secure_headers 3.1.2 → 3.2.0

data/lib/secure_headers/view_helper.rb

@@ -1,5 +1,10 @@
 module SecureHeaders
   module ViewHelpers
+    include SecureHeaders::HashHelper
+    SECURE_HEADERS_RAKE_TASK = "rake secure_headers:generate_hashes"
+
+    class UnexpectedHashedScriptException < StandardError; end
+
     # Public: create a style tag using the content security policy nonce.
     # Instructs secure_headers to append a nonce to style/script-src directives.
     #
@@ -29,8 +34,67 @@ module SecureHeaders
       end
     end
 
+    ##
+    # Checks to see if the hashed code is expected and adds the hash source
+    # value to the current CSP.
+    #
+    # By default, in development/test/etc. an exception will be raised.
+    def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block)
+      hashed_tag(
+        :script,
+        :script_src,
+        Configuration.instance_variable_get(:@script_hashes),
+        raise_error_on_unrecognized_hash,
+        block
+      )
+    end
+
+    def hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block)
+      hashed_tag(
+        :style,
+        :style_src,
+        Configuration.instance_variable_get(:@style_hashes),
+        raise_error_on_unrecognized_hash,
+        block
+      )
+    end
+
     private
 
+    def hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block)
+      if raise_error_on_unrecognized_hash.nil?
+        raise_error_on_unrecognized_hash = ENV["RAILS_ENV"] != "production"
+      end
+
+      content = capture(&block)
+      file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb')
+
+      if raise_error_on_unrecognized_hash
+        hash_value = hash_source(content)
+        message = unexpected_hash_error_message(file_path, content, hash_value)
+
+        if hashes.nil? || hashes[file_path].nil? || !hashes[file_path].include?(hash_value)
+          raise UnexpectedHashedScriptException.new(message)
+        end
+      end
+
+      SecureHeaders.append_content_security_policy_directives(request, directive => hashes[file_path])
+
+      content_tag type, content
+    end
+
+    def unexpected_hash_error_message(file_path, content, hash_value)
+      <<-EOF
+\n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
+#{content}
+*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:***
+#{file_path}:
+- #{hash_value}\n\n
+      NOTE: dynamic javascript is not supported using script hash integration
+      on purpose. It defeats the point of using it in the first place.
+      EOF
+    end
+
     def nonced_tag(type, content_or_options, block)
       options = {}
       content = if block

data/lib/secure_headers.rb

@@ -1,4 +1,6 @@
 require "secure_headers/configuration"
+require "secure_headers/hash_helper"
+require "secure_headers/headers/cookie"
 require "secure_headers/headers/public_key_pins"
 require "secure_headers/headers/content_security_policy"
 require "secure_headers/headers/x_frame_options"

data/lib/tasks/tasks.rake

@@ -0,0 +1,81 @@
+INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx
+INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx
+INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
+INLINE_HASH_STYLE_HELPER_REGEX = /<%=\s?hashed_style_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
+
+namespace :secure_headers do
+  include SecureHeaders::HashHelper
+
+  def is_erb?(filename)
+    filename =~ /\.erb\Z/
+  end
+
+  def is_mustache?(filename)
+    filename =~ /\.mustache\Z/
+  end
+
+  def dynamic_content?(filename, inline_script)
+    (is_mustache?(filename) && inline_script =~ /\{\{.*\}\}/) ||
+      (is_erb?(filename) && inline_script =~ /<%.*%>/)
+  end
+
+  def find_inline_content(filename, regex, hashes)
+    file = File.read(filename)
+    file.scan(regex) do # TODO don't use gsub
+      inline_script = Regexp.last_match.captures.last
+      if dynamic_content?(filename, inline_script)
+        puts "Looks like there's some dynamic content inside of a tag :-/"
+        puts "That pretty much means the hash value will never match."
+        puts "Code: " + inline_script
+        puts "=" * 20
+      end
+
+      hashes << hash_source(inline_script)
+    end
+  end
+
+  def generate_inline_script_hashes(filename)
+    hashes = []
+
+    [INLINE_SCRIPT_REGEX, INLINE_HASH_SCRIPT_HELPER_REGEX].each do |regex|
+      find_inline_content(filename, regex, hashes)
+    end
+
+    hashes
+  end
+
+  def generate_inline_style_hashes(filename)
+    hashes = []
+
+    [INLINE_STYLE_REGEX, INLINE_HASH_STYLE_HELPER_REGEX].each do |regex|
+      find_inline_content(filename, regex, hashes)
+    end
+
+    hashes
+  end
+
+  task :generate_hashes do |t, args|
+    script_hashes = {
+      "scripts" => {},
+      "styles" => {}
+    }
+
+    Dir.glob("app/{views,templates}/**/*.{erb,mustache}") do |filename|
+      hashes = generate_inline_script_hashes(filename)
+      if hashes.any?
+        script_hashes["scripts"][filename] = hashes
+      end
+
+      hashes = generate_inline_style_hashes(filename)
+      if hashes.any?
+        script_hashes["styles"][filename] = hashes
+      end
+    end
+
+    File.open(SecureHeaders::Configuration::HASH_CONFIG_FILE, 'w') do |file|
+      file.write(script_hashes.to_yaml)
+    end
+
+    puts "Script hashes from " + script_hashes.keys.size.to_s + " files added to #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
+  end
+end

