame_options"
128
134
  require "secure_headers/headers/strict_transport_security"
129
135
  require "secure_headers/headers/x_xss_protection"
130
136
  require "secure_headers/headers/x_content_type_options"
137
+ require "secure_headers/headers/x_download_options"
131
138
  require "secure_headers/railtie"
@@ -79,6 +79,18 @@ module SecureHeaders
79
79
  expect(csp.value).to include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none'")
80
80
  end
81
81
 
82
+ it "adds a @enforce and @app_name variables to the report uri" do
83
+ opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => 'twitter')
84
+ csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
85
+ expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
86
+ end
87
+
88
+ it "does not add an empty @app_name variable to the report uri" do
89
+ opts = @opts.merge(:tag_report_uri => true, :enforce => true)
90
+ csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
91
+ expect(csp.value).to include("/csp_report?enforce=true")
92
+ end
93
+
82
94
  it "accepts procs for report-uris" do
83
95
  opts = {
84
96
  :default_src => 'self',
@@ -10,6 +10,7 @@ module SecureHeaders
10
10
  specify { expect(StrictTransportSecurity.new(:max_age => '1234').value).to eq("max-age=1234")}
11
11
  specify { expect(StrictTransportSecurity.new(:max_age => 1234).value).to eq("max-age=1234")}
12
12
  specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains")}
13
+ specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")}
13
14
 
14
15
  context "with an invalid configuration" do
15
16
  context "with a hash argument" do
@@ -0,0 +1,32 @@
1
+ module SecureHeaders
2
+ describe XDownloadOptions do
3
+ specify { expect(XDownloadOptions.new.name).to eq(XDO_HEADER_NAME)}
4
+ specify { expect(XDownloadOptions.new.value).to eq("noopen")}
5
+ specify { expect(XDownloadOptions.new('noopen').value).to eq('noopen')}
6
+ specify { expect(XDownloadOptions.new(:value => 'noopen').value).to eq('noopen') }
7
+
8
+ context "invalid configuration values" do
9
+ it "accepts noopen" do
10
+ expect {
11
+ XDownloadOptions.new("noopen")
12
+ }.not_to raise_error
13
+
14
+ expect {
15
+ XDownloadOptions.new(:value => "noopen")
16
+ }.not_to raise_error
17
+ end
18
+
19
+ it "accepts nil" do
20
+ expect {
21
+ XDownloadOptions.new
22
+ }.not_to raise_error
23
+ end
24
+
25
+ it "doesn't accept anything besides noopen" do
26
+ expect {
27
+ XContentTypeOptions.new("open")
28
+ }.to raise_error
29
+ end
30
+ end
31
+ end
32
+ end
@@ -4,6 +4,7 @@ module SecureHeaders
4
4
  specify { expect(XXssProtection.new.value).to eq("1")}
5
5
  specify { expect(XXssProtection.new("0").value).to eq("0")}
6
6
  specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
7
+ specify { expect(XXssProtection.new(:value => 1, :mode => 'block', :report_uri => 'https://www.secure.com/reports').value).to eq('1; mode=block; report=https://www.secure.com/reports') }
7
8
 
8
9
  context "with invalid configuration" do
9
10
  it "should raise an error when providing a string that is not valid" do
@@ -50,4 +51,4 @@ module SecureHeaders
50
51
 
51
52
  end
52
53
  end
53
- end
54
+ end
@@ -54,6 +54,7 @@ describe SecureHeaders do
54
54
  config.x_content_type_options = nil
55
55
  config.x_xss_protection = nil
56
56
  config.csp = nil
57
+ config.x_download_options = nil
57
58
  end
58
59
  end
59
60
 
@@ -63,12 +64,13 @@ describe SecureHeaders do
63
64
  subject.set_x_frame_options_header
64
65
  subject.set_x_content_type_options_header
65
66
  subject.set_x_xss_protection_header
67
+ subject.set_x_download_options_header
66
68
  end
67
69
 
68
70
  describe "#ensure_security_headers" do
69
71
  it "sets a before filter" do
70
72
  options = {}
71
- expect(DummyClass).to receive(:before_filter).exactly(5).times
73
+ expect(DummyClass).to receive(:before_filter).exactly(6).times
