secure_headers 3.5.1 → 3.6.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rspec +1 -0
- data/.ruby-version +1 -1
- data/.travis.yml +2 -0
- data/CHANGELOG.md +34 -1
- data/CODE_OF_CONDUCT.md +46 -0
- data/CONTRIBUTING.md +41 -0
- data/LICENSE +4 -199
- data/README.md +36 -384
- data/docs/HPKP.md +17 -0
- data/docs/cookies.md +50 -0
- data/docs/hashes.md +64 -0
- data/docs/named_overrides_and_appends.md +107 -0
- data/docs/per_action_configuration.md +105 -0
- data/docs/sinatra.md +25 -0
- data/lib/secure_headers/configuration.rb +24 -5
- data/lib/secure_headers/headers/clear_site_data.rb +54 -0
- data/lib/secure_headers/headers/content_security_policy.rb +2 -2
- data/lib/secure_headers/headers/content_security_policy_config.rb +45 -12
- data/lib/secure_headers/headers/policy_management.rb +22 -22
- data/lib/secure_headers/headers/public_key_pins.rb +1 -1
- data/lib/secure_headers/headers/referrer_policy.rb +1 -1
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
- data/lib/secure_headers/headers/x_download_options.rb +1 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -1
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
- data/lib/secure_headers/view_helper.rb +2 -2
- data/lib/secure_headers.rb +5 -2
- data/secure_headers.gemspec +2 -2
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +86 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -8
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
- data/spec/lib/secure_headers/view_helpers_spec.rb +0 -1
- data/spec/lib/secure_headers_spec.rb +39 -4
- metadata +15 -4
|
@@ -95,9 +95,9 @@ module SecureHeaders
|
|
|
95
95
|
<<-EOF
|
|
96
96
|
\n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
|
|
97
97
|
#{content}
|
|
98
|
-
*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/
|
|
98
|
+
*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/secure_headers_generated_hashes.yml:***
|
|
99
99
|
#{file_path}:
|
|
100
|
-
- #{hash_value}\n\n
|
|
100
|
+
- \"#{hash_value}\"\n\n
|
|
101
101
|
NOTE: dynamic javascript is not supported using script hash integration
|
|
102
102
|
on purpose. It defeats the point of using it in the first place.
|
|
103
103
|
EOF
|
data/lib/secure_headers.rb
CHANGED
|
@@ -10,6 +10,7 @@ require "secure_headers/headers/x_content_type_options"
|
|
|
10
10
|
require "secure_headers/headers/x_download_options"
|
|
11
11
|
require "secure_headers/headers/x_permitted_cross_domain_policies"
|
|
12
12
|
require "secure_headers/headers/referrer_policy"
|
|
13
|
+
require "secure_headers/headers/clear_site_data"
|
|
13
14
|
require "secure_headers/middleware"
|
|
14
15
|
require "secure_headers/railtie"
|
|
15
16
|
require "secure_headers/view_helper"
|
|
@@ -50,6 +51,7 @@ module SecureHeaders
|
|
|
50
51
|
CSP = ContentSecurityPolicy
|
|
51
52
|
|
|
52
53
|
ALL_HEADER_CLASSES = [
|
|
54
|
+
ClearSiteData,
|
|
53
55
|
ContentSecurityPolicyConfig,
|
|
54
56
|
ContentSecurityPolicyReportOnlyConfig,
|
|
55
57
|
StrictTransportSecurity,
|
|
@@ -161,7 +163,8 @@ module SecureHeaders
|
|
|
161
163
|
# returned is meant to be merged into the header value from `@app.call(env)`
|
|
162
164
|
# in Rack middleware.
|
|
163
165
|
def header_hash_for(request)
|
|
164
|
-
|
|
166
|
+
prevent_dup = true
|
|
167
|
+
config = config_for(request, prevent_dup)
|
|
165
168
|
headers = config.cached_headers
|
|
166
169
|
user_agent = UserAgent.parse(request.user_agent)
|
|
167
170
|
|
|
@@ -175,7 +178,7 @@ module SecureHeaders
|
|
|
175
178
|
|
|
176
179
|
header_classes_for(request).each_with_object({}) do |klass, hash|
|
|
177
180
|
if header = headers[klass::CONFIG_KEY]
|
|
178
|
-
header_name, value = if
|
|
181
|
+
header_name, value = if klass == ContentSecurityPolicyConfig || klass == ContentSecurityPolicyReportOnlyConfig
|
|
179
182
|
csp_header_for_ua(header, user_agent)
|
|
180
183
|
else
|
|
181
184
|
header
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.
