secure_headers 1.3.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.travis.yml +0 -3
- data/Gemfile +2 -3
- data/HISTORY.md +35 -0
- data/README.md +19 -1
- data/app/controllers/content_security_policy_controller.rb +1 -0
- data/fixtures/rails_3_2_12/Gemfile +0 -6
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +0 -3
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -7
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
- data/lib/secure_headers/headers/content_security_policy.rb +19 -5
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/railtie.rb +6 -2
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +9 -2
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -0
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
- data/spec/lib/secure_headers_spec.rb +28 -2
- data/spec/spec_helper.rb +1 -0
- metadata +12 -36
- checksums.yaml +0 -15
- data/Guardfile +0 -6
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
|
@@ -4,7 +4,7 @@ module SecureHeaders
|
|
|
4
4
|
module Constants
|
|
5
5
|
X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
|
|
6
6
|
DEFAULT_VALUE = "1"
|
|
7
|
-
VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
|
|
7
|
+
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
|
|
8
8
|
end
|
|
9
9
|
include Constants
|
|
10
10
|
|
|
@@ -26,6 +26,7 @@ module SecureHeaders
|
|
|
26
26
|
else
|
|
27
27
|
value = @config[:value].to_s
|
|
28
28
|
value += "; mode=#{@config[:mode]}" if @config[:mode]
|
|
29
|
+
value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
|
|
29
30
|
value
|
|
30
31
|
end
|
|
31
32
|
end
|
|
@@ -3,7 +3,11 @@ if defined?(Rails::Railtie)
|
|
|
3
3
|
module SecureHeaders
|
|
4
4
|
class Railtie < Rails::Engine
|
|
5
5
|
isolate_namespace ::SecureHeaders if defined? isolate_namespace # rails 3.0
|
|
6
|
-
|
|
6
|
+
initializer "secure_headers.action_controller" do
|
|
7
|
+
ActiveSupport.on_load(:action_controller) do
|
|
8
|
+
include ::SecureHeaders
|
|
9
|
+
end
|
|
10
|
+
end
|
|
7
11
|
end
|
|
8
12
|
end
|
|
9
13
|
else
|
|
@@ -34,4 +38,4 @@ else
|
|
|
34
38
|
if defined? ActionController::Routing
|
|
35
39
|
ActionController::Routing::RouteSet::Mapper.send :include, ::SecureHeaders::Routing::MapperExtensions
|
|
36
40
|
end
|
|
37
|
-
end
|
|
41
|
+
end
|
data/lib/secure_headers.rb
CHANGED
|
@@ -2,7 +2,7 @@ module SecureHeaders
|
|
|
2
2
|
module Configuration
|
|
3
3
|
class << self
|
|
4
4
|
attr_accessor :hsts, :x_frame_options, :x_content_type_options,
|
|
5
|
-
:x_xss_protection, :csp
|
|
5
|
+
:x_xss_protection, :csp, :x_download_options
|
|
6
6
|
|
|
7
7
|
def configure &block
|
|
8
8
|
instance_eval &block
|
|
@@ -38,6 +38,7 @@ module SecureHeaders
|
|
|
38
38
|
before_filter :set_csp_header
|
|
39
39
|
before_filter :set_x_xss_protection_header
|
|
40
40
|
before_filter :set_x_content_type_options_header
|
|
41
|
+
before_filter :set_x_download_options_header
|
|
41
42
|
end
|
|
42
43
|
|
|
43
44
|
# we can't use ||= because I'm overloading false => disable, nil => default
|
|
@@ -55,6 +56,7 @@ module SecureHeaders
|
|
|
55
56
|
set_x_frame_options_header(options[:x_frame_options])
|
|
56
57
|
set_x_xss_protection_header(options[:x_xss_protection])
|
|
57
58
|
set_x_content_type_options_header(options[:x_content_type_options])
|
|
59
|
+
set_x_download_options_header(options[:x_download_options])
|
|
58
60
|
end
|
|
59
61
|
|
|
60
62
|
# backwards compatibility jank, to be removed in 1.0. Old API required a request
|
|
@@ -99,6 +101,10 @@ module SecureHeaders
|
|
|
99
101
|
set_a_header(:hsts, StrictTransportSecurity, options)
|
|
100
102
|
end
|
|
101
103
|
|
|
104
|
+
def set_x_download_options_header(options=self.class.secure_headers_options[:x_download_options])
|
|
105
|
+
set_a_header(:x_download_options, XDownloadOptions, options)