72
74
  DummyClass.ensure_security_headers(options)
73
75
  end
74
76
  end
@@ -92,13 +94,14 @@ describe SecureHeaders do
92
94
  USER_AGENTS.each do |name, useragent|
93
95
  it "sets all default headers for #{name} (smoke test)" do
94
96
  stub_user_agent(useragent)
95
- number_of_headers = 5
97
+ number_of_headers = 6
96
98
  expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
97
99
  subject.set_csp_header
98
100
  subject.set_x_frame_options_header
99
101
  subject.set_hsts_header
100
102
  subject.set_x_xss_protection_header
101
103
  subject.set_x_content_type_options_header
104
+ subject.set_x_download_options_header
102
105
  end
103
106
  end
104
107
 
@@ -113,6 +116,11 @@ describe SecureHeaders do
113
116
  subject.set_x_xss_protection_header(false)
114
117
  end
115
118
 
119
+ it "does not set the X-Download-Options header if disabled" do
120
+ should_not_assign_header(XDO_HEADER_NAME)
121
+ subject.set_x_download_options_header(false)
122
+ end
123
+
116
124
  it "does not set the X-Frame-Options header if disabled" do
117
125
  should_not_assign_header(XFO_HEADER_NAME)
118
126
  subject.set_x_frame_options_header(false)
@@ -143,6 +151,7 @@ describe SecureHeaders do
143
151
  config.x_content_type_options = false
144
152
  config.x_xss_protection = false
145
153
  config.csp = false
154
+ config.x_download_options = false
146
155
  end
147
156
  expect(subject).not_to receive(:set_header)
148
157
  set_security_headers(subject)
@@ -163,6 +172,18 @@ describe SecureHeaders do
163
172
  end
164
173
  end
165
174
 
175
+ describe "#set_x_download_options_header" do
176
+ it "sets the X-Download-Options header" do
177
+ should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
178
+ subject.set_x_download_options_header
179
+ end
180
+
181
+ it "allows a custom X-Download-Options header" do
182
+ should_assign_header(XDO_HEADER_NAME, "noopen")
183
+ subject.set_x_download_options_header(:value => 'noopen')
184
+ end
185
+ end
186
+
166
187
  describe "#set_strict_transport_security" do
167
188
  it "sets the Strict-Transport-Security header" do
168
189
  should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
@@ -178,6 +199,11 @@ describe SecureHeaders do
178
199
  should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
179
200
  subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
180
201
  end
202
+
203
+ it "allows you to specify preload" do
204
+ should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
205
+ subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
206
+ end
181
207
  end
182
208
 
183
209
  describe "#set_x_xss_protection" do
data/spec/spec_helper.rb CHANGED
@@ -8,3 +8,4 @@ include ::SecureHeaders::ContentSecurityPolicy::Constants
8
8
  include ::SecureHeaders::XFrameOptions::Constants
9
9
  include ::SecureHeaders::XXssProtection::Constants
10
10
  include ::SecureHeaders::XContentTypeOptions::Constants
11
+ include ::SecureHeaders::XDownloadOptions::Constants
metadata CHANGED
@@ -1,18 +1,20 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.0
4
+ version: 1.4.0
5
+ prerelease:
5
6
  platform: ruby
6
7
  authors:
7
8
  - Neil Matatall
8
9
  autorequire:
9
10
  bindir: bin
10
11
  cert_chain: []
11
- date: 2014-08-09 00:00:00.000000000 Z
12
+ date: 2014-12-06 00:00:00.000000000 Z
12
13
  dependencies:
13
14
  - !ruby/object:Gem::Dependency
14
15
  name: rake
15
16
  requirement: !ruby/object:Gem::Requirement
17
+ none: false
16
18
  requirements:
17
19
  - - ! '>='
18
20
  - !ruby/object:Gem::Version
@@ -20,6 +22,7 @@ dependencies:
20
22
  type: :development
21
23
  prerelease: false
22
24
  version_requirements: !ruby/object:Gem::Requirement
25
+ none: false
23
26
  requirements:
24
27
  - - ! '>='
25
28
  - !ruby/object:Gem::Version
@@ -36,7 +39,6 @@ files:
36
39
