secure_headers 2.0.1 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
data/README.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# SecureHeaders [](http://travis-ci.org/twitter/secureheaders) [](https://codeclimate.com/github/twitter/secureheaders) [](https://coveralls.io/r/twitter/secureheaders)
|
|
2
2
|
|
|
3
3
|
The gem will automatically apply several headers that are related to security. This includes:
|
|
4
|
-
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP
|
|
4
|
+
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
|
|
5
5
|
- HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
|
|
6
6
|
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
|
|
7
7
|
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
|
|
@@ -31,7 +31,13 @@ module SecureHeaders
|
|
|
31
31
|
:reflected_xss
|
|
32
32
|
]
|
|
33
33
|
|
|
34
|
-
|
|
34
|
+
OTHER = [
|
|
35
|
+
:report_uri
|
|
36
|
+
]
|
|
37
|
+
|
|
38
|
+
SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
|
|
39
|
+
|
|
40
|
+
ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
|
|
35
41
|
end
|
|
36
42
|
include Constants
|
|
37
43
|
|
|
@@ -102,7 +108,7 @@ module SecureHeaders
|
|
|
102
108
|
@config = config.inject({}) do |hash, (key, value)|
|
|
103
109
|
config_val = value.respond_to?(:call) ? value.call : value
|
|
104
110
|
|
|
105
|
-
if
|
|
111
|
+
if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
|
|
106
112
|
config_val = config_val.split if config_val.is_a? String
|
|
107
113
|
if config_val.is_a?(Array)
|
|
108
114
|
config_val = config_val.map do |val|
|
|
@@ -18,16 +18,10 @@ describe SecureHeaders do
|
|
|
18
18
|
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection, :x_permitted_cross_domain_policies].map{|header| [header, false]}]
|
|
22
|
-
|
|
23
21
|
def stub_user_agent val
|
|
24
22
|
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
25
23
|
end
|
|
26
24
|
|
|
27
|
-
def options_for header
|
|
28
|
-
ALL_HEADERS.reject{|k,v| k == header}
|
|
29
|
-
end
|
|
30
|
-
|
|
31
25
|
def reset_config
|
|
32
26
|
::SecureHeaders::Configuration.configure do |config|
|
|
33
27
|
config.hsts = nil
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.2
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2015-
|
|
12
|
+
date: 2015-05-05 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rake
|