|
|
106
|
+
end
|
|
107
|
+
|
|
102
108
|
private
|
|
103
109
|
|
|
104
110
|
def set_a_header(name, klass, options=nil)
|
|
@@ -120,7 +126,7 @@ module SecureHeaders
|
|
|
120
126
|
end
|
|
121
127
|
end
|
|
122
128
|
|
|
123
|
-
|
|
129
|
+
require "securerandom"
|
|
124
130
|
require "secure_headers/version"
|
|
125
131
|
require "secure_headers/header"
|
|
126
132
|
require "secure_headers/headers/content_security_policy"
|
|
@@ -128,4 +134,5 @@ require "secure_headers/headers/x_frame_options"
|
|
|
128
134
|
require "secure_headers/headers/strict_transport_security"
|
|
129
135
|
require "secure_headers/headers/x_xss_protection"
|
|
130
136
|
require "secure_headers/headers/x_content_type_options"
|
|
137
|
+
require "secure_headers/headers/x_download_options"
|
|
131
138
|
require "secure_headers/railtie"
|
|
@@ -79,6 +79,18 @@ module SecureHeaders
|
|
|
79
79
|
expect(csp.value).to include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none'")
|
|
80
80
|
end
|
|
81
81
|
|
|
82
|
+
it "adds a @enforce and @app_name variables to the report uri" do
|
|
83
|
+
opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => 'twitter')
|
|
84
|
+
csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
|
|
85
|
+
expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
it "does not add an empty @app_name variable to the report uri" do
|
|
89
|
+
opts = @opts.merge(:tag_report_uri => true, :enforce => true)
|
|
90
|
+
csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
|
|
91
|
+
expect(csp.value).to include("/csp_report?enforce=true")
|
|
92
|
+
end
|
|
93
|
+
|
|
82
94
|
it "accepts procs for report-uris" do
|
|
83
95
|
opts = {
|
|
84
96
|
:default_src => 'self',
|
|
@@ -10,6 +10,7 @@ module SecureHeaders
|
|
|
10
10
|
specify { expect(StrictTransportSecurity.new(:max_age => '1234').value).to eq("max-age=1234")}
|
|
11
11
|
specify { expect(StrictTransportSecurity.new(:max_age => 1234).value).to eq("max-age=1234")}
|
|
12
12
|
specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains")}
|
|
13
|
+
specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")}
|
|
13
14
|
|
|
14
15
|
context "with an invalid configuration" do
|
|
15
16
|
context "with a hash argument" do
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
describe XDownloadOptions do
|
|
3
|
+
specify { expect(XDownloadOptions.new.name).to eq(XDO_HEADER_NAME)}
|
|
4
|
+
specify { expect(XDownloadOptions.new.value).to eq("noopen")}
|
|
5
|
+
specify { expect(XDownloadOptions.new('noopen').value).to eq('noopen')}
|
|
6
|
+
specify { expect(XDownloadOptions.new(:value => 'noopen').value).to eq('noopen') }
|
|
7
|
+
|
|
8
|
+
context "invalid configuration values" do
|
|
9
|
+
it "accepts noopen" do
|
|
10
|
+
expect {
|
|
11
|
+
XDownloadOptions.new("noopen")
|
|
12
|
+
}.not_to raise_error
|
|
13
|
+
|
|
14
|
+
expect {
|
|
15
|
+
XDownloadOptions.new(:value => "noopen")
|
|
16
|
+
}.not_to raise_error
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
it "accepts nil" do
|
|
20
|
+
expect {
|
|
21
|
+
XDownloadOptions.new
|
|
22
|
+
}.not_to raise_error
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
it "doesn't accept anything besides noopen" do
|
|
26
|
+
expect {
|
|
27
|
+
XContentTypeOptions.new("open")
|
|
28
|
+
}.to raise_error
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -4,6 +4,7 @@ module SecureHeaders
|
|
|
4
4
|
specify { expect(XXssProtection.new.value).to eq("1")}
|
|
5
5
|
specify { expect(XXssProtection.new("0").value).to eq("0")}
|
|
6
6
|
specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
|
|
7
|
+
specify { expect(XXssProtection.new(:value => 1, :mode => 'block', :report_uri => 'https://www.secure.com/reports').value).to eq('1; mode=block; report=https://www.secure.com/reports') }
|
|
7
8
|
|
|
8
9
|