  - .ruby-version
37
40
  - .travis.yml
38
41
  - Gemfile
39
- - Guardfile
40
42
  - HISTORY.md
41
43
  - LICENSE
42
44
  - README.md
@@ -52,29 +54,16 @@ files:
52
54
  - fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
53
55
  - fixtures/rails_3_2_12/app/controllers/things_controller.rb
54
56
  - fixtures/rails_3_2_12/app/models/.gitkeep
55
- - fixtures/rails_3_2_12/app/models/thing.rb
56
57
  - fixtures/rails_3_2_12/app/views/layouts/application.html.erb
57
58
  - fixtures/rails_3_2_12/app/views/other_things/index.html.erb
58
59
  - fixtures/rails_3_2_12/app/views/things/index.html.erb
59
60
  - fixtures/rails_3_2_12/config.ru
60
61
  - fixtures/rails_3_2_12/config/application.rb
61
62
  - fixtures/rails_3_2_12/config/boot.rb
62
- - fixtures/rails_3_2_12/config/database.yml
63
63
  - fixtures/rails_3_2_12/config/environment.rb
64
- - fixtures/rails_3_2_12/config/environments/development.rb
65
- - fixtures/rails_3_2_12/config/environments/production.rb
66
64
  - fixtures/rails_3_2_12/config/environments/test.rb
67
- - fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
68
- - fixtures/rails_3_2_12/config/initializers/inflections.rb
69
- - fixtures/rails_3_2_12/config/initializers/mime_types.rb
70
- - fixtures/rails_3_2_12/config/initializers/secret_token.rb
71
65
  - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
72
- - fixtures/rails_3_2_12/config/initializers/session_store.rb
73
- - fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
74
- - fixtures/rails_3_2_12/config/locales/en.yml
75
66
  - fixtures/rails_3_2_12/config/routes.rb
76
- - fixtures/rails_3_2_12/db/schema.rb
77
- - fixtures/rails_3_2_12/db/seeds.rb
78
67
  - fixtures/rails_3_2_12/lib/assets/.gitkeep
79
68
  - fixtures/rails_3_2_12/lib/tasks/.gitkeep
80
69
  - fixtures/rails_3_2_12/log/.gitkeep
@@ -92,32 +81,15 @@ files:
92
81
  - fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
93
82
  - fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
94
83
  - fixtures/rails_3_2_12_no_init/app/models/.gitkeep
95
- - fixtures/rails_3_2_12_no_init/app/models/thing.rb
96
84
  - fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
97
85
  - fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
98
- - fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
99
- - fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
100
86
  - fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
101
- - fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
102
- - fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
103
87
  - fixtures/rails_3_2_12_no_init/config.ru
104
88
  - fixtures/rails_3_2_12_no_init/config/application.rb
105
89
  - fixtures/rails_3_2_12_no_init/config/boot.rb
106
- - fixtures/rails_3_2_12_no_init/config/database.yml
107
90
  - fixtures/rails_3_2_12_no_init/config/environment.rb
108
- - fixtures/rails_3_2_12_no_init/config/environments/development.rb
109
- - fixtures/rails_3_2_12_no_init/config/environments/production.rb
110
91
  - fixtures/rails_3_2_12_no_init/config/environments/test.rb
111
- - fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
112
- - fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
113
- - fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
114
- - fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
115
- - fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
116
- - fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
117
- - fixtures/rails_3_2_12_no_init/config/locales/en.yml
118
92
  - fixtures/rails_3_2_12_no_init/config/routes.rb
119
- - fixtures/rails_3_2_12_no_init/db/schema.rb
120
- - fixtures/rails_3_2_12_no_init/db/seeds.rb
121
93
  - fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
122
94
  - fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
123
95
  - fixtures/rails_3_2_12_no_init/log/.gitkeep
