secure_headers 2.5.3 → 3.0.0.pre
- checksums.yaml +4 -4
- data/.rspec +1 -0
- data/.travis.yml +2 -1
- data/Gemfile +9 -16
- data/README.md +154 -331
- data/Rakefile +2 -36
- data/lib/secure_headers/configuration.rb +189 -0
- data/lib/secure_headers/headers/content_security_policy.rb +341 -254
- data/lib/secure_headers/headers/public_key_pins.rb +43 -58
- data/lib/secure_headers/headers/strict_transport_security.rb +21 -49
- data/lib/secure_headers/headers/x_content_type_options.rb +18 -33
- data/lib/secure_headers/headers/x_download_options.rb +18 -33
- data/lib/secure_headers/headers/x_frame_options.rb +24 -34
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +19 -34
- data/lib/secure_headers/headers/x_xss_protection.rb +17 -48
- data/lib/secure_headers/middleware.rb +15 -0
- data/lib/secure_headers/padrino.rb +1 -2
- data/lib/secure_headers/railtie.rb +9 -6
- data/lib/secure_headers/view_helper.rb +27 -43
- data/lib/secure_headers.rb +254 -61
- data/secure_headers.gemspec +7 -12
- data/spec/lib/secure_headers/configuration_spec.rb +80 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +111 -276
- data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +17 -17
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +11 -43
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +11 -18
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +13 -17
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +15 -17
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +22 -39
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -30
- data/spec/lib/secure_headers/middleware_spec.rb +40 -0
- data/spec/lib/secure_headers_spec.rb +201 -339
- data/spec/spec_helper.rb +30 -30
- data/upgrading-to-3-0.md +35 -0
- metadata +14 -100
- data/fixtures/rails_3_2_22/.rspec +0 -1
- data/fixtures/rails_3_2_22/Gemfile +0 -6
- data/fixtures/rails_3_2_22/README.rdoc +0 -261
- data/fixtures/rails_3_2_22/Rakefile +0 -7
- data/fixtures/rails_3_2_22/app/controllers/application_controller.rb +0 -4
- data/fixtures/rails_3_2_22/app/controllers/other_things_controller.rb +0 -5
- data/fixtures/rails_3_2_22/app/controllers/things_controller.rb +0 -5
- data/fixtures/rails_3_2_22/app/models/.gitkeep +0 -0
- data/fixtures/rails_3_2_22/app/views/layouts/application.html.erb +0 -11
- data/fixtures/rails_3_2_22/app/views/other_things/index.html.erb +0 -2
- data/fixtures/rails_3_2_22/app/views/things/index.html.erb +0 -1
- data/fixtures/rails_3_2_22/config/application.rb +0 -14
- data/fixtures/rails_3_2_22/config/boot.rb +0 -6
- data/fixtures/rails_3_2_22/config/environment.rb +0 -5
- data/fixtures/rails_3_2_22/config/environments/test.rb +0 -37
- data/fixtures/rails_3_2_22/config/initializers/secure_headers.rb +0 -16
- data/fixtures/rails_3_2_22/config/routes.rb +0 -4
- data/fixtures/rails_3_2_22/config/script_hashes.yml +0 -5
- data/fixtures/rails_3_2_22/config.ru +0 -7
- data/fixtures/rails_3_2_22/lib/assets/.gitkeep +0 -0
- data/fixtures/rails_3_2_22/lib/tasks/.gitkeep +0 -0
- data/fixtures/rails_3_2_22/log/.gitkeep +0 -0
- data/fixtures/rails_3_2_22/spec/controllers/other_things_controller_spec.rb +0 -83
- data/fixtures/rails_3_2_22/spec/controllers/things_controller_spec.rb +0 -54
- data/fixtures/rails_3_2_22/spec/spec_helper.rb +0 -15
- data/fixtures/rails_3_2_22/vendor/assets/javascripts/.gitkeep +0 -0
- data/fixtures/rails_3_2_22/vendor/assets/stylesheets/.gitkeep +0 -0
- data/fixtures/rails_3_2_22/vendor/plugins/.gitkeep +0 -0
- data/fixtures/rails_3_2_22_no_init/.rspec +0 -1
- data/fixtures/rails_3_2_22_no_init/Gemfile +0 -6
- data/fixtures/rails_3_2_22_no_init/README.rdoc +0 -261
- data/fixtures/rails_3_2_22_no_init/Rakefile +0 -7
- data/fixtures/rails_3_2_22_no_init/app/controllers/application_controller.rb +0 -4
- data/fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb +0 -20
- data/fixtures/rails_3_2_22_no_init/app/controllers/things_controller.rb +0 -5
- data/fixtures/rails_3_2_22_no_init/app/models/.gitkeep +0 -0
- data/fixtures/rails_3_2_22_no_init/app/views/layouts/application.html.erb +0 -12
- data/fixtures/rails_3_2_22_no_init/app/views/other_things/index.html.erb +0 -1
- data/fixtures/rails_3_2_22_no_init/app/views/things/index.html.erb +0 -0
- data/fixtures/rails_3_2_22_no_init/config/application.rb +0 -17
- data/fixtures/rails_3_2_22_no_init/config/boot.rb +0 -6
- data/fixtures/rails_3_2_22_no_init/config/environment.rb +0 -5
- data/fixtures/rails_3_2_22_no_init/config/environments/test.rb +0 -37
- data/fixtures/rails_3_2_22_no_init/config/routes.rb +0 -4
- data/fixtures/rails_3_2_22_no_init/config.ru +0 -4
- data/fixtures/rails_3_2_22_no_init/lib/assets/.gitkeep +0 -0
- data/fixtures/rails_3_2_22_no_init/lib/tasks/.gitkeep +0 -0
- data/fixtures/rails_3_2_22_no_init/log/.gitkeep +0 -0
- data/fixtures/rails_3_2_22_no_init/spec/controllers/other_things_controller_spec.rb +0 -56
- data/fixtures/rails_3_2_22_no_init/spec/controllers/things_controller_spec.rb +0 -54
- data/fixtures/rails_3_2_22_no_init/spec/spec_helper.rb +0 -5
- data/fixtures/rails_3_2_22_no_init/vendor/assets/javascripts/.gitkeep +0 -0
- data/fixtures/rails_3_2_22_no_init/vendor/assets/stylesheets/.gitkeep +0 -0
- data/fixtures/rails_3_2_22_no_init/vendor/plugins/.gitkeep +0 -0
- data/fixtures/rails_4_1_8/Gemfile +0 -5
- data/fixtures/rails_4_1_8/README.rdoc +0 -28
- data/fixtures/rails_4_1_8/Rakefile +0 -6
- data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +0 -4
- data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +0 -5
- data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +0 -5
- data/fixtures/rails_4_1_8/app/models/.keep +0 -0
- data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +0 -11
- data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +0 -2
- data/fixtures/rails_4_1_8/app/views/things/index.html.erb +0 -1
- data/fixtures/rails_4_1_8/config/application.rb +0 -15
- data/fixtures/rails_4_1_8/config/boot.rb +0 -4
- data/fixtures/rails_4_1_8/config/environment.rb +0 -5
- data/fixtures/rails_4_1_8/config/environments/test.rb +0 -10
- data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +0 -16
- data/fixtures/rails_4_1_8/config/routes.rb +0 -4
- data/fixtures/rails_4_1_8/config/script_hashes.yml +0 -5
- data/fixtures/rails_4_1_8/config/secrets.yml +0 -22
- data/fixtures/rails_4_1_8/config.ru +0 -4
- data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
- data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
- data/fixtures/rails_4_1_8/log/.keep +0 -0
- data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +0 -83
- data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +0 -59
- data/fixtures/rails_4_1_8/spec/spec_helper.rb +0 -15
- data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
- data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
- data/lib/secure_headers/controller_extension.rb +0 -158
- data/lib/secure_headers/hash_helper.rb +0 -7
- data/lib/secure_headers/header.rb +0 -5
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +0 -22
- data/lib/secure_headers/version.rb +0 -3
- data/lib/tasks/tasks.rake +0 -48
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +0 -46
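--- a/data/upgrading-to-3-0.md
+++ b/data/upgrading-to-3-0.md
@@ -0,0 +1,35 @@
+`secure_headers` 3.0 is a near-complete rewrite. It includes breaking changes and removes a lot of features that were either leftover from the days when the CSP standard was not fully adopted or were just downright confusing.
+
+Changes
+==
+
+| What | < = 2.x | >= 3.0 |
+|----------------------------------|----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Global configuration | `SecureHeaders::Configuration.configure` block | `SecureHeaders::Configuration.default` block |
+| All headers besides HPKP and CSP | Accept hashes as config values | Must be strings (validated during configuration) |
+| CSP directive values | Accepted space delimited strings OR arrays of strings | Must be arrays of strings |
+| `self`/`none` source expressions | could be `self` / `none` / `'self'` / `'none'` | Must be `'self'` or `'none'` |
+| `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
+| Per-action configuration | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
+
+Migrating to 3.x from <= 2.x
+==
+
+1. Convert all headers except for CSP/HPKP using hashes to string values. The values are validated at runtime and will provide guidance on misconfigured headers.
+1. Convert all instances of `self`/`none`/`eval`/`inline` to the corresponding values in the above table.
+1. Convert all CSP space-delimited directives to an array of strings.
+
+Everything is terrible, why should I upgrade?
+==
+
+`secure_headers` <= 2.x built every header per request using a series of automatically included `before_filters`. This is horribly inefficient because:
+
+1. `before_filters` are slow and adding 8 per request isn't great
+1. We are rebuilding strings that may never change for every request
+1. Errors in the request may mean that the headers never get set in the first place
+
+`secure_headers` 3.x sets headers in rack middleware that runs once per request and uses configuration values passed via `request.env`. This is much more efficient and somewhat guarantees that headers will always be set. **The values for the headers are cached and reused per request**.
+
+Also, there is a more flexible API for customizing content security policies / X-Frame-Options. In practice, none of the other headers need granular controls. One way of customizing headers per request is to use the helper methods. The only downside of this technique is that headers will be computed from scratch.
+
+See the [README](README.md) for more information.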
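--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version:
+version: 3.0.0.pre
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2015-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -25,7 +25,7 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
-name:
+name: useragent
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -46,6 +46,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rspec"
 - ".ruby-gemset"
 - ".ruby-version"
 - ".travis.yml"
@@ -54,95 +55,9 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- fixtures/rails_3_2_22/.rspec
-- fixtures/rails_3_2_22/Gemfile
-- fixtures/rails_3_2_22/README.rdoc
-- fixtures/rails_3_2_22/Rakefile
-- fixtures/rails_3_2_22/app/controllers/application_controller.rb
-- fixtures/rails_3_2_22/app/controllers/other_things_controller.rb
-- fixtures/rails_3_2_22/app/controllers/things_controller.rb
-- fixtures/rails_3_2_22/app/models/.gitkeep
-- fixtures/rails_3_2_22/app/views/layouts/application.html.erb
-- fixtures/rails_3_2_22/app/views/other_things/index.html.erb
-- fixtures/rails_3_2_22/app/views/things/index.html.erb
-- fixtures/rails_3_2_22/config.ru
-- fixtures/rails_3_2_22/config/application.rb
-- fixtures/rails_3_2_22/config/boot.rb
-- fixtures/rails_3_2_22/config/environment.rb
-- fixtures/rails_3_2_22/config/environments/test.rb
-- fixtures/rails_3_2_22/config/initializers/secure_headers.rb
-- fixtures/rails_3_2_22/config/routes.rb
-- fixtures/rails_3_2_22/config/script_hashes.yml
-- fixtures/rails_3_2_22/lib/assets/.gitkeep
-- fixtures/rails_3_2_22/lib/tasks/.gitkeep
-- fixtures/rails_3_2_22/log/.gitkeep
-- fixtures/rails_3_2_22/spec/controllers/other_things_controller_spec.rb
-- fixtures/rails_3_2_22/spec/controllers/things_controller_spec.rb
-- fixtures/rails_3_2_22/spec/spec_helper.rb
-- fixtures/rails_3_2_22/vendor/assets/javascripts/.gitkeep
-- fixtures/rails_3_2_22/vendor/assets/stylesheets/.gitkeep
-- fixtures/rails_3_2_22/vendor/plugins/.gitkeep
-- fixtures/rails_3_2_22_no_init/.rspec
-- fixtures/rails_3_2_22_no_init/Gemfile
-- fixtures/rails_3_2_22_no_init/README.rdoc
-- fixtures/rails_3_2_22_no_init/Rakefile
-- fixtures/rails_3_2_22_no_init/app/controllers/application_controller.rb
-- fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb
-- fixtures/rails_3_2_22_no_init/app/controllers/things_controller.rb
-- fixtures/rails_3_2_22_no_init/app/models/.gitkeep
-- fixtures/rails_3_2_22_no_init/app/views/layouts/application.html.erb
-- fixtures/rails_3_2_22_no_init/app/views/other_things/index.html.erb
-- fixtures/rails_3_2_22_no_init/app/views/things/index.html.erb
-- fixtures/rails_3_2_22_no_init/config.ru
-- fixtures/rails_3_2_22_no_init/config/application.rb
-- fixtures/rails_3_2_22_no_init/config/boot.rb
-- fixtures/rails_3_2_22_no_init/config/environment.rb
-- fixtures/rails_3_2_22_no_init/config/environments/test.rb
-- fixtures/rails_3_2_22_no_init/config/routes.rb
-- fixtures/rails_3_2_22_no_init/lib/assets/.gitkeep
-- fixtures/rails_3_2_22_no_init/lib/tasks/.gitkeep
-- fixtures/rails_3_2_22_no_init/log/.gitkeep
-- fixtures/rails_3_2_22_no_init/spec/controllers/other_things_controller_spec.rb
-- fixtures/rails_3_2_22_no_init/spec/controllers/things_controller_spec.rb
-- fixtures/rails_3_2_22_no_init/spec/spec_helper.rb
-- fixtures/rails_3_2_22_no_init/vendor/assets/javascripts/.gitkeep
-- fixtures/rails_3_2_22_no_init/vendor/assets/stylesheets/.gitkeep
-- fixtures/rails_3_2_22_no_init/vendor/plugins/.gitkeep
-- fixtures/rails_4_1_8/Gemfile
-- fixtures/rails_4_1_8/README.rdoc
-- fixtures/rails_4_1_8/Rakefile
-- fixtures/rails_4_1_8/app/controllers/application_controller.rb
-- fixtures/rails_4_1_8/app/controllers/concerns/.keep
-- fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
-- fixtures/rails_4_1_8/app/controllers/things_controller.rb
-- fixtures/rails_4_1_8/app/models/.keep
-- fixtures/rails_4_1_8/app/models/concerns/.keep
-- fixtures/rails_4_1_8/app/views/layouts/application.html.erb
-- fixtures/rails_4_1_8/app/views/other_things/index.html.erb
-- fixtures/rails_4_1_8/app/views/things/index.html.erb
-- fixtures/rails_4_1_8/config.ru
-- fixtures/rails_4_1_8/config/application.rb
-- fixtures/rails_4_1_8/config/boot.rb
-- fixtures/rails_4_1_8/config/environment.rb
-- fixtures/rails_4_1_8/config/environments/test.rb
-- fixtures/rails_4_1_8/config/initializers/secure_headers.rb
-- fixtures/rails_4_1_8/config/routes.rb
-- fixtures/rails_4_1_8/config/script_hashes.yml
-- fixtures/rails_4_1_8/config/secrets.yml
-- fixtures/rails_4_1_8/lib/assets/.keep
-- fixtures/rails_4_1_8/lib/tasks/.keep
-- fixtures/rails_4_1_8/log/.keep
-- fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
-- fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
-- fixtures/rails_4_1_8/spec/spec_helper.rb
-- fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
-- fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
 - lib/secure_headers.rb
-- lib/secure_headers/
-- lib/secure_headers/hash_helper.rb
-- lib/secure_headers/header.rb
+- lib/secure_headers/configuration.rb
 - lib/secure_headers/headers/content_security_policy.rb
-- lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
 - lib/secure_headers/headers/public_key_pins.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
@@ -150,13 +65,12 @@ files:
 - lib/secure_headers/headers/x_frame_options.rb
 - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
 - lib/secure_headers/headers/x_xss_protection.rb
+- lib/secure_headers/middleware.rb
 - lib/secure_headers/padrino.rb
 - lib/secure_headers/railtie.rb
-- lib/secure_headers/version.rb
 - lib/secure_headers/view_helper.rb
-- lib/tasks/tasks.rake
 - secure_headers.gemspec
-- spec/lib/secure_headers/
+- spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -165,17 +79,16 @@ files:
 - spec/lib/secure_headers/headers/x_frame_options_spec.rb
 - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
 - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
+- spec/lib/secure_headers/middleware_spec.rb
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb
 - travis.sh
+- upgrading-to-3-0.md
 homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message:
-It will be maintained, but new features will be added to the 3.x branch. A lot has
-changed in secure_headers 3.x. A migration guide can be found in the documentation:
-https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -186,9 +99,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">"
 - !ruby/object:Gem::Version
-version:
+version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.4.5.1
@@ -197,7 +110,7 @@ specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,
 x-frame-options, strict-transport-security, etc.
 test_files:
-- spec/lib/secure_headers/
+- spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -206,5 +119,6 @@ test_files:
 - spec/lib/secure_headers/headers/x_frame_options_spec.rb
 - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
 - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
+- spec/lib/secure_headers/middleware_spec.rb
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb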
@@ -1 +0,0 @@
|
|
1
|
-
--color --format progress
|
@@ -1,261 +0,0 @@
|
|
1
|
-
== Welcome to Rails
|
2
|
-
|
3
|
-
Rails is a web-application framework that includes everything needed to create
|
4
|
-
database-backed web applications according to the Model-View-Control pattern.
|
5
|
-
|
6
|
-
This pattern splits the view (also called the presentation) into "dumb"
|
7
|
-
templates that are primarily responsible for inserting pre-built data in between
|
8
|
-
HTML tags. The model contains the "smart" domain objects (such as Account,
|
9
|
-
Product, Person, Post) that holds all the business logic and knows how to
|
10
|
-
persist themselves to a database. The controller handles the incoming requests
|
11
|
-
(such as Save New Account, Update Product, Show Post) by manipulating the model
|
12
|
-
and directing data to the view.
|
13
|
-
|
14
|
-
In Rails, the model is handled by what's called an object-relational mapping
|
15
|
-
layer entitled Active Record. This layer allows you to present the data from
|
16
|
-
database rows as objects and embellish these data objects with business logic
|
17
|
-
methods. You can read more about Active Record in
|
18
|
-
link:files/vendor/rails/activerecord/README.html.
|
19
|
-
|
20
|
-
The controller and view are handled by the Action Pack, which handles both
|
21
|
-
layers by its two parts: Action View and Action Controller. These two layers
|
22
|
-
are bundled in a single package due to their heavy interdependence. This is
|
23
|
-
unlike the relationship between the Active Record and Action Pack that is much
|
24
|
-
more separate. Each of these packages can be used independently outside of
|
25
|
-
Rails. You can read more about Action Pack in
|
26
|
-
link:files/vendor/rails/actionpack/README.html.
|
27
|
-
|
28
|
-
|
29
|
-
== Getting Started
|
30
|
-
|
31
|
-
1. At the command prompt, create a new Rails application:
|
32
|
-
<tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
|
33
|
-
|
34
|
-
2. Change directory to <tt>myapp</tt> and start the web server:
|
35
|
-
<tt>cd myapp; rails server</tt> (run with --help for options)
|
36
|
-
|
37
|
-
3. Go to http://localhost:3000/ and you'll see:
|
38
|
-
"Welcome aboard: You're riding Ruby on Rails!"
|
39
|
-
|
40
|
-
4. Follow the guidelines to start developing your application. You can find
|
41
|
-
the following resources handy:
|
42
|
-
|
43
|
-
* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
|
44
|
-
* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
|
45
|
-
|
46
|
-
|
47
|
-
== Debugging Rails
|
48
|
-
|
49
|
-
Sometimes your application goes wrong. Fortunately there are a lot of tools that
|
50
|
-
will help you debug it and get it back on the rails.
|
51
|
-
|
52
|
-
First area to check is the application log files. Have "tail -f" commands
|
53
|
-
running on the server.log and development.log. Rails will automatically display
|
54
|
-
debugging and runtime information to these files. Debugging info will also be
|
55
|
-
shown in the browser on requests from 127.0.0.1.
|
56
|
-
|
57
|
-
You can also log your own messages directly into the log file from your code
|
58
|
-
using the Ruby logger class from inside your controllers. Example:
|
59
|
-
|
60
|
-
class WeblogController < ActionController::Base
|
61
|
-
def destroy
|
62
|
-
@weblog = Weblog.find(params[:id])
|
63
|
-
@weblog.destroy
|
64
|
-
logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
|
65
|
-
end
|
66
|
-
end
|
67
|
-
|
68
|
-
The result will be a message in your log file along the lines of:
|
69
|
-
|
70
|
-
Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
|
71
|
-
|
72
|
-
More information on how to use the logger is at http://www.ruby-doc.org/core/
|
73
|
-
|
74
|
-
Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
|
75
|
-
several books available online as well:
|
76
|
-
|
77
|
-
* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
|
78
|
-
* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
|
79
|
-
|
80
|
-
These two books will bring you up to speed on the Ruby language and also on
|
81
|
-
programming in general.
|
82
|
-
|
83
|
-
|
84
|
-
== Debugger
|
85
|
-
|
86
|
-
Debugger support is available through the debugger command when you start your
|
87
|
-
Mongrel or WEBrick server with --debugger. This means that you can break out of
|
88
|
-
execution at any point in the code, investigate and change the model, and then,
|
89
|
-
resume execution! You need to install ruby-debug to run the server in debugging
|
90
|
-
mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
|
91
|
-
|
92
|
-
class WeblogController < ActionController::Base
|
93
|
-
def index
|
94
|
-
@posts = Post.all
|
95
|
-
debugger
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
So the controller will accept the action, run the first line, then present you
|
100
|
-
with a IRB prompt in the server window. Here you can do things like:
|
101
|
-
|
102
|
-
>> @posts.inspect
|
103
|
-
=> "[#<Post:0x14a6be8
|
104
|
-
@attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
|
105
|
-
#<Post:0x14a6620
|
106
|
-
@attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
|
107
|
-
>> @posts.first.title = "hello from a debugger"
|
108
|
-
=> "hello from a debugger"
|
109
|
-
|
110
|
-
...and even better, you can examine how your runtime objects actually work:
|
111
|
-
|
112
|
-
>> f = @posts.first
|
113
|
-
=> #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
|
114
|
-
>> f.
|
115
|
-
Display all 152 possibilities? (y or n)
|
116
|
-
|
117
|
-
Finally, when you're ready to resume execution, you can enter "cont".
|
118
|
-
|
119
|
-
|
120
|
-
== Console
|
121
|
-
|
122
|
-
The console is a Ruby shell, which allows you to interact with your
|
123
|
-
application's domain model. Here you'll have all parts of the application
|
124
|
-
configured, just like it is when the application is running. You can inspect
|
125
|
-
domain models, change values, and save to the database. Starting the script
|
126
|
-
without arguments will launch it in the development environment.
|
127
|
-
|
128
|
-
To start the console, run <tt>rails console</tt> from the application
|
129
|
-
directory.
|
130
|
-
|
131
|
-
Options:
|
132
|
-
|
133
|
-
* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
|
134
|
-
made to the database.
|
135
|
-
* Passing an environment name as an argument will load the corresponding
|
136
|
-
environment. Example: <tt>rails console production</tt>.
|
137
|
-
|
138
|
-
To reload your controllers and models after launching the console run
|
139
|
-
<tt>reload!</tt>
|
140
|
-
|
141
|
-
More information about irb can be found at:
|
142
|
-
link:http://www.rubycentral.org/pickaxe/irb.html
|
143
|
-
|
144
|
-
|
145
|
-
== dbconsole
|
146
|
-
|
147
|
-
You can go to the command line of your database directly through <tt>rails
|
148
|
-
dbconsole</tt>. You would be connected to the database with the credentials
|
149
|
-
defined in database.yml. Starting the script without arguments will connect you
|
150
|
-
to the development database. Passing an argument will connect you to a different
|
151
|
-
database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
|
152
|
-
PostgreSQL and SQLite 3.
|
153
|
-
|
154
|
-
== Description of Contents
|
155
|
-
|
156
|
-
The default directory structure of a generated Ruby on Rails application:
|
157
|
-
|
158
|
-
|-- app
|
159
|
-
| |-- assets
|
160
|
-
| |-- images
|
161
|
-
| |-- javascripts
|
162
|
-
| `-- stylesheets
|
163
|
-
| |-- controllers
|
164
|
-
| |-- helpers
|
165
|
-
| |-- mailers
|
166
|
-
| |-- models
|
167
|
-
| `-- views
|
168
|
-
| `-- layouts
|
169
|
-
|-- config
|
170
|
-
| |-- environments
|
171
|
-
| |-- initializers
|
172
|
-
| `-- locales
|
173
|
-
|-- db
|
174
|
-
|-- doc
|
175
|
-
|-- lib
|
176
|
-
| `-- tasks
|
177
|
-
|-- log
|
178
|
-
|-- public
|
179
|
-
|-- script
|
180
|
-
|-- test
|
181
|
-
| |-- fixtures
|
182
|
-
| |-- functional
|
183
|
-
| |-- integration
|
184
|
-
| |-- performance
|
185
|
-
| `-- unit
|
186
|
-
|-- tmp
|
187
|
-
| |-- cache
|
188
|
-
| |-- pids
|
189
|
-
| |-- sessions
|
190
|
-
| `-- sockets
|
191
|
-
`-- vendor
|
192
|
-
|-- assets
|
193
|
-
`-- stylesheets
|
194
|
-
`-- plugins
|
195
|
-
|
196
|
-
app
|
197
|
-
Holds all the code that's specific to this particular application.
|
198
|
-
|
199
|
-
app/assets
|
200
|
-
Contains subdirectories for images, stylesheets, and JavaScript files.
|
201
|
-
|
202
|
-
app/controllers
|
203
|
-
Holds controllers that should be named like weblogs_controller.rb for
|
204
|
-
automated URL mapping. All controllers should descend from
|
205
|
-
ApplicationController which itself descends from ActionController::Base.
|
206
|
-
|
207
|
-
app/models
|
208
|
-
Holds models that should be named like post.rb. Models descend from
|
209
|
-
ActiveRecord::Base by default.
|
210
|
-
|
211
|
-
app/views
|
212
|
-
Holds the template files for the view that should be named like
|
213
|
-
weblogs/index.html.erb for the WeblogsController#index action. All views use
|
214
|
-
eRuby syntax by default.
|
215
|
-
|
216
|
-
app/views/layouts
|
217
|
-
Holds the template files for layouts to be used with views. This models the
|
218
|
-
common header/footer method of wrapping views. In your views, define a layout
|
219
|
-
using the <tt>layout :default</tt> and create a file named default.html.erb.
|
220
|
-
Inside default.html.erb, call <% yield %> to render the view using this
|
221
|
-
layout.
|
222
|
-
|
223
|
-
app/helpers
|
224
|
-
Holds view helpers that should be named like weblogs_helper.rb. These are
|
225
|
-
generated for you automatically when using generators for controllers.
|
226
|
-
Helpers can be used to wrap functionality for your views into methods.
|
227
|
-
|
228
|
-
config
|
229
|
-
Configuration files for the Rails environment, the routing map, the database,
|
230
|
-
and other dependencies.
|
231
|
-
|
232
|
-
db
|
233
|
-
Contains the database schema in schema.rb. db/migrate contains all the
|
234
|
-
sequence of Migrations for your schema.
|
235
|
-
|
236
|
-
doc
|
237
|
-
This directory is where your application documentation will be stored when
|
238
|
-
generated using <tt>rake doc:app</tt>
|
239
|
-
|
240
|
-
lib
|
241
|
-
Application specific libraries. Basically, any kind of custom code that
|
242
|
-
doesn't belong under controllers, models, or helpers. This directory is in
|
243
|
-
the load path.
|
244
|
-
|
245
|
-
public
|
246
|
-
The directory available for the web server. Also contains the dispatchers and the
|
247
|
-
default HTML files. This should be set as the DOCUMENT_ROOT of your web
|
248
|
-
server.
|
249
|
-
|
250
|
-
script
|
251
|
-
Helper scripts for automation and generation.
|
252
|
-
|
253
|
-
test
|
254
|
-
Unit and functional tests along with fixtures. When using the rails generate
|
255
|
-
command, template test files will be generated for you and placed in this
|
256
|
-
directory.
|
257
|
-
|
258
|
-
vendor
|
259
|
-
External libraries that the application depends on. Also includes the plugins
|
260
|
-
subdirectory. If the app has frozen rails, those gems also go here, under
|
261
|
-
vendor/rails/. This directory is in the load path.
|
@@ -1,7 +0,0 @@
|
|
1
|
-
#!/usr/bin/env rake
|
2
|
-
# Add your own tasks in files placed in lib/tasks ending in .rake,
|
3
|
-
# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
|
4
|
-
|
5
|
-
require File.expand_path('../config/application', __FILE__)
|
6
|
-
|
7
|
-
Rails3212::Application.load_tasks
|
File without changes
|
@@ -1 +0,0 @@
|
|
1
|
-
things
|
@@ -1,14 +0,0 @@
|
|
1
|
-
require File.expand_path('../boot', __FILE__)
|
2
|
-
|
3
|
-
require "action_controller/railtie"
|
4
|
-
require "sprockets/railtie"
|
5
|
-
|
6
|
-
if defined?(Bundler)
|
7
|
-
Bundler.require(*Rails.groups(:assets => %w(development test)))
|
8
|
-
end
|
9
|
-
|
10
|
-
module Rails3212
|
11
|
-
class Application < Rails::Application
|
12
|
-
|
13
|
-
end
|
14
|
-
end
|
@@ -1,37 +0,0 @@
|
|
1
|
-
Rails3212::Application.configure do
|
2
|
-
# Settings specified here will take precedence over those in config/application.rb
|
3
|
-
|
4
|
-
# The test environment is used exclusively to run your application's
|
5
|
-
# test suite. You never need to work with it otherwise. Remember that
|
6
|
-
# your test database is "scratch space" for the test suite and is wiped
|
7
|
-
# and recreated between test runs. Don't rely on the data there!
|
8
|
-
config.cache_classes = true
|
9
|
-
|
10
|
-
# Configure static asset server for tests with Cache-Control for performance
|
11
|
-
config.serve_static_assets = true
|
12
|
-
config.static_cache_control = "public, max-age=3600"
|
13
|
-
|
14
|
-
# Log error messages when you accidentally call methods on nil
|
15
|
-
config.whiny_nils = true
|
16
|
-
|
17
|
-
# Show full error reports and disable caching
|
18
|
-
config.consider_all_requests_local = true
|
19
|
-
config.action_controller.perform_caching = false
|
20
|
-
|
21
|
-
# Raise exceptions instead of rendering exception templates
|
22
|
-
config.action_dispatch.show_exceptions = false
|
23
|
-
|
24
|
-
# Disable request forgery protection in test environment
|
25
|
-
config.action_controller.allow_forgery_protection = false
|
26
|
-
|
27
|
-
# Tell Action Mailer not to deliver emails to the real world.
|
28
|
-
# The :test delivery method accumulates sent emails in the
|
29
|
-
# ActionMailer::Base.deliveries array.
|
30
|
-
# config.action_mailer.delivery_method = :test
|
31
|
-
|
32
|
-
# Raise exception on mass assignment protection for Active Record models
|
33
|
-
# config.active_record.mass_assignment_sanitizer = :strict
|
34
|
-
|
35
|
-
# Print deprecation notices to the stderr
|
36
|
-
config.active_support.deprecation = :stderr
|
37
|
-
end
|
@@ -1,16 +0,0 @@
|
|
1
|
-
::SecureHeaders::Configuration.configure do |config|
|
2
|
-
config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
|
3
|
-
config.x_frame_options = 'SAMEORIGIN'
|
4
|
-
config.x_content_type_options = "nosniff"
|
5
|
-
config.x_xss_protection = {:value => 1, :mode => 'block'}
|
6
|
-
config.x_permitted_cross_domain_policies = 'none'
|
7
|
-
csp = {
|
8
|
-
:default_src => "'self'",
|
9
|
-
:script_src => "'self' nonce",
|
10
|
-
:report_uri => 'somewhere',
|
11
|
-
:script_hash_middleware => true,
|
12
|
-
:enforce => false # false means warnings only
|
13
|
-
}
|
14
|
-
|
15
|
-
config.csp = csp
|
16
|
-
end
|
@@ -1,7 +0,0 @@
|
|
1
|
-
# This file is used by Rack-based servers to start the application.
|
2
|
-
|
3
|
-
require ::File.expand_path('../config/environment', __FILE__)
|
4
|
-
run Rails3212::Application
|
5
|
-
|
6
|
-
require 'secure_headers/headers/content_security_policy/script_hash_middleware'
|
7
|
-
use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
|
File without changes
|
File without changes
|