secure_headers 1.4.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (66) hide show
  1. data/.gitignore +4 -8
  2. data/.travis.yml +7 -1
  3. data/Gemfile +4 -4
  4. data/README.md +115 -79
  5. data/Rakefile +11 -116
  6. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -1
  7. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  8. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -1
  9. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  10. data/fixtures/rails_3_2_12/config.ru +3 -0
  11. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +55 -18
  12. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +6 -1
  13. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  14. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
  15. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
  16. data/fixtures/rails_4_1_8/Gemfile +5 -0
  17. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  18. data/fixtures/rails_4_1_8/Rakefile +6 -0
  19. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  20. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  21. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  22. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  23. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  24. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  25. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  26. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  27. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  28. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  29. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  30. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  31. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  32. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  33. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  34. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  35. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  36. data/fixtures/rails_4_1_8/config.ru +4 -0
  37. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  38. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  39. data/fixtures/rails_4_1_8/log/.keep +0 -0
  40. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  41. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  42. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  43. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  44. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  45. data/lib/secure_headers/hash_helper.rb +7 -0
  46. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  47. data/lib/secure_headers/headers/content_security_policy.rb +141 -137
  48. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  49. data/lib/secure_headers/railtie.rb +13 -22
  50. data/lib/secure_headers/version.rb +1 -1
  51. data/lib/secure_headers/view_helper.rb +68 -0
  52. data/lib/secure_headers.rb +59 -17
  53. data/lib/tasks/tasks.rake +48 -0
  54. data/secure_headers.gemspec +4 -4
  55. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  56. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
  57. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +1 -1
  58. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  59. data/spec/lib/secure_headers_spec.rb +36 -61
  60. data/spec/spec_helper.rb +26 -1
  61. metadata +44 -11
  62. data/HISTORY.md +0 -162
  63. data/app/controllers/content_security_policy_controller.rb +0 -76
  64. data/config/curl-ca-bundle.crt +0 -5420
  65. data/config/routes.rb +0 -3
  66. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
@@ -16,7 +16,7 @@ describe ThingsController, :type => :controller do
16
16
  expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
17
17
  end
18
18
 
19
- it "sets the X-WebKit-CSP header" do
19
+ it "does not set CSP header" do
20
20
  get :index
21
21
  expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
22
22
  end
@@ -38,6 +38,11 @@ describe ThingsController, :type => :controller do
38
38
  expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
39
39
  end
40
40
 
41
+ it "sets the X-Permitted-Cross-Domain-Policies" do
42
+ get :index
43
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
44
+ end
45
+
41
46
  context "using IE" do
42
47
  it "sets the X-Content-Type-Options header" do
43
48
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
@@ -1,6 +1,5 @@
1
1
  class OtherThingsController < ApplicationController
2
- ensure_security_headers :csp => {:default_src => 'self', :disable_chrome_extension => true,
3
- :disable_fill_missing => true}
2
+ ensure_security_headers :csp => {:default_src => 'self', :disable_fill_missing => true}
4
3
  def index
5
4
 
6
5
  end
@@ -34,6 +34,11 @@ describe OtherThingsController, :type => :controller do
34
34
  expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
35
35
  end
36
36
 
37
+ it "sets the X-Permitted-Cross-Domain-Policies" do
38
+ get :index
39
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
40
+ end
41
+
37
42
  context "using IE" do
38
43
  it "sets the X-Content-Type-Options header" do
39
44
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
@@ -38,6 +38,11 @@ describe ThingsController, :type => :controller do
38
38
  expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
39
39
  end
40
40
 
41
+ it "sets the X-Permitted-Cross-Domain-Policies" do
42
+ get :index
43
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
44
+ end
45
+
41
46
  context "using IE" do
42
47
  it "sets the X-Content-Type-Options header" do
43
48
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
@@ -0,0 +1,5 @@
1
+ source 'https://rubygems.org'
2
+
3
+ gem 'rails', '4.1.8'
4
+ gem 'rspec-rails', '>= 2.0.0'
5
+ gem 'secure_headers', :path => '../..'