@@ -132,6 +104,7 @@ files:
132
104
  - lib/secure_headers/headers/content_security_policy.rb
133
105
  - lib/secure_headers/headers/strict_transport_security.rb
134
106
  - lib/secure_headers/headers/x_content_type_options.rb
107
+ - lib/secure_headers/headers/x_download_options.rb
135
108
  - lib/secure_headers/headers/x_frame_options.rb
136
109
  - lib/secure_headers/headers/x_xss_protection.rb
137
110
  - lib/secure_headers/padrino.rb
@@ -142,6 +115,7 @@ files:
142
115
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
143
116
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
144
117
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
118
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
145
119
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
146
120
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
147
121
  - spec/lib/secure_headers_spec.rb
@@ -150,26 +124,27 @@ files:
150
124
  homepage: https://github.com/twitter/secureheaders
151
125
  licenses:
152
126
  - Apache Public License 2.0
153
- metadata: {}
154
127
  post_install_message:
155
128
  rdoc_options: []
156
129
  require_paths:
157
130
  - lib
158
131
  required_ruby_version: !ruby/object:Gem::Requirement
132
+ none: false
159
133
  requirements:
160
134
  - - ! '>='
161
135
  - !ruby/object:Gem::Version
162
136
  version: '0'
163
137
  required_rubygems_version: !ruby/object:Gem::Requirement
138
+ none: false
164
139
  requirements:
165
140
  - - ! '>='
166
141
  - !ruby/object:Gem::Version
167
142
  version: '0'
168
143
  requirements: []
169
144
  rubyforge_project:
170
- rubygems_version: 2.1.1
145
+ rubygems_version: 1.8.23
171
146
  signing_key:
172
- specification_version: 4
147
+ specification_version: 3
173
148
  summary: Add easily configured browser headers to responses including content security
174
149
  policy, x-frame-options, strict-transport-security and more.
175
150
  test_files:
@@ -177,6 +152,7 @@ test_files:
177
152
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
178
153
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
179
154
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
155
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
180
156
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
181
157
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
182
158
  - spec/lib/secure_headers_spec.rb
checksums.yaml DELETED
@@ -1,15 +0,0 @@
1
- ---
2
- !binary "U0hBMQ==":
3
- metadata.gz: !binary |-
4
- NTdiMjdmYmVhNzk2MWQ3YmEwNDNjOWQ0YmZhZDZkNTAyNDlmYmQ1ZQ==
5
- data.tar.gz: !binary |-
6
- ZTIyYjBjNmM5ZTU5YzRhZjU4MjdmNTcwNDAzMjMyZjJlOTFjOWYxMA==
7
- SHA512:
8
- metadata.gz: !binary |-
9
- NzRjM2QwM2IwZjIyZDMzYzY3OWE2MGVmZTEyNjU3MmQwMzhiODcxYjRlZDlh
10
- ODFmMmExNzgxNDkzN2U5YWFiNGFjYWMwYjUxNGNiMmJiOWM4ZTA0ZmY3Y2Mz
11
- MjFlMTRlNzdiMGQ0MDY5NTM1YTkyNGMxOGJjMDRmMjkyZTIyMjA=
12
- data.tar.gz: !binary |-
13
- N2I3MzExNWM5MGFjZDI3YjBjMDlkNjgyNWUyODcyZGU3N2NmMjVjZTZkMWVi
14
- Y2FiYmI4YjY3NzRkYzM3NWNkNjE0MGE4ZWMwMjhlMGJhYTI0NmIwYmY4MGFi
15
- YjlhNjdkMTQ1YWQ0NTYwNGJiZmMxMzA3MjlkNmMyMDgyZjhlY2E=
data/Guardfile DELETED
@@ -1,6 +0,0 @@
1
- guard 'rspec' do
2
- watch(%r{^spec/.+_spec\.rb$})
3
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
4
- watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
5
- watch('spec/spec_helper.rb') { "spec" }
6
- end
@@ -1,3 +0,0 @@
1
- class Thing < ActiveRecord::Base
2
- # attr_accessible :title, :body
3
- end
@@ -1,25 +0,0 @@
1
- # SQLite version 3.x
2
- # gem install sqlite3
3
- #
4
- # Ensure the SQLite 3 gem is defined in your Gemfile
5
- # gem 'sqlite3'
6
- development:
7
- adapter: sqlite3
8
- database: db/development.sqlite3
9
- pool: 5
10
- timeout: 5000
11
-
12
- # Warning: The database defined as "test" will be erased and
13
- # re-generated from your development database when you run "rake".