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.1.2"
+  gem.version       = "3.2.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/configuration_spec.rb

@@ -36,7 +36,7 @@ module SecureHeaders
 
       config = Configuration.get(:test_override)
       noop = Configuration.get(Configuration::NOOP_CONFIGURATION)
-      [:csp, :dynamic_csp, :secure_cookies].each do |key|
+      [:csp, :dynamic_csp, :cookies].each do |key|
         expect(config.send(key)).to eq(noop.send(key)), "Value not copied: #{key}."
       end
     end
@@ -82,5 +82,13 @@ module SecureHeaders
       override_config = Configuration.get(:second_override)
       expect(override_config.csp).to eq(default_src: %w('self'), script_src: %w(example.org))
     end
+
+    it "deprecates the secure_cookies configuration" do
+      expect(Kernel).to receive(:warn).with(/\[DEPRECATION\]/)
+
+      Configuration.default do |config|
+        config.secure_cookies = true
+      end
+    end
   end
 end

data/spec/lib/secure_headers/headers/cookie_spec.rb

@@ -0,0 +1,164 @@
+require 'spec_helper'
+
+module SecureHeaders
+  describe Cookie do
+    let(:raw_cookie) { "_session=thisisatest" }
+
+    it "does not tamper with cookies when unconfigured" do
+      cookie = Cookie.new(raw_cookie, {})
+      expect(cookie.to_s).to eq(raw_cookie)
+    end
+
+    it "preserves existing attributes" do
+      cookie = Cookie.new("_session=thisisatest; secure", secure: true)
+      expect(cookie.to_s).to eq("_session=thisisatest; secure")
+    end
+
+    it "prevents duplicate flagging of attributes" do
+      cookie = Cookie.new("_session=thisisatest; secure", secure: true)
+      expect(cookie.to_s.scan(/secure/i).count).to eq(1)
+    end
+
+    context "Secure cookies" do
+      context "when configured with a boolean" do
+        it "flags cookies as Secure" do
+          cookie = Cookie.new(raw_cookie, secure: true)
+          expect(cookie.to_s).to eq("_session=thisisatest; secure")
+        end
+      end
+
+      context "when configured with a Hash" do
+        it "flags cookies as Secure when whitelisted" do
+          cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]})
+          expect(cookie.to_s).to eq("_session=thisisatest; secure")
+        end
+
+        it "does not flag cookies as Secure when excluded" do
+          cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] })
+          expect(cookie.to_s).to eq("_session=thisisatest")
+        end
+      end
+    end
+
+    context "HttpOnly cookies" do
+      context "when configured with a boolean" do
+        it "flags cookies as HttpOnly" do
+          cookie = Cookie.new(raw_cookie, httponly: true)
+          expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
+        end
+      end
+
+      context "when configured with a Hash" do
+        it "flags cookies as HttpOnly when whitelisted" do
+          cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]})
+          expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
+        end
+
+        it "does not flag cookies as HttpOnly when excluded" do
+          cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] })
+          expect(cookie.to_s).to eq("_session=thisisatest")
+        end
+      end
+    end
+
+    context "SameSite cookies" do
+      it "flags SameSite=Lax" do
+        cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } })
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
+      end
+
+      it "flags SameSite=Lax when configured with a boolean" do
+        cookie = Cookie.new(raw_cookie, samesite: { lax: true})
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
+      end
+
+      it "does not flag cookies as SameSite=Lax when excluded" do
+        cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } })
+        expect(cookie.to_s).to eq("_session=thisisatest")
+      end
+
+      it "flags SameSite=Strict" do
+        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } })
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
+      end
+
+      it "does not flag cookies as SameSite=Strict when excluded" do
+        cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] } })
+        expect(cookie.to_s).to eq("_session=thisisatest")
