secure_headers 1.3.3 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. data/.gitignore +4 -8
  2. data/.travis.yml +7 -4
  3. data/Gemfile +6 -7
  4. data/README.md +115 -79
  5. data/Rakefile +11 -116
  6. data/fixtures/rails_3_2_12/Gemfile +0 -6
  7. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  8. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  9. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  10. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  11. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  12. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  13. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -1
  14. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  15. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  16. data/fixtures/rails_3_2_12/config.ru +3 -0
  17. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +58 -16
  18. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +11 -1
  19. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -7
  20. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  21. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  22. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  23. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  24. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  25. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  26. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  27. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +10 -0
  28. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +10 -0
  29. data/fixtures/rails_4_1_8/Gemfile +5 -0
  30. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  31. data/fixtures/rails_4_1_8/Rakefile +6 -0
  32. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  33. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  34. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  35. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  36. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  37. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  38. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  39. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  40. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  41. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  42. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  43. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  44. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  45. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  46. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  47. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  48. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  49. data/fixtures/rails_4_1_8/config.ru +4 -0
  50. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  51. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  52. data/fixtures/rails_4_1_8/log/.keep +0 -0
  53. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  54. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  55. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  56. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  57. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  58. data/lib/secure_headers/hash_helper.rb +7 -0
  59. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  60. data/lib/secure_headers/headers/content_security_policy.rb +141 -133
  61. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  62. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  63. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  64. data/lib/secure_headers/railtie.rb +19 -24
  65. data/lib/secure_headers/version.rb +1 -1
  66. data/lib/secure_headers/view_helper.rb +68 -0
  67. data/lib/secure_headers.rb +65 -16
  68. data/lib/tasks/tasks.rake +48 -0
  69. data/secure_headers.gemspec +4 -4
  70. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  71. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
  72. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  73. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  74. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
  75. data/spec/lib/secure_headers_spec.rb +57 -61
  76. data/spec/spec_helper.rb +27 -1
  77. metadata +47 -42
  78. data/Guardfile +0 -6
  79. data/HISTORY.md +0 -155
  80. data/app/controllers/content_security_policy_controller.rb +0 -75
  81. data/config/curl-ca-bundle.crt +0 -5420
  82. data/config/routes.rb +0 -3
  83. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  84. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  85. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  86. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  87. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  88. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  89. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  90. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  91. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  92. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  93. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  94. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  95. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  96. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  97. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  98. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  99. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  100. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  101. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  102. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  103. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  104. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  105. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  106. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  107. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  108. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  109. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  110. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  111. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  112. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
  113. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
@@ -18,26 +18,7 @@ describe SecureHeaders do
18
18
  allow(subject).to receive(:request).and_return(request)
19
19
  end
20
20
 
21
- ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
22
- USER_AGENTS = {
23
- :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
24
- :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
25
- :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
26
- :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
27
- :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
28
- :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
29
- :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
30
- :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
31
- :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
32
- }
33
-
34
- def should_assign_header name, value
35
- expect(response.headers).to receive(:[]=).with(name, value)
36
- end
37
-
38
- def should_not_assign_header name
39
- expect(response.headers).not_to receive(:[]=).with(name, anything)
40
- end
21
+ ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection, :x_permitted_cross_domain_policies].map{|header| [header, false]}]
41
22
 
42
23
  def stub_user_agent val
43
24
  allow(request).to receive_message_chain(:env, :[]).and_return(val)
@@ -54,6 +35,8 @@ describe SecureHeaders do
54
35
  config.x_content_type_options = nil
55
36
  config.x_xss_protection = nil
56
37
  config.csp = nil
38
+ config.x_download_options = nil
39
+ config.x_permitted_cross_domain_policies = nil
57
40
  end
58
41
  end
59
42
 
@@ -63,14 +46,8 @@ describe SecureHeaders do
63
46
  subject.set_x_frame_options_header
64
47
  subject.set_x_content_type_options_header
65
48
  subject.set_x_xss_protection_header
66
- end
67
-
68
- describe "#ensure_security_headers" do
69
- it "sets a before filter" do
70
- options = {}
71
- expect(DummyClass).to receive(:before_filter).exactly(5).times
72
- DummyClass.ensure_security_headers(options)
73
- end
49
+ subject.set_x_download_options_header
50
+ subject.set_x_permitted_cross_domain_policies_header
74
51
  end
75
52
 
76
53
  describe "#set_header" do
@@ -86,19 +63,18 @@ describe SecureHeaders do
86
63
  end
87
64
 
