secure_headers 2.2.4 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (127) hide show
  1. checksums.yaml +4 -4
  2. data/.rspec +1 -0
  3. data/.ruby-version +1 -1
  4. data/.travis.yml +3 -0
  5. data/CHANGELOG.md +205 -0
  6. data/Gemfile +9 -10
  7. data/Guardfile +12 -0
  8. data/README.md +172 -274
  9. data/Rakefile +2 -36
  10. data/lib/secure_headers/configuration.rb +189 -0
  11. data/lib/secure_headers/headers/content_security_policy.rb +362 -211
  12. data/lib/secure_headers/headers/public_key_pins.rb +43 -57
  13. data/lib/secure_headers/headers/strict_transport_security.rb +21 -47
  14. data/lib/secure_headers/headers/x_content_type_options.rb +19 -32
  15. data/lib/secure_headers/headers/x_download_options.rb +18 -31
  16. data/lib/secure_headers/headers/x_frame_options.rb +24 -32
  17. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +19 -32
  18. data/lib/secure_headers/headers/x_xss_protection.rb +17 -46
  19. data/lib/secure_headers/middleware.rb +15 -0
  20. data/lib/secure_headers/padrino.rb +1 -2
  21. data/lib/secure_headers/railtie.rb +9 -6
  22. data/lib/secure_headers/view_helper.rb +27 -44
  23. data/lib/secure_headers.rb +245 -150
  24. data/secure_headers.gemspec +7 -11
  25. data/spec/lib/secure_headers/configuration_spec.rb +80 -0
  26. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +175 -262
  27. data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +17 -17
  28. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +11 -43
  29. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +13 -18
  30. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +13 -17
  31. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +15 -17
  32. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +22 -39
  33. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +22 -30
  34. data/spec/lib/secure_headers/middleware_spec.rb +40 -0
  35. data/spec/lib/secure_headers_spec.rb +204 -278
  36. data/spec/spec_helper.rb +32 -28
  37. data/upgrading-to-3-0.md +37 -0
  38. metadata +14 -94
  39. data/fixtures/rails_3_2_12/.rspec +0 -1
  40. data/fixtures/rails_3_2_12/Gemfile +0 -6
  41. data/fixtures/rails_3_2_12/README.rdoc +0 -261
  42. data/fixtures/rails_3_2_12/Rakefile +0 -7
  43. data/fixtures/rails_3_2_12/app/controllers/application_controller.rb +0 -4
  44. data/fixtures/rails_3_2_12/app/controllers/other_things_controller.rb +0 -5
  45. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -5
  46. data/fixtures/rails_3_2_12/app/models/.gitkeep +0 -0
  47. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +0 -11
  48. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +0 -2
  49. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +0 -1
  50. data/fixtures/rails_3_2_12/config/application.rb +0 -14
  51. data/fixtures/rails_3_2_12/config/boot.rb +0 -6
  52. data/fixtures/rails_3_2_12/config/environment.rb +0 -5
  53. data/fixtures/rails_3_2_12/config/environments/test.rb +0 -37
  54. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +0 -17
  55. data/fixtures/rails_3_2_12/config/routes.rb +0 -4
  56. data/fixtures/rails_3_2_12/config/script_hashes.yml +0 -5
  57. data/fixtures/rails_3_2_12/config.ru +0 -7
  58. data/fixtures/rails_3_2_12/lib/assets/.gitkeep +0 -0
  59. data/fixtures/rails_3_2_12/lib/tasks/.gitkeep +0 -0
  60. data/fixtures/rails_3_2_12/log/.gitkeep +0 -0
  61. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +0 -83
  62. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +0 -54
  63. data/fixtures/rails_3_2_12/spec/spec_helper.rb +0 -15
  64. data/fixtures/rails_3_2_12/vendor/assets/javascripts/.gitkeep +0 -0
  65. data/fixtures/rails_3_2_12/vendor/assets/stylesheets/.gitkeep +0 -0
  66. data/fixtures/rails_3_2_12/vendor/plugins/.gitkeep +0 -0
  67. data/fixtures/rails_3_2_12_no_init/.rspec +0 -1
  68. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -5
  69. data/fixtures/rails_3_2_12_no_init/README.rdoc +0 -261
  70. data/fixtures/rails_3_2_12_no_init/Rakefile +0 -7
  71. data/fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb +0 -4
  72. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +0 -20
  73. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +0 -5
  74. data/fixtures/rails_3_2_12_no_init/app/models/.gitkeep +0 -0
  75. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -12
  76. data/fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb +0 -1
  77. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -0
  78. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -17
  79. data/fixtures/rails_3_2_12_no_init/config/boot.rb +0 -6
  80. data/fixtures/rails_3_2_12_no_init/config/environment.rb +0 -5
  81. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +0 -37