context "with invalid configuration" do
|
|
9
10
|
it "should raise an error when providing a string that is not valid" do
|
|
@@ -50,4 +51,4 @@ module SecureHeaders
|
|
|
50
51
|
|
|
51
52
|
end
|
|
52
53
|
end
|
|
53
|
-
end
|
|
54
|
+
end
|
|
@@ -54,6 +54,7 @@ describe SecureHeaders do
|
|
|
54
54
|
config.x_content_type_options = nil
|
|
55
55
|
config.x_xss_protection = nil
|
|
56
56
|
config.csp = nil
|
|
57
|
+
config.x_download_options = nil
|
|
57
58
|
end
|
|
58
59
|
end
|
|
59
60
|
|
|
@@ -63,12 +64,13 @@ describe SecureHeaders do
|
|
|
63
64
|
subject.set_x_frame_options_header
|
|
64
65
|
subject.set_x_content_type_options_header
|
|
65
66
|
subject.set_x_xss_protection_header
|
|
67
|
+
subject.set_x_download_options_header
|
|
66
68
|
end
|
|
67
69
|
|
|
68
70
|
describe "#ensure_security_headers" do
|
|
69
71
|
it "sets a before filter" do
|
|
70
72
|
options = {}
|
|
71
|
-
expect(DummyClass).to receive(:before_filter).exactly(
|
|
73
|
+
expect(DummyClass).to receive(:before_filter).exactly(6).times
|
|
72
74
|
DummyClass.ensure_security_headers(options)
|
|
73
75
|
end
|
|
74
76
|
end
|
|
@@ -92,13 +94,14 @@ describe SecureHeaders do
|
|
|
92
94
|
USER_AGENTS.each do |name, useragent|
|
|
93
95
|
it "sets all default headers for #{name} (smoke test)" do
|
|
94
96
|
stub_user_agent(useragent)
|
|
95
|
-
number_of_headers =
|
|
97
|
+
number_of_headers = 6
|
|
96
98
|
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
|
97
99
|
subject.set_csp_header
|
|
98
100
|
subject.set_x_frame_options_header
|
|
99
101
|
subject.set_hsts_header
|
|
100
102
|
subject.set_x_xss_protection_header
|
|
101
103
|
subject.set_x_content_type_options_header
|
|
104
|
+
subject.set_x_download_options_header
|
|
102
105
|
end
|
|
103
106
|
end
|
|
104
107
|
|
|
@@ -113,6 +116,11 @@ describe SecureHeaders do
|
|
|
113
116
|
subject.set_x_xss_protection_header(false)
|
|
114
117
|
end
|
|
115
118
|
|
|
119
|
+
it "does not set the X-Download-Options header if disabled" do
|
|
120
|
+
should_not_assign_header(XDO_HEADER_NAME)
|
|
121
|
+
subject.set_x_download_options_header(false)
|
|
122
|
+
end
|
|
123
|
+
|
|
116
124
|
it "does not set the X-Frame-Options header if disabled" do
|
|
117
125
|
should_not_assign_header(XFO_HEADER_NAME)
|
|
118
126
|
subject.set_x_frame_options_header(false)
|
|
@@ -143,6 +151,7 @@ describe SecureHeaders do
|
|
|
143
151
|
config.x_content_type_options = false
|
|
144
152
|
config.x_xss_protection = false
|
|
145
153
|
config.csp = false
|
|
154
|
+
config.x_download_options = false
|
|
146
155
|
end
|
|
147
156
|
expect(subject).not_to receive(:set_header)
|
|
148
157
|
set_security_headers(subject)
|
|
@@ -163,6 +172,18 @@ describe SecureHeaders do
|
|
|
163
172
|
end
|
|
164
173
|
end
|
|
165
174
|
|
|
175
|
+
describe "#set_x_download_options_header" do
|
|
176
|
+
it "sets the X-Download-Options header" do
|
|
177
|
+
should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
178
|
+
subject.set_x_download_options_header
|
|
179
|
+
end
|
|
180
|
+
|
|
181
|
+
it "allows a custom X-Download-Options header" do
|
|
182
|
+
should_assign_header(XDO_HEADER_NAME, "noopen")
|
|
183
|
+
subject.set_x_download_options_header(:value => 'noopen')
|
|
184
|
+
end
|
|
185
|
+
end
|
|
186
|
+
|
|
166
187
|
describe "#set_strict_transport_security" do
|
|
167
188
|
it "sets the Strict-Transport-Security header" do
|
|
168
189
|
should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
@@ -178,6 +199,11 @@ describe SecureHeaders do
|
|
|
178
199
|
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
|
|
179
200
|
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
|
180
201
|
end
|
|
202
|
+
|
|
203
|
+
it "allows you to specify preload" do
|
|
204
|
+
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