88
65
  describe "#set_security_headers" do
89
- before(:each) do
90
- allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
91
- end
92
66
  USER_AGENTS.each do |name, useragent|
93
67
  it "sets all default headers for #{name} (smoke test)" do
94
68
  stub_user_agent(useragent)
95
- number_of_headers = 5
69
+ number_of_headers = 7
96
70
  expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
97
71
  subject.set_csp_header
98
72
  subject.set_x_frame_options_header
99
73
  subject.set_hsts_header
100
74
  subject.set_x_xss_protection_header
101
75
  subject.set_x_content_type_options_header
76
+ subject.set_x_download_options_header
77
+ subject.set_x_permitted_cross_domain_policies_header
102
78
  end
103
79
  end
104
80
 
@@ -113,11 +89,21 @@ describe SecureHeaders do
113
89
  subject.set_x_xss_protection_header(false)
114
90
  end
115
91
 
92
+ it "does not set the X-Download-Options header if disabled" do
93
+ should_not_assign_header(XDO_HEADER_NAME)
94
+ subject.set_x_download_options_header(false)
95
+ end
96
+
116
97
  it "does not set the X-Frame-Options header if disabled" do
117
98
  should_not_assign_header(XFO_HEADER_NAME)
118
99
  subject.set_x_frame_options_header(false)
119
100
  end
120
101
 
102
+ it "does not set the X-Permitted-Cross-Domain-Policies header if disabled" do
103
+ should_not_assign_header(XPCDP_HEADER_NAME)
104
+ subject.set_x_permitted_cross_domain_policies_header(false)
105
+ end
106
+
121
107
  it "does not set the HSTS header if disabled" do
122
108
  should_not_assign_header(HSTS_HEADER_NAME)
123
109
  subject.set_hsts_header(false)
@@ -131,8 +117,19 @@ describe SecureHeaders do
131
117
 
132
118
  it "does not set the CSP header if disabled" do
133
119
  stub_user_agent(USER_AGENTS[:chrome])
134
- should_not_assign_header(STANDARD_HEADER_NAME)
135
- subject.set_csp_header(options_for(:csp).merge(:csp => false))
120
+ should_not_assign_header(HEADER_NAME)
121
+ subject.set_csp_header(false)
122
+ end
123
+
124
+ it "saves the options to the env when using script hashes" do
125
+ opts = {
126
+ :default_src => 'self',
127
+ :script_hash_middleware => true
128
+ }
129
+ stub_user_agent(USER_AGENTS[:chrome])
130
+
131
+ expect(SecureHeaders::ContentSecurityPolicy).to receive(:add_to_env)
132
+ subject.set_csp_header(opts)
136
133
  end
137
134
 
138
135
  context "when disabled by configuration settings" do
@@ -143,6 +140,8 @@ describe SecureHeaders do
143
140
  config.x_content_type_options = false
144
141
  config.x_xss_protection = false
145
142
  config.csp = false
143
+ config.x_download_options = false
144
+ config.x_permitted_cross_domain_policies = false
146
145
  end
147
146
  expect(subject).not_to receive(:set_header)
148
147
  set_security_headers(subject)
@@ -163,6 +162,18 @@ describe SecureHeaders do
163
162
  end
164
163
  end
165
164
 
165
+ describe "#set_x_download_options_header" do
166
+ it "sets the X-Download-Options header" do
167
+ should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
168
+ subject.set_x_download_options_header
169
+ end
170
+
171
+ it "allows a custom X-Download-Options header" do
172
+ should_assign_header(XDO_HEADER_NAME, "noopen")
173
+ subject.set_x_download_options_header(:value => 'noopen')
174
+ end
175
+ end
176
+
166
177
  describe "#set_strict_transport_security" do
167
178
  it "sets the Strict-Transport-Security header" do
168
179
  should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
@@ -226,7 +237,7 @@ describe SecureHeaders do
226
237
  context "when using Firefox" do
227
238
  it "sets CSP headers" do
228
239
  stub_user_agent(USER_AGENTS[:firefox])
229
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
240
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
230
241
  subject.set_csp_header
231
242
  end
232
243
  end
@@ -234,7 +245,7 @@ describe SecureHeaders do
234
245
  context "when using Chrome" do
235
246
  it "sets default CSP header" do
236
247
  stub_user_agent(USER_AGENTS[:chrome])
237
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
248
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
238
249
  subject.set_csp_header
239
250
  end
240
251
  end
@@ -242,36 +253,21 @@ describe SecureHeaders do
242
253
  context "when using a browser besides chrome/firefox" do
243
254
  it "sets the CSP header" do
244
255
  stub_user_agent(USER_AGENTS[:opera])
245
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
256
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
246
257
  subject.set_csp_header
247
258
  end
248
259
  end
260
+ end
249
261
 