14
- # Do not set this db to the same as development or production.
15
- test:
16
- adapter: sqlite3
17
- database: db/test.sqlite3
18
- pool: 5
19
- timeout: 5000
20
-
21
- production:
22
- adapter: sqlite3
23
- database: db/production.sqlite3
24
- pool: 5
25
- timeout: 5000
@@ -1,37 +0,0 @@
1
- Rails3212::Application.configure do
2
- # Settings specified here will take precedence over those in config/application.rb
3
-
4
- # In the development environment your application's code is reloaded on
5
- # every request. This slows down response time but is perfect for development
6
- # since you don't have to restart the web server when you make code changes.
7
- config.cache_classes = false
8
-
9
- # Log error messages when you accidentally call methods on nil.
10
- config.whiny_nils = true
11
-
12
- # Show full error reports and disable caching
13
- config.consider_all_requests_local = true
14
- config.action_controller.perform_caching = false
15
-
16
- # Don't care if the mailer can't send
17
- config.action_mailer.raise_delivery_errors = false
18
-
19
- # Print deprecation notices to the Rails logger
20
- config.active_support.deprecation = :log
21
-
22
- # Only use best-standards-support built into browsers
23
- config.action_dispatch.best_standards_support = :builtin
24
-
25
- # Raise exception on mass assignment protection for Active Record models
26
- config.active_record.mass_assignment_sanitizer = :strict
27
-
28
- # Log the query plan for queries taking more than this (works
29
- # with SQLite, MySQL, and PostgreSQL)
30
- config.active_record.auto_explain_threshold_in_seconds = 0.5
31
-
32
- # Do not compress assets
33
- config.assets.compress = false
34
-
35
- # Expands the lines which load the assets
36
- config.assets.debug = true
37
- end
@@ -1,67 +0,0 @@
1
- Rails3212::Application.configure do
2
- # Settings specified here will take precedence over those in config/application.rb
3
-
4
- # Code is not reloaded between requests
5
- config.cache_classes = true
6
-
7
- # Full error reports are disabled and caching is turned on
8
- config.consider_all_requests_local = false
9
- config.action_controller.perform_caching = true
10
-
11
- # Disable Rails's static asset server (Apache or nginx will already do this)
12
- config.serve_static_assets = false
13
-
14
- # Compress JavaScripts and CSS
15
- config.assets.compress = true
16
-
17
- # Don't fallback to assets pipeline if a precompiled asset is missed
18
- config.assets.compile = false
19
-
20
- # Generate digests for assets URLs
21
- config.assets.digest = true
22
-
23
- # Defaults to nil and saved in location specified by config.assets.prefix
24
- # config.assets.manifest = YOUR_PATH
25
-
26
- # Specifies the header that your server uses for sending files
27
- # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
28
- # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
29
-
30
- # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
31
- # config.force_ssl = true
32
-
33
- # See everything in the log (default is :info)
34
- # config.log_level = :debug
35
-
36
- # Prepend all log lines with the following tags
37
- # config.log_tags = [ :subdomain, :uuid ]
38
-
39
- # Use a different logger for distributed setups
40
- # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
41
-
42
- # Use a different cache store in production
43
- # config.cache_store = :mem_cache_store
44
-
45
- # Enable serving of images, stylesheets, and JavaScripts from an asset server
46
- # config.action_controller.asset_host = "http://assets.example.com"
47
-
48
- # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
49
- # config.assets.precompile += %w( search.js )
50
-
51
- # Disable delivery errors, bad email addresses will be ignored
52
- # config.action_mailer.raise_delivery_errors = false
53
-
54
- # Enable threaded mode
55
- # config.threadsafe!