@@ -0,0 +1,28 @@
1
+ == README
2
+
3
+ This README would normally document whatever steps are necessary to get the
4
+ application up and running.
5
+
6
+ Things you may want to cover:
7
+
8
+ * Ruby version
9
+
10
+ * System dependencies
11
+
12
+ * Configuration
13
+
14
+ * Database creation
15
+
16
+ * Database initialization
17
+
18
+ * How to run the test suite
19
+
20
+ * Services (job queues, cache servers, search engines, etc.)
21
+
22
+ * Deployment instructions
23
+
24
+ * ...
25
+
26
+
27
+ Please feel free to use a different markup language if you do not plan to run
28
+ <tt>rake doc:app</tt>.
@@ -0,0 +1,6 @@
1
+ # Add your own tasks in files placed in lib/tasks ending in .rake,
2
+ # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
3
+
4
+ require File.expand_path('../config/application', __FILE__)
5
+
6
+ Rails.application.load_tasks
@@ -0,0 +1,4 @@
1
+ class ApplicationController < ActionController::Base
2
+ protect_from_forgery
3
+ ensure_security_headers
4
+ end
@@ -0,0 +1,5 @@
1
+ class OtherThingsController < ApplicationController
2
+ def index
3
+
4
+ end
5
+ end
@@ -0,0 +1,5 @@
1
+ class ThingsController < ApplicationController
2
+ ensure_security_headers :csp => false
3
+ def index
4
+ end
5
+ end
File without changes
File without changes
@@ -0,0 +1,11 @@
1
+ <!DOCTYPE html>
2
+ <html>
3
+ <head>
4
+ <title>Rails418</title>
5
+ </head>
6
+ <body>
7
+
8
+ <%= yield %>
9
+ <script>console.log("oh hell yes")</script>
10
+ </body>
11
+ </html>
@@ -0,0 +1,2 @@
1
+ index
2
+ <script>console.log("oh what")</script>
@@ -0,0 +1,15 @@
1
+ require File.expand_path('../boot', __FILE__)
2
+
3
+ require "action_controller/railtie"
4
+ require "sprockets/railtie"
5
+
6
+ # Require the gems listed in Gemfile, including any gems
7
+ # you've limited to :test, :development, or :production.
8
+ Bundler.require(*Rails.groups)
9
+
10
+
11
+ module Rails418
12
+ class Application < Rails::Application
13
+
14
+ end
15
+ end
@@ -0,0 +1,4 @@
1
+ # Set up gems listed in the Gemfile.
2
+ ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
3
+
4
+ require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
@@ -0,0 +1,5 @@
1
+ # Load the Rails application.
2
+ require File.expand_path('../application', __FILE__)
3
+
4
+ # Initialize the Rails application.
5
+ Rails.application.initialize!
@@ -0,0 +1,10 @@
1
+ Rails418::Application.configure do
2
+ config.cache_classes = true
3
+ config.eager_load = false
4
+ config.serve_static_assets = true
5
+ config.static_cache_control = 'public, max-age=3600'
6
+ config.consider_all_requests_local = true
7
+ config.action_controller.perform_caching = false
8
+ config.action_dispatch.show_exceptions = false
9
+ config.action_controller.allow_forgery_protection = false
10
+ end
@@ -0,0 +1,17 @@
1
+ ::SecureHeaders::Configuration.configure do |config|
2
+ config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
3
+ config.x_frame_options = 'DENY'
4
+ config.x_content_type_options = "nosniff"
5
+ config.x_xss_protection = {:value => 0}
6
+ config.x_permitted_cross_domain_policies = 'none'
7
+ csp = {
8
+ :default_src => "self",
9
+ :script_src => "self nonce",
10
+ :disable_fill_missing => true,
11
+ :report_uri => 'somewhere',
12
+ :script_hash_middleware => true,
13
+ :enforce => false # false means warnings only
14
+ }
15
+
16
+ config.csp = csp
17
+ end
@@ -0,0 +1,4 @@
1
+ Rails.application.routes.draw do
2
+ resources :things
3
+ match ':controller(/:action(/:id))(.:format)', :via => [:get, :post]
4
+ end
@@ -0,0 +1,5 @@
1
+ ---
2
+ app/views/layouts/application.html.erb:
3
+ - sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
4
+ app/views/other_things/index.html.erb:
5
+ - sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=
@@ -0,0 +1,22 @@
1
+ # Be sure to restart your server when you modify this file.