250
- context "when using the experimental key" do
251
- before(:each) do
252
- stub_user_agent(USER_AGENTS[:chrome])
253
- @opts = {
254
- :enforce => true,
255
- :default_src => 'self',
256
- :script_src => 'https://mycdn.example.com',
257
- :experimental => {
258
- :script_src => 'self',
259
- }
260
- }
261
- end
262
-
263
- it "does not set the header in enforce mode if experimental is supplied, but enforce is disabled" do
264
- opts = @opts.merge(:enforce => false)
265
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
266
- should_not_assign_header(STANDARD_HEADER_NAME)
267
- subject.set_csp_header(opts)
268
- end
262
+ describe "#set_x_permitted_cross_domain_policies_header" do
263
+ it "sets the X-Permitted-Cross-Domain-Policies header" do
264
+ should_assign_header(XPCDP_HEADER_NAME, SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
265
+ subject.set_x_permitted_cross_domain_policies_header
266
+ end
269
267
 
270
- it "sets a header in enforce mode as well as report-only mode" do
271
- should_assign_header(STANDARD_HEADER_NAME, anything)
272
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
273
- subject.set_csp_header(@opts)
274
- end
268
+ it "allows a custom X-Permitted-Cross-Domain-Policies header" do
269
+ should_assign_header(XPCDP_HEADER_NAME, "master-only")
270
+ subject.set_x_permitted_cross_domain_policies_header(:value => 'master-only')
275
271
  end
276
272
  end
277
273
  end
data/spec/spec_helper.rb CHANGED
@@ -2,9 +2,35 @@ require 'rubygems'
2
2
  require 'rspec'
3
3
 