  82. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -4
  83. data/fixtures/rails_3_2_12_no_init/config.ru +0 -4
  84. data/fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep +0 -0
  85. data/fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep +0 -0
  86. data/fixtures/rails_3_2_12_no_init/log/.gitkeep +0 -0
  87. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +0 -56
  88. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +0 -54
  89. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +0 -5
  90. data/fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep +0 -0
  91. data/fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep +0 -0
  92. data/fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep +0 -0
  93. data/fixtures/rails_4_1_8/Gemfile +0 -5
  94. data/fixtures/rails_4_1_8/README.rdoc +0 -28
  95. data/fixtures/rails_4_1_8/Rakefile +0 -6
  96. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +0 -4
  97. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  98. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +0 -5
  99. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +0 -5
  100. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  101. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  102. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +0 -11
  103. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +0 -2
  104. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +0 -1
  105. data/fixtures/rails_4_1_8/config/application.rb +0 -15
  106. data/fixtures/rails_4_1_8/config/boot.rb +0 -4
  107. data/fixtures/rails_4_1_8/config/environment.rb +0 -5
  108. data/fixtures/rails_4_1_8/config/environments/test.rb +0 -10
  109. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +0 -17
  110. data/fixtures/rails_4_1_8/config/routes.rb +0 -4
  111. data/fixtures/rails_4_1_8/config/script_hashes.yml +0 -5
  112. data/fixtures/rails_4_1_8/config/secrets.yml +0 -22
  113. data/fixtures/rails_4_1_8/config.ru +0 -4
  114. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  115. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  116. data/fixtures/rails_4_1_8/log/.keep +0 -0
  117. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +0 -83
  118. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +0 -59
  119. data/fixtures/rails_4_1_8/spec/spec_helper.rb +0 -15
  120. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  121. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  122. data/lib/secure_headers/hash_helper.rb +0 -7
  123. data/lib/secure_headers/header.rb +0 -5
  124. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +0 -22
  125. data/lib/secure_headers/version.rb +0 -3
  126. data/lib/tasks/tasks.rake +0 -48
  127. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +0 -47
@@ -1,54 +0,0 @@
1
- require 'spec_helper'
2
-
3
- # This controller is meant to be something that inherits config from application controller
4
- # all values are defaulted because no initializer is configured, and the values in app controller
5
- # only provide csp => false
6
-
7
- describe ThingsController, :type => :controller do
8
- describe "headers" do
9
- it "sets the X-XSS-Protection header" do
10
- get :index
11
- expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
12
- end
13
-
14
- it "sets the X-Frame-Options header" do
15
- get :index
16
- expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
17
- end
18
-
19
- it "sets the X-WebKit-CSP header" do
20
- get :index
21
- expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
22
- end
23
-
24
- #mock ssl
25
- it "sets the Strict-Transport-Security header" do
26
- request.env['HTTPS'] = 'on'
27
- get :index
28
- expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
29
- end
30
-
31
- it "sets the X-Download-Options header" do
32
- get :index
33
- expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
34
- end
35
-
36
- it "sets the X-Content-Type-Options header" do
37
- get :index
38
- expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
39
- end
40
-
41
- it "sets the X-Permitted-Cross-Domain-Policies" do
42
- get :index
43
- expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
44
- end
45
-
46
- context "using IE" do
47
- it "sets the X-Content-Type-Options header" do
48
- request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
49
- get :index
50
- expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
51
- end
52
- end
53
- end
54
- end
@@ -1,5 +0,0 @@
1
- require 'rubygems'
2
-
3
- ENV["RAILS_ENV"] ||= 'test'
4
- require File.expand_path("../../config/environment", __FILE__)
5
- require 'rspec/rails'
@@ -1,5 +0,0 @@
1
- source 'https://rubygems.org'
2
-
3
- gem 'rails', '4.1.8'
4
- gem 'rspec-rails', '>= 2.0.0'
5
- gem 'secure_headers', :path => '../..'