+      end
+
+      it "flags SameSite=Strict when configured with a boolean" do
+        cookie = Cookie.new(raw_cookie, samesite: { strict: true})
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
+      end
+
+      it "flags properly when both lax and strict are configured" do
+        raw_cookie = "_session=thisisatest"
+        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } })
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
+      end
+
+      it "ignores configuration if the cookie is already flagged" do
+        raw_cookie = "_session=thisisatest; SameSite=Strict"
+        cookie = Cookie.new(raw_cookie, samesite: { lax: true })
+        expect(cookie.to_s).to eq(raw_cookie)
+      end
+    end
+  end
+
+  context "with an invalid configuration" do
+    it "raises an exception when not configured with a Hash" do
+      expect do
+        Cookie.validate_config!("configuration")
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when configured without a boolean/Hash" do
+      expect do
+        Cookie.validate_config!(secure: "true")
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when both only and except filters are provided" do
+      expect do
+        Cookie.validate_config!(secure: { only: [], except: [] })
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when SameSite is not configured with a Hash" do
+      expect do
+        Cookie.validate_config!(samesite: true)
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
+      expect do
+        Cookie.validate_config!(samesite: { lax: true, strict: true})
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
+      expect do
+        Cookie.validate_config!(samesite: { lax: true, strict: { only: ["_anything"] } })
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when both only and except filters are provided to SameSite configurations" do
+      expect do
+        Cookie.validate_config!(samesite: { lax: { only: ["_anything"], except: ["_anythingelse"] } })
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when both lax and strict only filters are provided to SameSite configurations" do
+      expect do
+        Cookie.validate_config!(samesite: { lax: { only: ["_anything"] }, strict: { only: ["_anything"] } })
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when both lax and strict only filters are provided to SameSite configurations" do
+      expect do
+        Cookie.validate_config!(samesite: { lax: { except: ["_anything"] }, strict: { except: ["_anything"] } })
+      end.to raise_error(CookiesConfigError)
+    end
+  end
+end

data/spec/lib/secure_headers/middleware_spec.rb

@@ -10,9 +10,7 @@ module SecureHeaders
 
     before(:each) do
       reset_config
-      Configuration.default do |config|
-        # use all default provided by the library
-      end
+      Configuration.default
     end
 
     it "sets the headers" do
@@ -38,21 +36,56 @@ module SecureHeaders
       expect(env[CSP::HEADER_NAME]).to match("example.org")
     end
 
-    context "cookies should be flagged" do
-      it "flags cookies as secure" do
-        Configuration.default { |config| config.secure_cookies = true }
-        request = Rack::MockRequest.new(cookie_middleware)
-        response = request.get '/'
-        expect(response.headers['Set-Cookie']).to match(Middleware::SECURE_COOKIE_REGEXP)
+    context "secure_cookies" do
+      context "cookies should be flagged" do
+        it "flags cookies as secure" do
+          capture_warning do
+            Configuration.default { |config| config.secure_cookies = true }
+          end
+          request = Rack::Request.new("HTTPS" => "on")
+          _, env = cookie_middleware.call request.env
+          expect(env['Set-Cookie']).to eq("foo=bar; secure")
+        end
+      end
+
+      context "cookies should not be flagged" do
+        it "does not flags cookies as secure" do
+          capture_warning do
+            Configuration.default { |config| config.secure_cookies = false }
+          end
+          request = Rack::Request.new("HTTPS" => "on")
+          _, env = cookie_middleware.call request.env
+          expect(env['Set-Cookie']).to eq("foo=bar")
+        end
       end
     end
 