4
4
  require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
5
- require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
5
+
6
+ if defined?(Coveralls)
7
+ Coveralls.wear!
8
+ end
9
+
6
10
  include ::SecureHeaders::StrictTransportSecurity::Constants
7
11
  include ::SecureHeaders::ContentSecurityPolicy::Constants
8
12
  include ::SecureHeaders::XFrameOptions::Constants
9
13
  include ::SecureHeaders::XXssProtection::Constants
10
14
  include ::SecureHeaders::XContentTypeOptions::Constants
15
+ include ::SecureHeaders::XDownloadOptions::Constants
16
+ include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
17
+
18
+ USER_AGENTS = {
19
+ :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
20
+ :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
21
+ :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
22
+ :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
23
+ :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
24
+ :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
25
+ :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
26
+ :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
27
+ :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
28
+ }
29
+
30
+ def should_assign_header name, value
31
+ expect(response.headers).to receive(:[]=).with(name, value)
32
+ end
33
+
34
+ def should_not_assign_header name
35
+ expect(response.headers).not_to receive(:[]=).with(name, anything)
36
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.3
4
+ version: 2.0.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2014-08-15 00:00:00.000000000 Z
12
+ date: 2015-01-23 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rake
@@ -27,7 +27,7 @@ dependencies:
27
27
  - - ! '>='
28
28
  - !ruby/object:Gem::Version
29
29
  version: '0'
30
- description: Add easily configured browser headers to responses.
30
+ description: Security related headers all in one gem.
31
31
  email:
32
32
  - neil.matatall@gmail.com
33
33
  executables: []
@@ -39,14 +39,9 @@ files:
39
39
  - .ruby-version
40
40
  - .travis.yml
41
41
  - Gemfile
42
- - Guardfile
43
- - HISTORY.md
44
42
  - LICENSE
45
43
  - README.md
46
44
  - Rakefile
47
- - app/controllers/content_security_policy_controller.rb
48
- - config/curl-ca-bundle.crt
49
- - config/routes.rb
50
45
  - fixtures/rails_3_2_12/.rspec
51
46
  - fixtures/rails_3_2_12/Gemfile
52
47
  - fixtures/rails_3_2_12/README.rdoc
@@ -55,29 +50,17 @@ files:
55
50
  - fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
56
51
  - fixtures/rails_3_2_12/app/controllers/things_controller.rb
57
52
  - fixtures/rails_3_2_12/app/models/.gitkeep
58
- - fixtures/rails_3_2_12/app/models/thing.rb
59
53
  - fixtures/rails_3_2_12/app/views/layouts/application.html.erb
60
54
  - fixtures/rails_3_2_12/app/views/other_things/index.html.erb
61
55
  - fixtures/rails_3_2_12/app/views/things/index.html.erb
62
56
  - fixtures/rails_3_2_12/config.ru
63
57
  - fixtures/rails_3_2_12/config/application.rb
64
58
  - fixtures/rails_3_2_12/config/boot.rb
65
- - fixtures/rails_3_2_12/config/database.yml
66
59
  - fixtures/rails_3_2_12/config/environment.rb
67
- - fixtures/rails_3_2_12/config/environments/development.rb
68
- - fixtures/rails_3_2_12/config/environments/production.rb
69
60
  - fixtures/rails_3_2_12/config/environments/test.rb
70
- - fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
71
- - fixtures/rails_3_2_12/config/initializers/inflections.rb
72
- - fixtures/rails_3_2_12/config/initializers/mime_types.rb
73
- - fixtures/rails_3_2_12/config/initializers/secret_token.rb
74
61
  - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
75
- - fixtures/rails_3_2_12/config/initializers/session_store.rb
76
- - fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
77
- - fixtures/rails_3_2_12/config/locales/en.yml
78
62
  - fixtures/rails_3_2_12/config/routes.rb
79
- - fixtures/rails_3_2_12/db/schema.rb
80
- - fixtures/rails_3_2_12/db/seeds.rb
63
+ - fixtures/rails_3_2_12/config/script_hashes.yml
81
64
  - fixtures/rails_3_2_12/lib/assets/.gitkeep
82
65
  - fixtures/rails_3_2_12/lib/tasks/.gitkeep
83
66
  - fixtures/rails_3_2_12/log/.gitkeep
@@ -95,32 +78,15 @@ files:
95
78
  - fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
96
79
  - fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
97
80
  - fixtures/rails_3_2_12_no_init/app/models/.gitkeep
98
- - fixtures/rails_3_2_12_no_init/app/models/thing.rb
99
81
  - fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
100
82
  - fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
101
- - fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
102
- - fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
103
83
  - fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
104
- - fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
105
- - fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
106
84
  - fixtures/rails_3_2_12_no_init/config.ru
107
85
  - fixtures/rails_3_2_12_no_init/config/application.rb
108
86
  - fixtures/rails_3_2_12_no_init/config/boot.rb
109
- - fixtures/rails_3_2_12_no_init/config/database.yml
110
87
  - fixtures/rails_3_2_12_no_init/config/environment.rb
111
- - fixtures/rails_3_2_12_no_init/config/environments/development.rb
112
- - fixtures/rails_3_2_12_no_init/config/environments/production.rb
113
88
  - fixtures/rails_3_2_12_no_init/config/environments/test.rb
114
- - fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
115
- - fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