@@ -1,28 +0,0 @@
1
- == README
2
-
3
- This README would normally document whatever steps are necessary to get the
4
- application up and running.
5
-
6
- Things you may want to cover:
7
-
8
- * Ruby version
9
-
10
- * System dependencies
11
-
12
- * Configuration
13
-
14
- * Database creation
15
-
16
- * Database initialization
17
-
18
- * How to run the test suite
19
-
20
- * Services (job queues, cache servers, search engines, etc.)
21
-
22
- * Deployment instructions
23
-
24
- * ...
25
-
26
-
27
- Please feel free to use a different markup language if you do not plan to run
28
- <tt>rake doc:app</tt>.
@@ -1,6 +0,0 @@
1
- # Add your own tasks in files placed in lib/tasks ending in .rake,
2
- # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
3
-
4
- require File.expand_path('../config/application', __FILE__)
5
-
6
- Rails.application.load_tasks
@@ -1,4 +0,0 @@
1
- class ApplicationController < ActionController::Base
2
- protect_from_forgery
3
- ensure_security_headers
4
- end
File without changes
@@ -1,5 +0,0 @@
1
- class OtherThingsController < ApplicationController
2
- def index
3
-
4
- end
5
- end
@@ -1,5 +0,0 @@
1
- class ThingsController < ApplicationController
2
- ensure_security_headers :csp => false
3
- def index
4
- end
5
- end
File without changes
File without changes
@@ -1,11 +0,0 @@
1
- <!DOCTYPE html>
2
- <html>
3
- <head>
4
- <title>Rails418</title>
5
- </head>
6
- <body>
7
-
8
- <%= yield %>
9
- <script>console.log("oh hell yes")</script>
10
- </body>
11
- </html>
@@ -1,2 +0,0 @@
1
- index
2
- <script>console.log("oh what")</script>
@@ -1,15 +0,0 @@
1
- require File.expand_path('../boot', __FILE__)
2
-
3
- require "action_controller/railtie"
4
- require "sprockets/railtie"
5
-
6
- # Require the gems listed in Gemfile, including any gems
7
- # you've limited to :test, :development, or :production.
8
- Bundler.require(*Rails.groups)
9
-
10
-
11
- module Rails418
12
- class Application < Rails::Application
13
-
14
- end
15
- end
@@ -1,4 +0,0 @@
1
- # Set up gems listed in the Gemfile.
2
- ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
3
-
4
- require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
@@ -1,5 +0,0 @@
1
- # Load the Rails application.
2
- require File.expand_path('../application', __FILE__)
3
-
4
- # Initialize the Rails application.
5
- Rails.application.initialize!