56
-
57
- # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
58
- # the I18n.default_locale when a translation can not be found)
59
- config.i18n.fallbacks = true
60
-
61
- # Send deprecation notices to registered listeners
62
- config.active_support.deprecation = :notify
63
-
64
- # Log the query plan for queries taking more than this (works
65
- # with SQLite, MySQL, and PostgreSQL)
66
- # config.active_record.auto_explain_threshold_in_seconds = 0.5
67
- end
@@ -1,7 +0,0 @@
1
- # Be sure to restart your server when you modify this file.
2
-
3
- # You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
4
- # Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
5
-
6
- # You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
7
- # Rails.backtrace_cleaner.remove_silencers!
@@ -1,15 +0,0 @@
1
- # Be sure to restart your server when you modify this file.
2
-
3
- # Add new inflection rules using the following format
4
- # (all these examples are active by default):
5
- # ActiveSupport::Inflector.inflections do |inflect|
6
- # inflect.plural /^(ox)$/i, '\1en'
7
- # inflect.singular /^(ox)en/i, '\1'
8
- # inflect.irregular 'person', 'people'
9
- # inflect.uncountable %w( fish sheep )
10
- # end
11
- #
12
- # These inflection rules are supported but not enabled by default:
13
- # ActiveSupport::Inflector.inflections do |inflect|
14
- # inflect.acronym 'RESTful'
15
- # end
@@ -1,5 +0,0 @@
1
- # Be sure to restart your server when you modify this file.
2
-
3
- # Add new mime types for use in respond_to blocks:
4
- # Mime::Type.register "text/richtext", :rtf
5
- # Mime::Type.register_alias "text/html", :iphone
@@ -1,7 +0,0 @@
1
- # Be sure to restart your server when you modify this file.
2
-
3
- # Your secret key for verifying the integrity of signed cookies.
4
- # If you change this key, all old signed cookies will become invalid!
5
- # Make sure the secret is at least 30 characters and all random,
6
- # no regular words or you'll be exposed to dictionary attacks.
7
- Rails3212::Application.config.secret_token = '8dd5aabfbd49f9bce1c5b7dee79d7349cb869f54984ead01f7a272e6f75a58413f621733855906dc9cc249b9486d95583519096d92e77b910f82ba4a90326db7'
@@ -1,8 +0,0 @@
1
- # Be sure to restart your server when you modify this file.
2
-
3
- Rails3212::Application.config.session_store :cookie_store, :key => '_rails_3_2_12_session'
4
-
5
- # Use the database for sessions instead of the cookie-based default,
6
- # which shouldn't be used to store highly confidential information
7
- # (create the session table with "rails generate session_migration")
8
- # Rails3212::Application.config.session_store :active_record_store
@@ -1,14 +0,0 @@
1
- # Be sure to restart your server when you modify this file.
2
- #
3
- # This file contains settings for ActionController::ParamsWrapper which
4
- # is enabled by default.
5
-
6
- # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
7
- ActiveSupport.on_load(:action_controller) do
8
- wrap_parameters :format => [:json]
9
- end
10
-
11
- # Disable root element in JSON by default.
12
- ActiveSupport.on_load(:active_record) do
13
- self.include_root_in_json = false
14
- end
@@ -1,5 +0,0 @@
1
- # Sample localization file for English. Add more files in this directory for other locales.
2
- # See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
3
-
4
- en:
5
- hello: "Hello world"