|
|
205
|
+
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
|
|
206
|
+
end
|
|
181
207
|
end
|
|
182
208
|
|
|
183
209
|
describe "#set_x_xss_protection" do
|
data/spec/spec_helper.rb
CHANGED
|
@@ -8,3 +8,4 @@ include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
|
8
8
|
include ::SecureHeaders::XFrameOptions::Constants
|
|
9
9
|
include ::SecureHeaders::XXssProtection::Constants
|
|
10
10
|
include ::SecureHeaders::XContentTypeOptions::Constants
|
|
11
|
+
include ::SecureHeaders::XDownloadOptions::Constants
|
metadata
CHANGED
|
@@ -1,18 +1,20 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.0
|
|
5
|
+
prerelease:
|
|
5
6
|
platform: ruby
|
|
6
7
|
authors:
|
|
7
8
|
- Neil Matatall
|
|
8
9
|
autorequire:
|
|
9
10
|
bindir: bin
|
|
10
11
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
12
|
+
date: 2014-12-06 00:00:00.000000000 Z
|
|
12
13
|
dependencies:
|
|
13
14
|
- !ruby/object:Gem::Dependency
|
|
14
15
|
name: rake
|
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
+
none: false
|
|
16
18
|
requirements:
|
|
17
19
|
- - ! '>='
|
|
18
20
|
- !ruby/object:Gem::Version
|
|
@@ -20,6 +22,7 @@ dependencies:
|
|
|
20
22
|
type: :development
|
|
21
23
|
prerelease: false
|
|
22
24
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
+
none: false
|
|
23
26
|
requirements:
|
|
24
27
|
- - ! '>='
|
|
25
28
|
- !ruby/object:Gem::Version
|
|
@@ -36,7 +39,6 @@ files:
|
|
|
36
39
|
- .ruby-version
|
|
37
40
|
- .travis.yml
|
|
38
41
|
- Gemfile
|
|
39
|
-
- Guardfile
|
|
40
42
|
- HISTORY.md
|
|
41
43
|
- LICENSE
|
|
42
44
|
- README.md
|
|
@@ -52,29 +54,16 @@ files:
|
|
|
52
54
|
- fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
|
|
53
55
|
- fixtures/rails_3_2_12/app/controllers/things_controller.rb
|
|
54
56
|
- fixtures/rails_3_2_12/app/models/.gitkeep
|
|
55
|
-
- fixtures/rails_3_2_12/app/models/thing.rb
|
|
56
57
|
- fixtures/rails_3_2_12/app/views/layouts/application.html.erb
|
|
57
58
|
- fixtures/rails_3_2_12/app/views/other_things/index.html.erb
|
|
58
59
|
- fixtures/rails_3_2_12/app/views/things/index.html.erb
|
|
59
60
|
- fixtures/rails_3_2_12/config.ru
|
|
60
61
|
- fixtures/rails_3_2_12/config/application.rb
|
|
61
62
|
- fixtures/rails_3_2_12/config/boot.rb
|
|
62
|
-
- fixtures/rails_3_2_12/config/database.yml
|
|
63
63
|
- fixtures/rails_3_2_12/config/environment.rb
|
|
64
|
-
- fixtures/rails_3_2_12/config/environments/development.rb
|
|
65
|
-
- fixtures/rails_3_2_12/config/environments/production.rb
|
|
66
64
|
- fixtures/rails_3_2_12/config/environments/test.rb
|
|
67
|
-
- fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
|
|
68
|
-
- fixtures/rails_3_2_12/config/initializers/inflections.rb
|
|
69
|
-
- fixtures/rails_3_2_12/config/initializers/mime_types.rb
|
|
70
|
-
- fixtures/rails_3_2_12/config/initializers/secret_token.rb
|
|
71
65
|
- fixtures/rails_3_2_12/config/initializers/secure_headers.rb
|
|
72
|
-
- fixtures/rails_3_2_12/config/initializers/session_store.rb
|
|
73
|
-
- fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
|
|
74
|
-
- fixtures/rails_3_2_12/config/locales/en.yml
|
|
75
66
|
- fixtures/rails_3_2_12/config/routes.rb
|
|
76
|
-
- fixtures/rails_3_2_12/db/schema.rb
|
|
77
|
-
- fixtures/rails_3_2_12/db/seeds.rb
|
|
78
67
|
- fixtures/rails_3_2_12/lib/assets/.gitkeep
|
|
79
68
|
- fixtures/rails_3_2_12/lib/tasks/.gitkeep
|
|
80
69
|
- fixtures/rails_3_2_12/log/.gitkeep
|
|
@@ -92,32 +81,15 @@ files:
|
|
|
92
81
|
- fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
|
|
93
82
|
- fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
|
|
94
83
|
- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
|
|
95
|
-
- fixtures/rails_3_2_12_no_init/app/models/thing.rb
|
|
96
84
|
- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