116
- - fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
117
- - fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
118
- - fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
119
- - fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
120
- - fixtures/rails_3_2_12_no_init/config/locales/en.yml
121
89
  - fixtures/rails_3_2_12_no_init/config/routes.rb
122
- - fixtures/rails_3_2_12_no_init/db/schema.rb
123
- - fixtures/rails_3_2_12_no_init/db/seeds.rb
124
90
  - fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
125
91
  - fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
126
92
  - fixtures/rails_3_2_12_no_init/log/.gitkeep
@@ -130,22 +96,59 @@ files:
130
96
  - fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
131
97
  - fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
132
98
  - fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
99
+ - fixtures/rails_4_1_8/Gemfile
100
+ - fixtures/rails_4_1_8/README.rdoc
101
+ - fixtures/rails_4_1_8/Rakefile
102
+ - fixtures/rails_4_1_8/app/controllers/application_controller.rb
103
+ - fixtures/rails_4_1_8/app/controllers/concerns/.keep
104
+ - fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
105
+ - fixtures/rails_4_1_8/app/controllers/things_controller.rb
106
+ - fixtures/rails_4_1_8/app/models/.keep
107
+ - fixtures/rails_4_1_8/app/models/concerns/.keep
108
+ - fixtures/rails_4_1_8/app/views/layouts/application.html.erb
109
+ - fixtures/rails_4_1_8/app/views/other_things/index.html.erb
110
+ - fixtures/rails_4_1_8/app/views/things/index.html.erb
111
+ - fixtures/rails_4_1_8/config.ru
112
+ - fixtures/rails_4_1_8/config/application.rb
113
+ - fixtures/rails_4_1_8/config/boot.rb
114
+ - fixtures/rails_4_1_8/config/environment.rb
115
+ - fixtures/rails_4_1_8/config/environments/test.rb
116
+ - fixtures/rails_4_1_8/config/initializers/secure_headers.rb
117
+ - fixtures/rails_4_1_8/config/routes.rb
118
+ - fixtures/rails_4_1_8/config/script_hashes.yml
119
+ - fixtures/rails_4_1_8/config/secrets.yml
120
+ - fixtures/rails_4_1_8/lib/assets/.keep
121
+ - fixtures/rails_4_1_8/lib/tasks/.keep
122
+ - fixtures/rails_4_1_8/log/.keep
123
+ - fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
124
+ - fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
125
+ - fixtures/rails_4_1_8/spec/spec_helper.rb
126
+ - fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
127
+ - fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
133
128
  - lib/secure_headers.rb
129
+ - lib/secure_headers/hash_helper.rb
134
130
  - lib/secure_headers/header.rb
135
131
  - lib/secure_headers/headers/content_security_policy.rb
132
+ - lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
136
133
  - lib/secure_headers/headers/strict_transport_security.rb
137
134
  - lib/secure_headers/headers/x_content_type_options.rb
135
+ - lib/secure_headers/headers/x_download_options.rb
138
136
  - lib/secure_headers/headers/x_frame_options.rb
137
+ - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
139
138
  - lib/secure_headers/headers/x_xss_protection.rb
140
139
  - lib/secure_headers/padrino.rb
141
140
  - lib/secure_headers/railtie.rb
142
141
  - lib/secure_headers/version.rb
142
+ - lib/secure_headers/view_helper.rb
143
+ - lib/tasks/tasks.rake
143
144
  - secure_headers.gemspec
144
- - spec/controllers/content_security_policy_controller_spec.rb
145
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
145
146
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
146
147
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
147
148
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
149
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
148
150
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
151
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
149
152
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
150
153
  - spec/lib/secure_headers_spec.rb
151
154
  - spec/spec_helper.rb
@@ -174,14 +177,16 @@ rubyforge_project:
174
177
  rubygems_version: 1.8.23
175
178
  signing_key:
176
179
  specification_version: 3
177
- summary: Add easily configured browser headers to responses including content security
178
- policy, x-frame-options, strict-transport-security and more.
180
+ summary: Add easily configured security headers to responses including content-security-policy,
181
+ x-frame-options, strict-transport-security, etc.
179
182
  test_files:
180
- - spec/controllers/content_security_policy_controller_spec.rb
183
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
181
184
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
182
185
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
183
186
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
187
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
184
188
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
189
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
185
190
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
186
191
  - spec/lib/secure_headers_spec.rb
187
192
  - spec/spec_helper.rb
data/Guardfile DELETED
@@ -1,6 +0,0 @@
1
- guard 'rspec' do
2
- watch(%r{^spec/.+_spec\.rb$})
3
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
4
- watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
5
- watch('spec/spec_helper.rb') { "spec" }
6
- end
data/HISTORY.md DELETED
@@ -1,155 +0,0 @@
1
- 1.3.3
2
- ======
3
-
4
- @agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
5
-
6
- This just adds a new 'preload' option to the HSTS settings to specify that option.