|
|
4
|
+
gem.version = "3.6.7"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
|
-
gem.description = '
|
|
7
|
+
gem.description = 'Manages application of security headers with many safe defaults.'
|
|
8
8
|
gem.summary = 'Add easily configured security headers to responses
|
|
9
9
|
including content-security-policy, x-frame-options,
|
|
10
10
|
strict-transport-security, etc.'
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
module SecureHeaders
|
|
4
|
+
describe ClearSiteData do
|
|
5
|
+
describe "make_header" do
|
|
6
|
+
it "returns nil with nil config" do
|
|
7
|
+
expect(described_class.make_header).to be_nil
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
it "returns nil with empty config" do
|
|
11
|
+
expect(described_class.make_header([])).to be_nil
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
it "returns nil with opt-out config" do
|
|
15
|
+
expect(described_class.make_header(OPT_OUT)).to be_nil
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
it "returns all types with `true` config" do
|
|
19
|
+
name, value = described_class.make_header(true)
|
|
20
|
+
|
|
21
|
+
expect(name).to eq(ClearSiteData::HEADER_NAME)
|
|
22
|
+
expect(value).to eq(
|
|
23
|
+
%("cache", "cookies", "storage", "executionContexts")
|
|
24
|
+
)
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
it "returns specified types" do
|
|
28
|
+
name, value = described_class.make_header(["foo", "bar"])
|
|
29
|
+
|
|
30
|
+
expect(name).to eq(ClearSiteData::HEADER_NAME)
|
|
31
|
+
expect(value).to eq(%("foo", "bar"))
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
describe "validate_config!" do
|
|
36
|
+
it "succeeds for `true` config" do
|
|
37
|
+
expect do
|
|
38
|
+
described_class.validate_config!(true)
|
|
39
|
+
end.not_to raise_error
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
it "succeeds for `nil` config" do
|
|
43
|
+
expect do
|
|
44
|
+
described_class.validate_config!(nil)
|
|
45
|
+
end.not_to raise_error
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
it "succeeds for opt-out config" do
|
|
49
|
+
expect do
|
|
50
|
+
described_class.validate_config!(OPT_OUT)
|
|
51
|
+
end.not_to raise_error
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
it "succeeds for empty config" do
|
|
55
|
+
expect do
|
|
56
|
+
described_class.validate_config!([])
|
|
57
|
+
end.not_to raise_error
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
it "succeeds for Array of Strings config" do
|
|
61
|
+
expect do
|
|
62
|
+
described_class.validate_config!(["foo"])
|
|
63
|
+
end.not_to raise_error
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
it "fails for Array of non-String config" do
|
|
67
|
+
expect do
|
|
68
|
+
described_class.validate_config!([1])
|
|
69
|
+
end.to raise_error(ClearSiteDataConfigError)
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
it "fails for other types of config" do
|
|
73
|
+
expect do
|
|
74
|
+
described_class.validate_config!(:cookies)
|
|
75
|
+
end.to raise_error(ClearSiteDataConfigError)
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
describe "make_header_value" do
|
|
80
|
+
it "returns a string of quoted values that are comma separated" do
|
|
81
|
+
value = described_class.make_header_value(["foo", "bar"])
|
|
82
|
+
expect(value).to eq(%("foo", "bar"))
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
end
|
|
@@ -86,8 +86,8 @@ module SecureHeaders
|
|
|
86
86
|
expect(csp.value).to eq("default-src example.org")
|
|
87
87
|
end
|
|
88
88
|
|
|
89
|
-
it "
|
|
90
|
-
expect(Kernel).