|
|
97
85
|
- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
|
|
98
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
|
|
99
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
|
|
100
86
|
- fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
|
|
101
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
|
|
102
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
|
|
103
87
|
- fixtures/rails_3_2_12_no_init/config.ru
|
|
104
88
|
- fixtures/rails_3_2_12_no_init/config/application.rb
|
|
105
89
|
- fixtures/rails_3_2_12_no_init/config/boot.rb
|
|
106
|
-
- fixtures/rails_3_2_12_no_init/config/database.yml
|
|
107
90
|
- fixtures/rails_3_2_12_no_init/config/environment.rb
|
|
108
|
-
- fixtures/rails_3_2_12_no_init/config/environments/development.rb
|
|
109
|
-
- fixtures/rails_3_2_12_no_init/config/environments/production.rb
|
|
110
91
|
- fixtures/rails_3_2_12_no_init/config/environments/test.rb
|
|
111
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
|
|
112
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
|
|
113
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
|
|
114
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
|
|
115
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
|
|
116
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
|
|
117
|
-
- fixtures/rails_3_2_12_no_init/config/locales/en.yml
|
|
118
92
|
- fixtures/rails_3_2_12_no_init/config/routes.rb
|
|
119
|
-
- fixtures/rails_3_2_12_no_init/db/schema.rb
|
|
120
|
-
- fixtures/rails_3_2_12_no_init/db/seeds.rb
|
|
121
93
|
- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
|
|
122
94
|
- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
|
|
123
95
|
- fixtures/rails_3_2_12_no_init/log/.gitkeep
|
|
@@ -132,6 +104,7 @@ files:
|
|
|
132
104
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
133
105
|
- lib/secure_headers/headers/strict_transport_security.rb
|
|
134
106
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
107
|
+
- lib/secure_headers/headers/x_download_options.rb
|
|
135
108
|
- lib/secure_headers/headers/x_frame_options.rb
|
|
136
109
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
137
110
|
- lib/secure_headers/padrino.rb
|
|
@@ -142,6 +115,7 @@ files:
|
|
|
142
115
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
143
116
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
144
117
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
118
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
145
119
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
146
120
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
147
121
|
- spec/lib/secure_headers_spec.rb
|
|
@@ -150,26 +124,27 @@ files:
|
|
|
150
124
|
homepage: https://github.com/twitter/secureheaders
|
|
151
125
|
licenses:
|
|
152
126
|
- Apache Public License 2.0
|
|
153
|
-
metadata: {}
|
|
154
127
|
post_install_message:
|
|
155
128
|
rdoc_options: []
|
|
156
129
|
require_paths:
|
|
157
130
|
- lib
|
|
158
131
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
132
|
+
none: false
|
|
159
133
|
requirements:
|
|
160
134
|
- - ! '>='
|
|
161
135
|
- !ruby/object:Gem::Version
|
|
162
136
|
version: '0'
|
|
163
137
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
138
|
+
none: false
|
|
164
139
|
requirements:
|
|
165
140
|
- - ! '>='
|
|
166
141
|
- !ruby/object:Gem::Version
|
|
167
142
|
version: '0'
|
|
168
143
|
requirements: []
|
|
169
144
|
rubyforge_project:
|
|
170
|
-
rubygems_version:
|
|
145
|
+
rubygems_version: 1.8.23
|
|
171
146
|
signing_key:
|
|
172
|
-
specification_version:
|
|
147
|
+
specification_version: 3
|
|
173
148
|
summary: Add easily configured browser headers to responses including content security
|
|
174
149
|
policy, x-frame-options, strict-transport-security and more.