@@ -1,10 +0,0 @@
1
- Rails418::Application.configure do
2
- config.cache_classes = true
3
- config.eager_load = false
4
- config.serve_static_assets = true
5
- config.static_cache_control = 'public, max-age=3600'
6
- config.consider_all_requests_local = true
7
- config.action_controller.perform_caching = false
8
- config.action_dispatch.show_exceptions = false
9
- config.action_controller.allow_forgery_protection = false
10
- end
@@ -1,17 +0,0 @@
1
- ::SecureHeaders::Configuration.configure do |config|
2
- config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
3
- config.x_frame_options = 'DENY'
4
- config.x_content_type_options = "nosniff"
5
- config.x_xss_protection = {:value => 0}
6
- config.x_permitted_cross_domain_policies = 'none'
7
- csp = {
8
- :default_src => "self",
9
- :script_src => "self nonce",
10
- :disable_fill_missing => true,
11
- :report_uri => 'somewhere',
12
- :script_hash_middleware => true,
13
- :enforce => false # false means warnings only
14
- }
15
-
16
- config.csp = csp
17
- end
@@ -1,4 +0,0 @@
1
- Rails.application.routes.draw do
2
- resources :things
3
- match ':controller(/:action(/:id))(.:format)', :via => [:get, :post]
4
- end
@@ -1,5 +0,0 @@
1
- ---
2
- app/views/layouts/application.html.erb:
3
- - sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
4
- app/views/other_things/index.html.erb:
5
- - sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=
@@ -1,22 +0,0 @@
1
- # Be sure to restart your server when you modify this file.
2
-
3
- # Your secret key is used for verifying the integrity of signed cookies.
4
- # If you change this key, all old signed cookies will become invalid!
5
-
6
- # Make sure the secret is at least 30 characters and all random,
7
- # no regular words or you'll be exposed to dictionary attacks.
8
- # You can use `rake secret` to generate a secure secret key.
9
-
10
- # Make sure the secrets in this file are kept private
11
- # if you're sharing your code publicly.
12
-
13
- development:
14
- secret_key_base: ddba38f932720d8f18257f2a05dc278963a29cf569c45aa97ff4e9fc9bbc78af5a03fcf135caad45caee66ac09f8f9913c1f5e338a61213f420eefa8dd6363d2
15
-
16
- test:
17
- secret_key_base: f73abd7eab84fa7af5a2fc0a9c2727c5bad47433e51aa0c9c6b0782dac176a8e7f337e1f93adc6d6fc17027e67a533040b6408e54d72dea2eec6e5b9820dbcb9
18
-
19
- # Do not keep production secrets in the repository,
20
- # instead read values from the environment.
21
- production:
22
- secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
@@ -1,4 +0,0 @@
1
- # This file is used by Rack-based servers to start the application.
2
-
3
- require ::File.expand_path('../config/environment', __FILE__)
4
- run Rails.application
File without changes
File without changes
File without changes
@@ -1,83 +0,0 @@
1
- require 'spec_helper'
2
-
3
- require 'secure_headers/headers/content_security_policy/script_hash_middleware'
4
-
5
- describe OtherThingsController, :type => :controller do
6
- include Rack::Test::Methods
7
-
8
- def app
9
- OtherThingsController.action(:index)
10
- end
11
-
12
- def request(opts = {})
13
- options = opts.merge(
14
- {
15
- 'HTTPS' => 'on',
16
- 'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
17
- }
18
- )
19
-
20
-
21
- Rack::MockRequest.env_for('/', options)
22
- end
23
-
24
-
25
- describe "headers" do
26
- before(:each) do
27
- _, @env = app.call(request)
28
- end
29
-
30
- it "sets the X-XSS-Protection header" do
31
- get '/'
32
- expect(@env['X-XSS-Protection']).to eq('0')
33
- end
34
-
35
- it "sets the X-Frame-Options header" do
36
- get '/'
37
- expect(@env['X-Frame-Options']).to eq('DENY')
38
- end
39
-
40
- it "sets the CSP header with a local reference to a nonce" do
41
- middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
42
- _, env = middleware.call(request(@env))
43
- expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
44
- end
45
-
46
- it "sets the required hashes to whitelist inline script" do
47
- middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
48
- _, env = middleware.call(request(@env))
49
- hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
50