|
|
89
|
+
it "does not emit a warning when using frame-src" do
|
|
90
|
+
expect(Kernel).to_not receive(:warn)
|
|
91
91
|
ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
|
|
92
92
|
end
|
|
93
93
|
|
|
@@ -119,7 +119,6 @@ module SecureHeaders
|
|
|
119
119
|
end.merge({
|
|
120
120
|
block_all_mixed_content: true,
|
|
121
121
|
upgrade_insecure_requests: true,
|
|
122
|
-
reflected_xss: "block",
|
|
123
122
|
script_src: %w(script-src.com),
|
|
124
123
|
script_nonce: 123456
|
|
125
124
|
})
|
|
@@ -127,22 +126,22 @@ module SecureHeaders
|
|
|
127
126
|
|
|
128
127
|
it "does not filter any directives for Chrome" do
|
|
129
128
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
|
|
130
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
129
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
131
130
|
end
|
|
132
131
|
|
|
133
132
|
it "does not filter any directives for Opera" do
|
|
134
133
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
|
|
135
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
134
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
136
135
|
end
|
|
137
136
|
|
|
138
137
|
it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
|
|
139
138
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
|
|
140
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
139
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
141
140
|
end
|
|
142
141
|
|
|
143
142
|
it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
|
|
144
143
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
|
|
145
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
144
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
146
145
|
end
|
|
147
146
|
|
|
148
147
|
it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
|
|
@@ -155,11 +154,16 @@ module SecureHeaders
|
|
|
155
154
|
expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
|
|
156
155
|
end
|
|
157
156
|
|
|
157
|
+
it "adds 'unsafe-inline', filters blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
|
|
158
|
+
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
|
|
159
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
|
|
160
|
+
end
|
|
161
|
+
|
|
158
162
|
it "falls back to standard Firefox defaults when the useragent version is not present" do
|
|
159
163
|
ua = USER_AGENTS[:firefox].dup
|
|
160
164
|
allow(ua).to receive(:version).and_return(nil)
|
|
161
165
|
policy = ContentSecurityPolicy.new(complex_opts, ua)
|
|
162
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
166
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
163
167
|
end
|
|
164
168
|
end
|
|
165
169
|
end
|
|
@@ -105,7 +105,7 @@ module SecureHeaders
|
|
|
105
105
|
end
|
|
106
106
|
|
|
107
107
|
it "produces a UA-specific CSP when overriding (and busting the cache)" do
|
|
108
|
-
|
|
108
|
+
Configuration.default do |config|
|
|
109
109
|
config.csp = {
|
|
110
110
|
default_src: %w('self'),
|
|
111
111
|
child_src: %w('self')
|
|
@@ -173,6 +173,33 @@ module SecureHeaders
|
|
|
173
173
|
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
|
|
174
174
|
end
|
|
175
175
|
|
|
176
|
+
it "appends child-src to frame-src" do
|
|
177
|
+
Configuration.default do |config|
|
|
178
|
+
config.csp = {
|
|
179
|
+
default_src: %w('self'),
|
|
180
|
+
frame_src: %w(frame_src.com)
|
|
181
|
+
}
|
|
182
|
+
end
|
|
183
|
+
|
|
184
|
+
SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
|
|
185
|
+
hash = SecureHeaders.header_hash_for(chrome_request)
|
|
186
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
|
|
187
|
+
end
|
|
188
|
+
|
|
189
|
+
it "appends frame-src to child-src" do
|
|
190
|
+
Configuration.default do |config|
|
|
191
|
+
config.csp = {
|
|
192
|
+
default_src: %w('self'),
|
|
193
|
+
child_src: %w(child_src.com)
|
|
194
|
+
}
|
|
195
|
+
end
|
|
196
|
+
|
|
197
|
+
safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
|
|
198
|
+
SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
|
|
199
|
+
hash = SecureHeaders.header_hash_for(safari_request)
|
|
200
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
|
|
201
|
+
end
|
|
202
|
+
|
|
176
203
|
it "supports named appends" do
|
|
177
204
|
Configuration.default do |config|
|
|
178
205
|
config.csp = {
|
|
@@ -204,7 +231,7 @@ module SecureHeaders
|
|
|
204
231
|
|
|
205
232
|