7
-
8
- 1.3.2
9
- ======
10
-
11
- Adds the ability to "tag" requests and a new config value: :app_name
12
-
13
- {
14
- :tag_report_uri => true,
15
- :enforce => true,
16
- :app_name => 'twitter',
17
- :report_uri => 'csp_reports'
18
- }
19
-
20
- Results in
21
- report-uri csp_reports?enforce=true&app_name=twitter
22
-
23
-
24
- 1.3.1
25
- ======
26
-
27
- Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
28
-
29
- 1.3.0
30
- ======
31
-
32
- - CSP nonce support was added back and is compliant.
33
- - Bugs:
34
- -- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
35
- -- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
36
-
37
- 1.2.0
38
- ======
39
- - Allow procs to be used as config values.
40
-
41
- 1.1.1
42
- ======
43
-
44
- Bug fix release.
45
- - Parsing of CSP reports was busted.
46
- - Forwarded reports did not include the original referer, ip, UA
47
-
48
- 1.1.0
49
- ======
50
-
51
- - Remove brwsr dependency (no more runtime dependencies)
52
- - Stop serving X- prefixed CSP headers
53
-
54
- This change means that all requests get all headers, even if the browser doesn't grok it.
55
-
56
- 1.0.0
57
- ======
58
-
59
- Features:
60
-
61
- - Use non-prefixed header names for Firefox >= 23, Chrome >= 25
62
- - Use csp 1.0 compliant header for firefox >= 23
63
-
64
- Bug Fix:
65
-
66
- - Stop sending CSP on safari 5.1+
67
-
68
- 0.5.0
69
- ======
70
-
71
- - X-Content-Type-Options also applied to Chrome requests
72
-
73
- 0.4.3
74
- ======
75
-
76
- - Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
77
-
78
- 0.4.2
79
- ======
80
-
81
- - Stupid bug where Fixnums couldn't be used for config values
82
- - Doc updates
83
-
84
- 0.4.1
85
- ======
86
-
87
- - Allow strings or ints in the HSTS max-age (@reedloden)
88
-
89
- 0.4.0
90
- =======
91
-
92
- - Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
93
- - Should be backwards compatible, but it is a change to the API.
94
-
95
- 0.3.0
96
- =======
97
-
98
- - Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
99
-
100
- 0.2.3
101
- =======
102
-
103
- - Fix error in report-uri logic for Firefox forwarding.
104
-
105
- 0.2.2
106
- =======
107
-
108
- - Stop applying chrome-extension: to Firefox directives.
109
-
110
- 0.2.1
111
- =======
112
-
113
- - Firefox headers will now stop overriding report_uri when only a path is supplied
114
-
115
- 0.2.0
116
- =======
117
-
118
- - 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
119
- - Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
120
-
121
- ```ruby
122
- FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
123
- CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
124
- ```
125
- - :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
126
- - Skeleton applications have been added to test isolated application configurations
127
- - Cleanup by @bemurphy
128
-
129
- 0.1.1
130
- =======
131
-
132
- Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
133
-
134
- 0.1.0
135
- =======
136
-
137
- Notes:
138
- ------
139
-
140
- - Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
141
-
142
- Features:
143
- ------
144
-
145
- - ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
146
- - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
147
-
148
- Bug fixes, misc:
149
- ------
150
-
151
- - Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
152
- - Better support for other frameworks, including docs from @achui, @bmaland
153
- - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
154
- - data: automatically whitelisted for img-src
155
- - Doc updates from @ming13, @theverything, @dcollazo
@@ -1,75 +0,0 @@
1
- require 'net/https'
2
- require 'openssl'
3
-
4
- class ContentSecurityPolicyController < ActionController::Base
5
- CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
6
-
7
- def scribe
8
- csp = ::SecureHeaders::Configuration.csp || {}
9
-
10
- forward_endpoint = csp[:forward_endpoint]
11
- if forward_endpoint
12
- forward_params_to(forward_endpoint)
13
- end
14
-
15
- head :ok
16
- rescue StandardError => e
17
- log_warning(forward_endpoint, e)
18
- head :bad_request
19
- end
20
-
21
- private
22
-
23
- def forward_params_to(forward_endpoint)
24
- uri = URI.parse(forward_endpoint)
25
- http = Net::HTTP.new(uri.host, uri.port)
26
- if uri.scheme == 'https'
27
- use_ssl(http)
28
- end
29
-
30
- if request.content_type == "application/csp-report"
31
- request.body.rewind
32
- params.merge!(ActiveSupport::JSON.decode(request.body.read))
33
- end
34
-
35
- ua = request.user_agent
36
- xff = forwarded_for
37
-
38
- request = Net::HTTP::Post.new(uri.to_s)
39
- request.initialize_http_header({
40
- 'User-Agent' => ua,
41
- 'X-Forwarded-For' => xff,
42
- 'Content-Type' => 'application/json',
43
- })
44
- request.body = params.to_json
45
-
46
- # fire and forget
47
- if defined?(Delayed::Job)
48
- http.delay.request(request)
49
- else
50
- http.request(request)
51
- end
52
- end
53
-
54
- def forwarded_for
55
- req_xff = request.env["HTTP_X_FORWARDED_FOR"]
56
- if req_xff && req_xff != ""
57
- "#{req_xff}, #{request.remote_ip}"
58
- else
59
- request.remote_ip
60
- end
61
- end
62
-
63
- def use_ssl request
64
- request.use_ssl = true
65
- request.ca_file = CA_FILE
66
- request.verify_mode = OpenSSL::SSL::VERIFY_PEER
67
- request.verify_depth = 9
68
- end
69
-
70
- def log_warning(forward_endpoint, e)
71
- if defined?(Rails.logger)
72
- Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
73
- end
74
- end
75
- end