-    context "cookies should not be flagged" do
-      it "does not flags cookies as secure" do
-        Configuration.default { |config| config.secure_cookies = false }
-        request = Rack::MockRequest.new(cookie_middleware)
-        response = request.get '/'
-        expect(response.headers['Set-Cookie']).not_to match(Middleware::SECURE_COOKIE_REGEXP)
+    context "cookies" do
+      it "flags cookies from configuration" do
+        Configuration.default { |config| config.cookies = { secure: true, httponly: true } }
+        request = Rack::Request.new("HTTPS" => "on")
+        _, env = cookie_middleware.call request.env
+
+        expect(env['Set-Cookie']).to eq("foo=bar; secure; HttpOnly")
+      end
+
+      it "flags cookies with a combination of SameSite configurations" do
+        cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => ["_session=foobar", "_guest=true"]), "app"] })
+
+        Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } } } }
+        request = Rack::Request.new("HTTPS" => "on")
+        _, env = cookie_middleware.call request.env
+
+        expect(env['Set-Cookie']).to match("_session=foobar; SameSite=Strict")
+        expect(env['Set-Cookie']).to match("_guest=true; SameSite=Lax")
+      end
+
+      it "disables secure cookies for non-https requests" do
+        Configuration.default { |config| config.cookies = { secure: true } }
+
+        request = Rack::Request.new("HTTPS" => "off")
+        _, env = cookie_middleware.call request.env
+        expect(env['Set-Cookie']).to eq("foo=bar")
       end
     end
   end

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -0,0 +1,125 @@
+require "spec_helper"
+require "erb"
+
+class Message < ERB
+  include SecureHeaders::ViewHelpers
+
+  def self.template
+<<-TEMPLATE
+<% hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
+  console.log(1)
+<% end %>
+
+<% hashed_style_tag do %>
+  body {
+    background-color: black;
+  }
+<% end %>
+
+<% nonced_javascript_tag do %>
+  body {
+    console.log(1)
+  }
+<% end %>
+
+<% nonced_style_tag do %>
+  body {
+    background-color: black;
+  }
+<% end %>
+<%= @name %>
+
+TEMPLATE
+  end
+
+  def initialize(request, options = {})
+    @virtual_path = "/asdfs/index"
+    @_request = request
+    @template = self.class.template
+    super(@template)
+  end
+
+  def capture(*args)
+    yield(*args)
+  end
+
+  def content_tag(type, content = nil, options = nil, &block)
+    content = if block_given?
+      capture(block)
+    end
+
+    if options.is_a?(Hash)
+      options = options.map {|k,v| " #{k}=#{v}"}
+    end
+    "<#{type}#{options}>#{content}</#{type}>"
+  end
+
+  def result
+    super(binding)
+  end
+
+  def request
+    @_request
+  end
+end
+
+module SecureHeaders
+  describe ViewHelpers do
+    let(:app) { lambda { |env| [200, env, "app"] } }
+    let(:middleware) { Middleware.new(app) }
+    let(:request) { Rack::Request.new("HTTP_USER_AGENT" => USER_AGENTS[:chrome]) }
+    let(:filename) { "app/views/asdfs/index.html.erb" }
+
+    before(:all) do
+      Configuration.default do |config|
+        config.csp[:script_src] = %w('self')
+        config.csp[:style_src] = %w('self')
+      end
+    end
+
+    after(:each) do
+      Configuration.instance_variable_set(:@script_hashes, nil)
+      Configuration.instance_variable_set(:@style_hashes, nil)
+    end
+
+    it "raises an error when using hashed content without precomputed hashes" do
+      expect {
+        Message.new(request).result
+      }.to raise_error(ViewHelpers::UnexpectedHashedScriptException)
+    end
+
+    it "raises an error when using hashed content with precomputed hashes, but none for the given file" do
+      Configuration.instance_variable_set(:@script_hashes, filename.reverse => ["'sha256-123'"])
+      expect {
+        Message.new(request).result
+      }.to raise_error(ViewHelpers::UnexpectedHashedScriptException)
+    end
+
+    it "raises an error when using previously unknown hashed content with precomputed hashes for a given file" do
+      Configuration.instance_variable_set(:@script_hashes, filename => ["'sha256-123'"])
+      expect {
+        Message.new(request).result
+      }.to raise_error(ViewHelpers::UnexpectedHashedScriptException)
+    end
+
+    it "adds known hash values to the corresponding headers when the helper is used" do
+      begin
+        allow(SecureRandom).to receive(:base64).and_return("abc123")
+
+        expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
+        Configuration.instance_variable_set(:@script_hashes, filename => ["'#{expected_hash}'"])
+        expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
+        Configuration.instance_variable_set(:@style_hashes, filename => ["'#{expected_style_hash}'"])
+
+        # render erb that calls out to helpers.
+        Message.new(request).result
+        _, env = middleware.call request.env
+
+        expect(env[CSP::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
+        expect(env[CSP::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
+        expect(env[CSP::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
+        expect(env[CSP::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -45,3 +45,15 @@ end
 def reset_config
   SecureHeaders::Configuration.clear_configurations
 end
+
+def capture_warning
+  begin
+    old_stderr = $stderr
+    $stderr = StringIO.new
+    yield
+    result = $stderr.string
+  ensure
+    $stderr = old_stderr
+  end
+  result
+end