SecureHeaders.content_security_policy_script_nonce(request) # should add the value to the header
|
|
206
233
|
hash = SecureHeaders.header_hash_for(chrome_request)
|
|
207
|
-
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match
|
|
234
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/)
|
|
208
235
|
end
|
|
209
236
|
|
|
210
237
|
it "appends a hash to a missing script-src value" do
|
|
@@ -216,7 +243,7 @@ module SecureHeaders
|
|
|
216
243
|
|
|
217
244
|
SecureHeaders.append_content_security_policy_directives(request, script_src: %w('sha256-abc123'))
|
|
218
245
|
hash = SecureHeaders.header_hash_for(chrome_request)
|
|
219
|
-
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match
|
|
246
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/)
|
|
220
247
|
end
|
|
221
248
|
|
|
222
249
|
it "overrides individual directives" do
|
|
@@ -252,7 +279,7 @@ module SecureHeaders
|
|
|
252
279
|
end
|
|
253
280
|
|
|
254
281
|
safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
|
|
255
|
-
|
|
282
|
+
SecureHeaders.content_security_policy_script_nonce(safari_request)
|
|
256
283
|
hash = SecureHeaders.header_hash_for(safari_request)
|
|
257
284
|
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
|
|
258
285
|
end
|
|
@@ -530,6 +557,14 @@ module SecureHeaders
|
|
|
530
557
|
end.to raise_error(XContentTypeOptionsConfigError)
|
|
531
558
|
end
|
|
532
559
|
|
|
560
|
+
it "validates your clear site data config upon configuration" do
|
|
561
|
+
expect do
|
|
562
|
+
Configuration.default do |config|
|
|
563
|
+
config.clear_site_data = 1
|
|
564
|
+
end
|
|
565
|
+
end.to raise_error(ClearSiteDataConfigError)
|
|
566
|
+
end
|
|
567
|
+
|
|
533
568
|
it "validates your x_xss config upon configuration" do
|
|
534
569
|
expect do
|
|
535
570
|
Configuration.default do |config|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.6.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2017-07-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -38,7 +38,7 @@ dependencies:
|
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
|
-
description:
|
|
41
|
+
description: Manages application of security headers with many safe defaults.
|
|
42
42
|
email:
|
|
43
43
|
- neil.matatall@gmail.com
|
|
44
44
|
executables: []
|
|
@@ -53,14 +53,23 @@ files:
|
|
|
53
53
|
- ".ruby-version"
|
|
54
54
|
- ".travis.yml"
|
|
55
55
|
- CHANGELOG.md
|
|
56
|
+
- CODE_OF_CONDUCT.md
|
|
57
|
+
- CONTRIBUTING.md
|
|
56
58
|
- Gemfile
|
|
57
59
|
- Guardfile
|
|
58
60
|
- LICENSE
|
|
59
61
|
- README.md
|
|
60
62
|
- Rakefile
|
|
63
|
+
- docs/HPKP.md
|
|
64
|
+
- docs/cookies.md
|
|
65
|
+
- docs/hashes.md
|
|
66
|
+
- docs/named_overrides_and_appends.md
|
|
67
|
+
- docs/per_action_configuration.md
|
|
68
|
+
- docs/sinatra.md
|
|
61
69
|
- lib/secure_headers.rb
|
|
62
70
|
- lib/secure_headers/configuration.rb
|
|
63
71
|
- lib/secure_headers/hash_helper.rb
|
|
72
|
+
- lib/secure_headers/headers/clear_site_data.rb
|
|
64
73
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
65
74
|
- lib/secure_headers/headers/content_security_policy_config.rb
|
|
66
75
|
- lib/secure_headers/headers/cookie.rb
|
|
@@ -80,6 +89,7 @@ files:
|
|
|
80
89
|
- lib/tasks/tasks.rake
|
|
81
90
|
- secure_headers.gemspec
|
|
82
91
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
92
|
+
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
83
93
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
84
94
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
85
95
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
@@ -116,13 +126,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
116
126
|
version: '0'
|
|
117
127
|
requirements: []
|
|
118
128
|
rubyforge_project:
|
|
119
|
-
rubygems_version: 2.
|
|
129
|
+
rubygems_version: 2.5.2
|
|
120
130
|
signing_key:
|
|
121
131
|
specification_version: 4
|
|
122
132
|
summary: Add easily configured security headers to responses including content-security-policy,
|
|
123
133
|
x-frame-options, strict-transport-security, etc.
|
|
124
134
|
test_files:
|
|
125
135
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
136
|
+
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
126
137
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
127
138
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
128
139
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|