|
|
175
150
|
test_files:
|
|
@@ -177,6 +152,7 @@ test_files:
|
|
|
177
152
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
178
153
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
179
154
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
155
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
180
156
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
181
157
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
182
158
|
- spec/lib/secure_headers_spec.rb
|
checksums.yaml
DELETED
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
!binary "U0hBMQ==":
|
|
3
|
-
metadata.gz: !binary |-
|
|
4
|
-
NTdiMjdmYmVhNzk2MWQ3YmEwNDNjOWQ0YmZhZDZkNTAyNDlmYmQ1ZQ==
|
|
5
|
-
data.tar.gz: !binary |-
|
|
6
|
-
ZTIyYjBjNmM5ZTU5YzRhZjU4MjdmNTcwNDAzMjMyZjJlOTFjOWYxMA==
|
|
7
|
-
SHA512:
|
|
8
|
-
metadata.gz: !binary |-
|
|
9
|
-
NzRjM2QwM2IwZjIyZDMzYzY3OWE2MGVmZTEyNjU3MmQwMzhiODcxYjRlZDlh
|
|
10
|
-
ODFmMmExNzgxNDkzN2U5YWFiNGFjYWMwYjUxNGNiMmJiOWM4ZTA0ZmY3Y2Mz
|
|
11
|
-
MjFlMTRlNzdiMGQ0MDY5NTM1YTkyNGMxOGJjMDRmMjkyZTIyMjA=
|
|
12
|
-
data.tar.gz: !binary |-
|
|
13
|
-
N2I3MzExNWM5MGFjZDI3YjBjMDlkNjgyNWUyODcyZGU3N2NmMjVjZTZkMWVi
|
|
14
|
-
Y2FiYmI4YjY3NzRkYzM3NWNkNjE0MGE4ZWMwMjhlMGJhYTI0NmIwYmY4MGFi
|
|
15
|
-
YjlhNjdkMTQ1YWQ0NTYwNGJiZmMxMzA3MjlkNmMyMDgyZjhlY2E=
|
data/Guardfile
DELETED
|
@@ -1,25 +0,0 @@
|
|
|
1
|
-
# SQLite version 3.x
|
|
2
|
-
# gem install sqlite3
|
|
3
|
-
#
|
|
4
|
-
# Ensure the SQLite 3 gem is defined in your Gemfile
|
|
5
|
-
# gem 'sqlite3'
|
|
6
|
-
development:
|
|
7
|
-
adapter: sqlite3
|
|
8
|
-
database: db/development.sqlite3
|
|
9
|
-
pool: 5
|
|
10
|
-
timeout: 5000
|
|
11
|
-
|
|
12
|
-
# Warning: The database defined as "test" will be erased and
|
|
13
|
-
# re-generated from your development database when you run "rake".
|
|
14
|
-
# Do not set this db to the same as development or production.
|
|
15
|
-
test:
|
|
16
|
-
adapter: sqlite3
|
|
17
|
-
database: db/test.sqlite3
|
|
18
|
-
pool: 5
|
|
19
|
-
timeout: 5000
|
|
20
|
-
|
|
21
|
-
production:
|
|
22
|
-
adapter: sqlite3
|
|
23
|
-
database: db/production.sqlite3
|
|
24
|
-
pool: 5
|
|
25
|
-
timeout: 5000
|
|
@@ -1,37 +0,0 @@
|
|
|
1
|
-
Rails3212::Application.configure do
|
|
2
|
-
# Settings specified here will take precedence over those in config/application.rb
|
|
3
|
-
|
|
4
|
-
# In the development environment your application's code is reloaded on
|
|
5
|
-
# every request. This slows down response time but is perfect for development
|
|
6
|
-
# since you don't have to restart the web server when you make code changes.
|
|
7
|
-
config.cache_classes = false
|
|
8
|
-
|
|
9
|
-
# Log error messages when you accidentally call methods on nil.
|
|
10
|
-
config.whiny_nils = true
|
|
11
|
-
|
|
12
|
-
# Show full error reports and disable caching
|
|
13
|
-
config.consider_all_requests_local = true
|
|
14
|
-
config.action_controller.perform_caching = false
|
|
15
|
-
|
|
16
|
-
# Don't care if the mailer can't send
|
|
17
|
-
config.action_mailer.raise_delivery_errors = false
|
|
18
|
-
|
|
19
|
-
# Print deprecation notices to the Rails logger
|
|
20
|
-
config.active_support.deprecation = :log
|
|
21
|
-
|
|
22
|
-
# Only use best-standards-support built into browsers
|
|
23
|
-
config.action_dispatch.best_standards_support = :builtin
|
|
24
|
-
|
|
25
|
-
# Raise exception on mass assignment protection for Active Record models
|
|
26
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
|
27
|
-
|
|
28
|
-
# Log the query plan for queries taking more than this (works
|
|
29
|
-
# with SQLite, MySQL, and PostgreSQL)
|
|
30
|
-
config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
31
|
-
|
|
32
|
-
# Do not compress assets
|
|
33
|
-
config.assets.compress = false
|
|
34
|
-
|
|
35
|
-
# Expands the lines which load the assets
|
|
36
|
-
config.assets.debug = true
|
|
37
|
-
end
|
|
@@ -1,67 +0,0 @@
|
|
|
1
|
-
Rails3212::Application.configure do
|
|
2
|
-
# Settings specified here will take precedence over those in config/application.rb
|
|
3
|
-
|
|
4
|
-
# Code is not reloaded between requests
|
|
5
|
-
config.cache_classes = true
|
|
6
|
-
|
|
7
|
-
# Full error reports are disabled and caching is turned on
|
|
8
|
-
config.consider_all_requests_local = false
|
|
9
|
-
config.action_controller.perform_caching = true
|
|
10
|
-
|
|
11
|
-
# Disable Rails's static asset server (Apache or nginx will already do this)
|
|
12
|
-
config.serve_static_assets = false
|
|
13
|
-
|
|
14
|
-
# Compress JavaScripts and CSS
|
|
15
|
-
config.assets.compress = true
|
|
16
|
-
|
|
17
|
-
# Don't fallback to assets pipeline if a precompiled asset is missed
|
|
18
|
-
config.assets.compile = false
|
|
19
|
-
|
|
20
|
-
# Generate digests for assets URLs
|
|
21
|
-
config.assets.digest = true
|
|
22
|
-
|
|
23
|
-
# Defaults to nil and saved in location specified by config.assets.prefix
|
|
24
|
-
# config.assets.manifest = YOUR_PATH
|
|
25
|
-
|
|
26
|
-
# Specifies the header that your server uses for sending files
|
|
27
|
-
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
|
|
28
|
-
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
|
|
29
|
-
|
|
30
|
-
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
|
|
31
|
-
# config.force_ssl = true
|
|
32
|
-
|
|
33
|
-
# See everything in the log (default is :info)
|
|
34
|
-
# config.log_level = :debug
|
|
35
|
-
|
|
36
|
-
# Prepend all log lines with the following tags
|