2
+
3
+ # Your secret key is used for verifying the integrity of signed cookies.
4
+ # If you change this key, all old signed cookies will become invalid!
5
+
6
+ # Make sure the secret is at least 30 characters and all random,
7
+ # no regular words or you'll be exposed to dictionary attacks.
8
+ # You can use `rake secret` to generate a secure secret key.
9
+
10
+ # Make sure the secrets in this file are kept private
11
+ # if you're sharing your code publicly.
12
+
13
+ development:
14
+ secret_key_base: ddba38f932720d8f18257f2a05dc278963a29cf569c45aa97ff4e9fc9bbc78af5a03fcf135caad45caee66ac09f8f9913c1f5e338a61213f420eefa8dd6363d2
15
+
16
+ test:
17
+ secret_key_base: f73abd7eab84fa7af5a2fc0a9c2727c5bad47433e51aa0c9c6b0782dac176a8e7f337e1f93adc6d6fc17027e67a533040b6408e54d72dea2eec6e5b9820dbcb9
18
+
19
+ # Do not keep production secrets in the repository,
20
+ # instead read values from the environment.
21
+ production:
22
+ secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
@@ -0,0 +1,4 @@
1
+ # This file is used by Rack-based servers to start the application.
2
+
3
+ require ::File.expand_path('../config/environment', __FILE__)
4
+ run Rails.application
File without changes
File without changes
File without changes
@@ -0,0 +1,83 @@
1
+ require 'spec_helper'
2
+
3
+ require 'secure_headers/headers/content_security_policy/script_hash_middleware'
4
+
5
+ describe OtherThingsController, :type => :controller do
6
+ include Rack::Test::Methods
7
+
8
+ def app
9
+ OtherThingsController.action(:index)
10
+ end
11
+
12
+ def request(opts = {})
13
+ options = opts.merge(
14
+ {
15
+ 'HTTPS' => 'on',
16
+ 'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
17
+ }
18
+ )
19
+
20
+
21
+ Rack::MockRequest.env_for('/', options)
22
+ end
23
+
24
+
25
+ describe "headers" do
26
+ before(:each) do
27
+ _, @env = app.call(request)
28
+ end
29
+
30
+ it "sets the X-XSS-Protection header" do
31
+ get '/'
32
+ expect(@env['X-XSS-Protection']).to eq('0')
33
+ end
34
+
35
+ it "sets the X-Frame-Options header" do
36
+ get '/'
37
+ expect(@env['X-Frame-Options']).to eq('DENY')
38
+ end
39
+
40
+ it "sets the CSP header with a local reference to a nonce" do
41
+ middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
42
+ _, env = middleware.call(request(@env))
43
+ expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
44
+ end
45
+
46
+ it "sets the required hashes to whitelist inline script" do
47
+ middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
48
+ _, env = middleware.call(request(@env))
49
+ hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
50
+ hashes.each do |hash|
51
+ expect(env['Content-Security-Policy-Report-Only']).to include(hash)
52
+ end
53
+ end
54
+
55
+ it "sets the Strict-Transport-Security header" do
56
+ get '/'
57
+ expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
58
+ end
59
+
60
+ it "sets the X-Download-Options header" do
61
+ get '/'
62
+ expect(@env['X-Download-Options']).to eq('noopen')
63
+ end
64
+
65
+ it "sets the X-Content-Type-Options header" do
66
+ get '/'
67
+ expect(@env['X-Content-Type-Options']).to eq("nosniff")
68
+ end
69
+
70
+ it "sets the X-Permitted-Cross-Domain-Policies" do
71
+ get '/'
72
+ expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
73
+ end
74
+
75
+ context "using IE" do
76
+ it "sets the X-Content-Type-Options header" do
77
+ @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
78
+ get '/'
79