- hashes.each do |hash|
51
- expect(env['Content-Security-Policy-Report-Only']).to include(hash)
52
- end
53
- end
54
-
55
- it "sets the Strict-Transport-Security header" do
56
- get '/'
57
- expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
58
- end
59
-
60
- it "sets the X-Download-Options header" do
61
- get '/'
62
- expect(@env['X-Download-Options']).to eq('noopen')
63
- end
64
-
65
- it "sets the X-Content-Type-Options header" do
66
- get '/'
67
- expect(@env['X-Content-Type-Options']).to eq("nosniff")
68
- end
69
-
70
- it "sets the X-Permitted-Cross-Domain-Policies" do
71
- get '/'
72
- expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
73
- end
74
-
75
- context "using IE" do
76
- it "sets the X-Content-Type-Options header" do
77
- @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
78
- get '/'
79
- expect(@env['X-Content-Type-Options']).to eq("nosniff")
80
- end
81
- end
82
- end
83
- end
@@ -1,59 +0,0 @@
1
- # config.action_dispatch.default_headers defaults to:
2
- # {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"}
3
- # so we want to set our specs to expect something else to ensure secureheaders is taking precedence
4
-
5
- require 'spec_helper'
6
-
7
- # This controller is meant to be something that inherits config from application controller
8
- # all values are defaulted because no initializer is configured, and the values in app controller
9
- # only provide csp => false
10
-
11
- describe ThingsController, :type => :controller do
12
-
13
- describe "headers" do
14
- it "sets the X-XSS-Protection header" do
15
- get :index
16
- expect(response.headers['X-XSS-Protection']).to eq('0')
17
- end
18
-
19
- it "sets the X-Frame-Options header" do
20
- get :index
21
- expect(response.headers['X-Frame-Options']).to eq('DENY')
22
- end
23
-
24
- it "does not set CSP header" do
25
- get :index
26
- expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
27
- end
28
-
29
- #mock ssl
30
- it "sets the Strict-Transport-Security header" do
31
- request.env['HTTPS'] = 'on'
32
- get :index
33
- expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
34
- end
35
-
36
- it "sets the X-Download-Options header" do
37
- get :index
38
- expect(response.headers['X-Download-Options']).to eq('noopen')
39
- end
40
-
41
- it "sets the X-Content-Type-Options header" do
42
- get :index
43
- expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
44
- end
45
-
46
- it "sets the X-Permitted-Cross-Domain-Policies" do
47
- get :index
48
- expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
49
- end
50
-
51
- context "using IE" do
52
- it "sets the X-Content-Type-Options header" do
53
- request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
54
- get :index
55
- expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
56
- end
57
- end
58
- end
59
- end
@@ -1,15 +0,0 @@
1
- require 'rubygems'
2
-
3
- #uncomment the following line to use spork with the debugger
4
- #require 'spork/ext/ruby-debug'
5
-
6
- # Spork.prefork do
7
- # Loading more in this block will cause your tests to run faster. However,
8
- # if you change any configuration or code from libraries loaded here, you'll
9
- # need to restart spork for it take effect.
10
- # This file is copied to spec/ when you run 'rails generate rspec:install'
11
- ENV["RAILS_ENV"] ||= 'test'
12
- require File.expand_path("../../config/environment", __FILE__)
13
- require 'rspec/rails'
14
- # end
15
-
File without changes
File without changes
@@ -1,7 +0,0 @@
1
- module SecureHeaders
2
- module HashHelper
3
- def hash_source(inline_script, digest = :SHA256)
4
- [digest.to_s.downcase, "-", [[Digest.const_get(digest).hexdigest(inline_script)].pack("H*")].pack("m").chomp].join
5
- end
6
- end
7
- end
@@ -1,5 +0,0 @@
1
- module SecureHeaders
2
- class Header
3
-
4
- end
5
- end
@@ -1,22 +0,0 @@
1
- module SecureHeaders
2
- class ContentSecurityPolicy
3
- class ScriptHashMiddleware
4
- def initialize(app)
5
- @app = app
6
- end
7
-
8
- def call(env)
9
- status, headers, response = @app.call(env)
10
- metadata = env[ContentSecurityPolicy::ENV_KEY]
11
- if !metadata.nil?