|
37
|
-
# config.log_tags = [ :subdomain, :uuid ]
|
|
38
|
-
|
|
39
|
-
# Use a different logger for distributed setups
|
|
40
|
-
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
|
|
41
|
-
|
|
42
|
-
# Use a different cache store in production
|
|
43
|
-
# config.cache_store = :mem_cache_store
|
|
44
|
-
|
|
45
|
-
# Enable serving of images, stylesheets, and JavaScripts from an asset server
|
|
46
|
-
# config.action_controller.asset_host = "http://assets.example.com"
|
|
47
|
-
|
|
48
|
-
# Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
|
|
49
|
-
# config.assets.precompile += %w( search.js )
|
|
50
|
-
|
|
51
|
-
# Disable delivery errors, bad email addresses will be ignored
|
|
52
|
-
# config.action_mailer.raise_delivery_errors = false
|
|
53
|
-
|
|
54
|
-
# Enable threaded mode
|
|
55
|
-
# config.threadsafe!
|
|
56
|
-
|
|
57
|
-
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
|
|
58
|
-
# the I18n.default_locale when a translation can not be found)
|
|
59
|
-
config.i18n.fallbacks = true
|
|
60
|
-
|
|
61
|
-
# Send deprecation notices to registered listeners
|
|
62
|
-
config.active_support.deprecation = :notify
|
|
63
|
-
|
|
64
|
-
# Log the query plan for queries taking more than this (works
|
|
65
|
-
# with SQLite, MySQL, and PostgreSQL)
|
|
66
|
-
# config.active_record.auto_explain_threshold_in_seconds = 0.5
|
|
67
|
-
end
|
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
|
|
4
|
-
# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
|
|
5
|
-
|
|
6
|
-
# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
|
|
7
|
-
# Rails.backtrace_cleaner.remove_silencers!
|
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
# Add new inflection rules using the following format
|
|
4
|
-
# (all these examples are active by default):
|
|
5
|
-
# ActiveSupport::Inflector.inflections do |inflect|
|
|
6
|
-
# inflect.plural /^(ox)$/i, '\1en'
|
|
7
|
-
# inflect.singular /^(ox)en/i, '\1'
|
|
8
|
-
# inflect.irregular 'person', 'people'
|
|
9
|
-
# inflect.uncountable %w( fish sheep )
|
|
10
|
-
# end
|
|
11
|
-
#
|
|
12
|
-
# These inflection rules are supported but not enabled by default:
|
|
13
|
-
# ActiveSupport::Inflector.inflections do |inflect|
|
|
14
|
-
# inflect.acronym 'RESTful'
|
|
15
|
-
# end
|
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
# Your secret key for verifying the integrity of signed cookies.
|
|
4
|
-
# If you change this key, all old signed cookies will become invalid!
|
|
5
|
-
# Make sure the secret is at least 30 characters and all random,
|
|
6
|
-
# no regular words or you'll be exposed to dictionary attacks.
|
|
7
|
-
Rails3212::Application.config.secret_token = '8dd5aabfbd49f9bce1c5b7dee79d7349cb869f54984ead01f7a272e6f75a58413f621733855906dc9cc249b9486d95583519096d92e77b910f82ba4a90326db7'
|
|
@@ -1,8 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
|
|
3
|
-
Rails3212::Application.config.session_store :cookie_store, :key => '_rails_3_2_12_session'
|
|
4
|
-
|
|
5
|
-
# Use the database for sessions instead of the cookie-based default,
|
|
6
|
-
# which shouldn't be used to store highly confidential information
|
|
7
|
-
# (create the session table with "rails generate session_migration")
|
|
8
|
-
# Rails3212::Application.config.session_store :active_record_store
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
# Be sure to restart your server when you modify this file.
|
|
2
|
-
#
|
|
3
|
-
# This file contains settings for ActionController::ParamsWrapper which
|
|
4
|
-
# is enabled by default.
|
|
5
|
-
|
|
6
|
-
# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
|
|
7
|
-
ActiveSupport.on_load(:action_controller) do
|
|
8
|
-
wrap_parameters :format => [:json]
|
|
9
|
-
end
|
|
10
|
-
|
|
11
|
-
# Disable root element in JSON by default.
|
|
12
|
-
ActiveSupport.on_load(:active_record) do
|
|
13
|
-
self.include_root_in_json = false
|
|
14
|
-
end
|