+ expect(@env['X-Content-Type-Options']).to eq("nosniff")
80
+ end
81
+ end
82
+ end
83
+ end
@@ -0,0 +1,59 @@
1
+ # config.action_dispatch.default_headers defaults to:
2
+ # {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"}
3
+ # so we want to set our specs to expect something else to ensure secureheaders is taking precedence
4
+
5
+ require 'spec_helper'
6
+
7
+ # This controller is meant to be something that inherits config from application controller
8
+ # all values are defaulted because no initializer is configured, and the values in app controller
9
+ # only provide csp => false
10
+
11
+ describe ThingsController, :type => :controller do
12
+
13
+ describe "headers" do
14
+ it "sets the X-XSS-Protection header" do
15
+ get :index
16
+ expect(response.headers['X-XSS-Protection']).to eq('0')
17
+ end
18
+
19
+ it "sets the X-Frame-Options header" do
20
+ get :index
21
+ expect(response.headers['X-Frame-Options']).to eq('DENY')
22
+ end
23
+
24
+ it "does not set CSP header" do
25
+ get :index
26
+ expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
27
+ end
28
+
29
+ #mock ssl
30
+ it "sets the Strict-Transport-Security header" do
31
+ request.env['HTTPS'] = 'on'
32
+ get :index
33
+ expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
34
+ end
35
+
36
+ it "sets the X-Download-Options header" do
37
+ get :index
38
+ expect(response.headers['X-Download-Options']).to eq('noopen')
39
+ end
40
+
41
+ it "sets the X-Content-Type-Options header" do
42
+ get :index
43
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
44
+ end
45
+
46
+ it "sets the X-Permitted-Cross-Domain-Policies" do
47
+ get :index
48
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
49
+ end
50
+
51
+ context "using IE" do
52
+ it "sets the X-Content-Type-Options header" do
53
+ request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
54
+ get :index
55
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
56
+ end
57
+ end
58
+ end
59
+ end
@@ -0,0 +1,15 @@
1
+ require 'rubygems'
2
+
3
+ #uncomment the following line to use spork with the debugger
4
+ #require 'spork/ext/ruby-debug'
5
+
6
+ # Spork.prefork do
7
+ # Loading more in this block will cause your tests to run faster. However,
8
+ # if you change any configuration or code from libraries loaded here, you'll
9
+ # need to restart spork for it take effect.
10
+ # This file is copied to spec/ when you run 'rails generate rspec:install'
11
+ ENV["RAILS_ENV"] ||= 'test'
12
+ require File.expand_path("../../config/environment", __FILE__)
13
+ require 'rspec/rails'
14
+ # end
15
+
@@ -0,0 +1,7 @@
1
+ module SecureHeaders
2
+ module HashHelper
3
+ def hash_source(inline_script, digest = :SHA256)
4
+ [digest.to_s.downcase, "-", [[Digest.const_get(digest).hexdigest(inline_script)].pack("H*")].pack("m").chomp].join
5
+ end
6
+ end
7
+ end
@@ -0,0 +1,22 @@
1
+ module SecureHeaders
2
+ class ContentSecurityPolicy
3
+ class ScriptHashMiddleware
4
+ def initialize(app)
5
+ @app = app
6
+ end
7
+
8
+ def call(env)
9
+ status, headers, response = @app.call(env)
10
+ metadata = env[ContentSecurityPolicy::ENV_KEY]
11
+ if !metadata.nil?
12
+ config, options = metadata.values_at(:config, :options)
13
+ config.merge!(:script_hashes => env[HASHES_ENV_KEY])
14
+ csp_header = ContentSecurityPolicy.new(config, options)
15
+ headers[csp_header.name] = csp_header.value
16
+ end
17
+
18
+ [status, headers, response]
19
+ end
20
+ end
21
+ end
22
+ end