12
- config, options = metadata.values_at(:config, :options)
13
- config.merge!(:script_hashes => env[HASHES_ENV_KEY])
14
- csp_header = ContentSecurityPolicy.new(config, options)
15
- headers[csp_header.name] = csp_header.value
16
- end
17
-
18
- [status, headers, response]
19
- end
20
- end
21
- end
22
- end
@@ -1,3 +0,0 @@
1
- module SecureHeaders
2
- VERSION = "2.2.4"
3
- end
data/lib/tasks/tasks.rake DELETED
@@ -1,48 +0,0 @@
1
- INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx
2
- INLINE_HASH_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
3
- SCRIPT_HASH_CONFIG_FILE = 'config/script_hashes.yml'
4
-
5
- namespace :secure_headers do
6
- include SecureHeaders::HashHelper
7
-
8
- def is_erb?(filename)
9
- filename =~ /\.erb\Z/
10
- end
11
-
12
- def generate_inline_script_hashes(filename)
13
- file = File.read(filename)
14
- hashes = []
15
-
16
- [INLINE_SCRIPT_REGEX, INLINE_HASH_HELPER_REGEX].each do |regex|
17
- file.gsub(regex) do # TODO don't use gsub
18
- inline_script = Regexp.last_match.captures.last
19
- if (filename =~ /\.mustache\Z/ && inline_script =~ /\{\{.*\}\}/) || (is_erb?(filename) && inline_script =~ /<%.*%>/)
20
- puts "Looks like there's some dynamic content inside of a script tag :-/"
21
- puts "That pretty much means the hash value will never match."
22
- puts "Code: " + inline_script
23
- puts "=" * 20
24
- end
25
-
26
- hashes << hash_source(inline_script)
27
- end
28
- end
29
-
30
- hashes
31
- end
32
-
33
- task :generate_hashes do |t, args|
34
- script_hashes = {}
35
- Dir.glob("app/{views,templates}/**/*.{erb,mustache}") do |filename|
36
- hashes = generate_inline_script_hashes(filename)
37
- if hashes.any?
38
- script_hashes[filename] = hashes
39
- end
40
- end
41
-
42
- File.open(SCRIPT_HASH_CONFIG_FILE, 'w') do |file|
43
- file.write(script_hashes.to_yaml)
44
- end
45
-
46
- puts "Script hashes from " + script_hashes.keys.size.to_s + " files added to #{SCRIPT_HASH_CONFIG_FILE}"
47
- end
48
- end
@@ -1,47 +0,0 @@
1
- require 'spec_helper'
2
- require 'secure_headers/headers/content_security_policy/script_hash_middleware'
3
-
4
- module SecureHeaders
5
- describe ContentSecurityPolicy::ScriptHashMiddleware do
6
-
7
- let(:app) { double(:call => [200, headers, '']) }
8
- let(:env) { double }
9
- let(:headers) { double }
10
-
11
- let(:default_config) do
12
- {
13
- :disable_fill_missing => true,
14
- :default_src => 'https://*',
15
- :report_uri => '/csp_report',
16
- :script_src => 'inline eval https://* data:',
17
- :style_src => "inline https://* about:"
18
- }
19
- end
20
-
21
- def should_assign_header name, value
22
- expect(headers).to receive(:[]=).with(name, value)
23
- end
24
-
25
- def call_middleware(hashes = [])
26
- options = {
27
- :ua => USER_AGENTS[:chrome]
28
- }
29
- expect(env).to receive(:[]).with(HASHES_ENV_KEY).and_return(hashes)
30
- expect(env).to receive(:[]).with(ENV_KEY).and_return(
31
- :config => default_config,
32
- :options => options
33
- )
34
- ContentSecurityPolicy::ScriptHashMiddleware.new(app).call(env)
35
- end
36
-
37
- it "adds hashes stored in env to the header" do
38
- should_assign_header(HEADER_NAME + "-Report-Only", /script-src[^;]*'sha256-/)
39
- call_middleware(['sha256-abc123'])
40
- end
41
-
42
- it "leaves things alone when no hashes are saved to env" do
43
- should_assign_header(HEADER_NAME + "-Report-Only", /script-src[^;]*(?!'sha256-)/)
44
- call_middleware()
45
- end
46
- end
47
- end