data/upgrading-to-3-0.md

@@ -8,6 +8,7 @@ Changes
 | Global configuration             | `SecureHeaders::Configuration.configure` block             | `SecureHeaders::Configuration.default` block                                                                                                                                 |
 | All headers besides HPKP and CSP | Accept hashes as config values                           | Must be strings (validated during configuration)                                                                                                                                                            |
 | CSP directive values             | Accepted space delimited strings OR arrays of strings    | Must be arrays of strings                                                                                                                                                  |
+| CSP Nonce values in views             | `@content_security_policy_nonce`    | `content_security_policy_script_nonce` or `content_security_policy_style_nonce`
 | `self`/`none` source expressions     | could be `self` / `none` / `'self'` / `'none'`                   | Must be `'self'` or `'none'`                                                                                                                                                   |
 | `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'`                                                                                                                                   |
 | Per-action configuration         | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111)  | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.1.2
+  version: 3.2.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-30 00:00:00.000000000 Z
+date: 2016-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -58,7 +58,9 @@ files:
 - Rakefile
 - lib/secure_headers.rb
 - lib/secure_headers/configuration.rb
+- lib/secure_headers/hash_helper.rb
 - lib/secure_headers/headers/content_security_policy.rb
+- lib/secure_headers/headers/cookie.rb
 - lib/secure_headers/headers/policy_management.rb
 - lib/secure_headers/headers/public_key_pins.rb
 - lib/secure_headers/headers/strict_transport_security.rb
@@ -69,10 +71,13 @@ files:
 - lib/secure_headers/headers/x_xss_protection.rb
 - lib/secure_headers/middleware.rb
 - lib/secure_headers/railtie.rb
+- lib/secure_headers/utils/cookies_config.rb
 - lib/secure_headers/view_helper.rb
+- lib/tasks/tasks.rake
 - secure_headers.gemspec
 - spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
+- spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -82,6 +87,7 @@ files:
 - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
 - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
 - spec/lib/secure_headers/middleware_spec.rb
+- spec/lib/secure_headers/view_helpers_spec.rb
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb
 - upgrading-to-3-0.md
@@ -113,6 +119,7 @@ summary: Add easily configured security headers to responses including content-s
 test_files:
 - spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
+- spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -122,5 +129,6 @@ test_files:
 - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
 - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
 - spec/lib/secure_headers/middleware_spec.rb
+- spec/lib/secure_headers/view_helpers_spec.rb
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb