secure_headers 3.0.3 → 3.1.0

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -1,6 +1,6 @@
 module SecureHeaders
   class XContentTypeOptionsConfigError < StandardError; end
-  # IE only
+
   class XContentTypeOptions
     HEADER_NAME = "X-Content-Type-Options"
     DEFAULT_VALUE = "nosniff"

data/lib/secure_headers/middleware.rb

@@ -1,5 +1,7 @@
 module SecureHeaders
   class Middleware
+    SECURE_COOKIE_REGEXP = /;\s*secure\s*(;|$)/i.freeze
+
     def initialize(app)
       @app = app
     end
@@ -8,8 +10,29 @@ module SecureHeaders
     def call(env)
       req = Rack::Request.new(env)
       status, headers, response = @app.call(env)
+
+      config = SecureHeaders.config_for(req)
+      flag_cookies_as_secure!(headers) if config.secure_cookies
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]
     end
+
+    private
+
+    # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
+    def flag_cookies_as_secure!(headers)
+      if cookies = headers['Set-Cookie']
+        # Support Rails 2.3 / Rack 1.1 arrays as headers
+        cookies = cookies.split("\n") unless cookies.is_a?(Array)
+
+        headers['Set-Cookie'] = cookies.map do |cookie|
+          if cookie !~ SECURE_COOKIE_REGEXP
+            "#{cookie}; secure"
+          else
+            cookie
+          end
+        end.join("\n")
+      end
+    end
   end
 end

data/lib/secure_headers/railtie.rb

@@ -10,7 +10,7 @@ if defined?(Rails::Railtie)
                              'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
 
       initializer "secure_headers.middleware" do
-        Rails.application.config.middleware.use SecureHeaders::Middleware
+        Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware
       end
 
       initializer "secure_headers.action_controller" do

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.0.3"
+  gem.version       = "3.1.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/configuration_spec.rb

@@ -29,16 +29,14 @@ module SecureHeaders
       expect_default_values(header_hash)
     end
 
-    it "copies all config values except for the cached headers when dup" do
+    it "copies config values when duping" do
       Configuration.override(:test_override, Configuration::NOOP_CONFIGURATION) do
         # do nothing, just copy it
       end
 
       config = Configuration.get(:test_override)
       noop = Configuration.get(Configuration::NOOP_CONFIGURATION)
-      [:hsts, :x_frame_options, :x_content_type_options, :x_xss_protection,
-        :x_download_options, :x_permitted_cross_domain_policies, :hpkp, :csp].each do |key|
-
+      [:csp, :dynamic_csp, :secure_cookies].each do |key|
         expect(config.send(key)).to eq(noop.send(key)), "Value not copied: #{key}."
       end
     end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -22,181 +22,6 @@ module SecureHeaders
       end
     end
 
-    describe "#validate_config!" do
-      it "accepts all keys" do
-        # (pulled from README)
-        config = {
-          # "meta" values. these will shaped the header, but the values are not included in the header.
-          report_only:  true,     # default: false
-          preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
-
-          # directive values: these values will directly translate into source directives
-          default_src: %w(https: 'self'),
-          frame_src: %w('self' *.twimg.com itunes.apple.com),
-          connect_src: %w(wws:),
-          font_src: %w('self' data:),
-          img_src: %w(mycdn.com data:),
-          media_src: %w(utoob.com),
-          object_src: %w('self'),
-          script_src: %w('self'),
-          style_src: %w('unsafe-inline'),
-          base_uri: %w('self'),
-          child_src: %w('self'),
-          form_action: %w('self' github.com),
-          frame_ancestors: %w('none'),
-          plugin_types: %w(application/x-shockwave-flash),
-          block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
-          upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-          report_uri: %w(https://example.com/uri-directive)
-        }
-
-        CSP.validate_config!(config)
-      end
-
-      it "requires a :default_src value" do
-        expect do
-          CSP.validate_config!(script_src: %('self'))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires :report_only to be a truthy value" do
-        expect do
-          CSP.validate_config!(default_opts.merge(report_only: "steve"))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires :preserve_schemes to be a truthy value" do
-        expect do
-          CSP.validate_config!(default_opts.merge(preserve_schemes: "steve"))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires :block_all_mixed_content to be a boolean value" do
-        expect do
-          CSP.validate_config!(default_opts.merge(block_all_mixed_content: "steve"))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires :upgrade_insecure_requests to be a boolean value" do
-        expect do
-          CSP.validate_config!(default_opts.merge(upgrade_insecure_requests: "steve"))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires all source lists to be an array of strings" do
-        expect do
-          CSP.validate_config!(default_src: "steve")
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "allows nil values" do
-        expect do
-          CSP.validate_config!(default_src: %w('self'), script_src: ["https:", nil])
-        end.to_not raise_error
-      end
-
-      it "rejects unknown directives / config" do
-        expect do
-          CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      # this is mostly to ensure people don't use the antiquated shorthands common in other configs
-      it "performs light validation on source lists" do
-        expect do
-          CSP.validate_config!(default_src: %w(self none inline eval))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-    end
-
-    describe "#combine_policies" do
-      it "combines the default-src value with the override if the directive was unconfigured" do
-        combined_config = CSP.combine_policies(Configuration.default.csp, script_src: %w(anothercdn.com))
-        csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.name).to eq(CSP::HEADER_NAME)
-        expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
-      end
-
-      it "combines directives where the original value is nil and the hash is frozen" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            report_only: false
-          }.freeze
-        end
-        report_uri = "https://report-uri.io/asdf"
-        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: [report_uri])
-        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
-        expect(csp.value).to include("report-uri #{report_uri}")
-      end
-
-      it "does not combine the default-src value for directives that don't fall back to default sources" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            report_only: false
-          }.freeze
-        end
-        non_default_source_additions = CSP::NON_DEFAULT_SOURCES.each_with_object({}) do |directive, hash|
-          hash[directive] = %w("http://example.org)
-        end
-        combined_config = CSP.combine_policies(Configuration.get.csp, non_default_source_additions)
-
-        CSP::NON_DEFAULT_SOURCES.each do |directive|
-          expect(combined_config[directive]).to eq(%w("http://example.org))
-        end
-
-         ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
-      end
-
-      it "overrides the report_only flag" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            report_only: false
-          }
-        end
-        combined_config = CSP.combine_policies(Configuration.get.csp, report_only: true)
-        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
-        expect(csp.name).to eq(CSP::REPORT_ONLY)
-      end
-
-      it "overrides the :block_all_mixed_content flag" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w(https:),
-            block_all_mixed_content: false
-          }
-        end
-        combined_config = CSP.combine_policies(Configuration.get.csp, block_all_mixed_content: true)
-        csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.value).to eq("default-src https:; block-all-mixed-content")
-      end
-
-      it "raises an error if appending to a OPT_OUT policy" do
-        Configuration.default do |config|
-          config.csp = OPT_OUT
-        end
-        expect do
-          CSP.combine_policies(Configuration.get.csp, script_src: %w(anothercdn.com))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-    end
-
-    describe "#idempotent_additions?" do
-      specify { expect(ContentSecurityPolicy.idempotent_additions?(OPT_OUT, script_src: %w(b.com))).to be false }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(c.com))).to be false }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: %w(b.com))).to be false }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(a.com b.com c.com))).to be false }
-
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com))).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com a.com))).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w())).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: [nil])).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: [nil])).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: nil)).to be true }
-    end
-
     describe "#value" do
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(frame_src: %w('self' 'none')))

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -0,0 +1,190 @@
+require 'spec_helper'
+
+module SecureHeaders
+  describe PolicyManagement do
+    let (:default_opts) do
+      {
+        default_src: %w(https:),
+        img_src: %w(https: data:),
+        script_src: %w('unsafe-inline' 'unsafe-eval' https: data:),
+        style_src: %w('unsafe-inline' https: about:),
+        report_uri: %w(/csp_report)
+      }
+    end
+
+    describe "#validate_config!" do
+      it "accepts all keys" do
+        # (pulled from README)
+        config = {
+          # "meta" values. these will shaped the header, but the values are not included in the header.
+          report_only:  true,     # default: false
+          preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+
+          # directive values: these values will directly translate into source directives
+          default_src: %w(https: 'self'),
+          frame_src: %w('self' *.twimg.com itunes.apple.com),
+          connect_src: %w(wws:),
+          font_src: %w('self' data:),
+          img_src: %w(mycdn.com data:),
+          media_src: %w(utoob.com),
+          object_src: %w('self'),
+          script_src: %w('self'),
+          style_src: %w('unsafe-inline'),
+          base_uri: %w('self'),
+          child_src: %w('self'),
+          form_action: %w('self' github.com),
+          frame_ancestors: %w('none'),
+          plugin_types: %w(application/x-shockwave-flash),
+          block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
+          upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
+          report_uri: %w(https://example.com/uri-directive)
+        }
+
+        CSP.validate_config!(config)
+      end
+
+      it "requires a :default_src value" do
+        expect do
+          CSP.validate_config!(script_src: %('self'))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "requires :report_only to be a truthy value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(report_only: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "requires :preserve_schemes to be a truthy value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(preserve_schemes: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "requires :block_all_mixed_content to be a boolean value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(block_all_mixed_content: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "requires :upgrade_insecure_requests to be a boolean value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(upgrade_insecure_requests: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "requires all source lists to be an array of strings" do
+        expect do
+          CSP.validate_config!(default_src: "steve")
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "allows nil values" do
+        expect do
+          CSP.validate_config!(default_src: %w('self'), script_src: ["https:", nil])
+        end.to_not raise_error
+      end
+
+      it "rejects unknown directives / config" do
+        expect do
+          CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      # this is mostly to ensure people don't use the antiquated shorthands common in other configs
+      it "performs light validation on source lists" do
+        expect do
+          CSP.validate_config!(default_src: %w(self none inline eval))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+    end
+
+    describe "#combine_policies" do
+      it "combines the default-src value with the override if the directive was unconfigured" do
+        combined_config = CSP.combine_policies(Configuration.default.csp, script_src: %w(anothercdn.com))
+        csp = ContentSecurityPolicy.new(combined_config)
+        expect(csp.name).to eq(CSP::HEADER_NAME)
+        expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
+      end
+
+      it "combines directives where the original value is nil and the hash is frozen" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            report_only: false
+          }.freeze
+        end
+        report_uri = "https://report-uri.io/asdf"
+        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: [report_uri])
+        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        expect(csp.value).to include("report-uri #{report_uri}")
+      end
+
+      it "does not combine the default-src value for directives that don't fall back to default sources" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            report_only: false
+          }.freeze
+        end
+        non_default_source_additions = CSP::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
+          hash[directive] = %w("http://example.org)
+        end
+        combined_config = CSP.combine_policies(Configuration.get.csp, non_default_source_additions)
+
+        CSP::NON_FETCH_SOURCES.each do |directive|
+          expect(combined_config[directive]).to eq(%w("http://example.org))
+        end
+
+         ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
+      end
+
+      it "overrides the report_only flag" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            report_only: false
+          }
+        end
+        combined_config = CSP.combine_policies(Configuration.get.csp, report_only: true)
+        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        expect(csp.name).to eq(CSP::REPORT_ONLY)
+      end
+
+      it "overrides the :block_all_mixed_content flag" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w(https:),
+            block_all_mixed_content: false
+          }
+        end
+        combined_config = CSP.combine_policies(Configuration.get.csp, block_all_mixed_content: true)
+        csp = ContentSecurityPolicy.new(combined_config)
+        expect(csp.value).to eq("default-src https:; block-all-mixed-content")
+      end
+
+      it "raises an error if appending to a OPT_OUT policy" do
+        Configuration.default do |config|
+          config.csp = OPT_OUT
+        end
+        expect do
+          CSP.combine_policies(Configuration.get.csp, script_src: %w(anothercdn.com))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+    end
+
+    describe "#idempotent_additions?" do
+      specify { expect(ContentSecurityPolicy.idempotent_additions?(OPT_OUT, script_src: %w(b.com))).to be false }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(c.com))).to be false }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: %w(b.com))).to be false }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(a.com b.com c.com))).to be false }
+
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com))).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com a.com))).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w())).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: [nil])).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: [nil])).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: nil)).to be true }
+    end
+  end
+end