secure_headers 3.5.1 → 3.6.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. checksums.yaml +4 -4
  2. data/.rspec +1 -0
  3. data/.ruby-version +1 -1
  4. data/.travis.yml +2 -0
  5. data/CHANGELOG.md +34 -1
  6. data/CODE_OF_CONDUCT.md +46 -0
  7. data/CONTRIBUTING.md +41 -0
  8. data/LICENSE +4 -199
  9. data/README.md +36 -384
  10. data/docs/HPKP.md +17 -0
  11. data/docs/cookies.md +50 -0
  12. data/docs/hashes.md +64 -0
  13. data/docs/named_overrides_and_appends.md +107 -0
  14. data/docs/per_action_configuration.md +105 -0
  15. data/docs/sinatra.md +25 -0
  16. data/lib/secure_headers/configuration.rb +24 -5
  17. data/lib/secure_headers/headers/clear_site_data.rb +54 -0
  18. data/lib/secure_headers/headers/content_security_policy.rb +2 -2
  19. data/lib/secure_headers/headers/content_security_policy_config.rb +45 -12
  20. data/lib/secure_headers/headers/policy_management.rb +22 -22
  21. data/lib/secure_headers/headers/public_key_pins.rb +1 -1
  22. data/lib/secure_headers/headers/referrer_policy.rb +1 -1
  23. data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
  24. data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
  25. data/lib/secure_headers/headers/x_download_options.rb +1 -1
  26. data/lib/secure_headers/headers/x_frame_options.rb +1 -1
  27. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -1
  28. data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
  29. data/lib/secure_headers/view_helper.rb +2 -2
  30. data/lib/secure_headers.rb +5 -2
  31. data/secure_headers.gemspec +2 -2
  32. data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +86 -0
  33. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -8
  34. data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
  35. data/spec/lib/secure_headers/view_helpers_spec.rb +0 -1
  36. data/spec/lib/secure_headers_spec.rb +39 -4
  37. metadata +15 -4
@@ -95,9 +95,9 @@ module SecureHeaders
95
95
  <<-EOF
96
96
  \n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
97
97
  #{content}
98
- *** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:***
98
+ *** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/secure_headers_generated_hashes.yml:***
99
99
  #{file_path}:
100
- - #{hash_value}\n\n
100
+ - \"#{hash_value}\"\n\n
101
101
  NOTE: dynamic javascript is not supported using script hash integration
102
102
  on purpose. It defeats the point of using it in the first place.
103
103
  EOF
@@ -10,6 +10,7 @@ require "secure_headers/headers/x_content_type_options"
10
10
  require "secure_headers/headers/x_download_options"
11
11
  require "secure_headers/headers/x_permitted_cross_domain_policies"
12
12
  require "secure_headers/headers/referrer_policy"
13
+ require "secure_headers/headers/clear_site_data"
13
14
  require "secure_headers/middleware"
14
15
  require "secure_headers/railtie"
15
16
  require "secure_headers/view_helper"
@@ -50,6 +51,7 @@ module SecureHeaders
50
51
  CSP = ContentSecurityPolicy
51
52
 
52
53
  ALL_HEADER_CLASSES = [
54
+ ClearSiteData,
53
55
  ContentSecurityPolicyConfig,
54
56
  ContentSecurityPolicyReportOnlyConfig,
55
57
  StrictTransportSecurity,
@@ -161,7 +163,8 @@ module SecureHeaders
161
163
  # returned is meant to be merged into the header value from `@app.call(env)`
162
164
  # in Rack middleware.
163
165
  def header_hash_for(request)
164
- config = config_for(request, prevent_dup = true)
166
+ prevent_dup = true
167
+ config = config_for(request, prevent_dup)
165
168
  headers = config.cached_headers
166
169
  user_agent = UserAgent.parse(request.user_agent)
167
170
 
@@ -175,7 +178,7 @@ module SecureHeaders
175
178
 
176
179
  header_classes_for(request).each_with_object({}) do |klass, hash|
177
180
  if header = headers[klass::CONFIG_KEY]
178
- header_name, value = if [ContentSecurityPolicyConfig, ContentSecurityPolicyReportOnlyConfig].include?(klass)
181
+ header_name, value = if klass == ContentSecurityPolicyConfig || klass == ContentSecurityPolicyReportOnlyConfig
179
182
  csp_header_for_ua(header, user_agent)
180
183
  else
181
184
  header
@@ -1,10 +1,10 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.5.1"
4
+ gem.version = "3.6.7"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
- gem.description = 'Security related headers all in one gem.'
7
+ gem.description = 'Manages application of security headers with many safe defaults.'
8
8
  gem.summary = 'Add easily configured security headers to responses
9
9
  including content-security-policy, x-frame-options,
10
10
  strict-transport-security, etc.'
@@ -0,0 +1,86 @@
1
+ require 'spec_helper'
2
+
3
+ module SecureHeaders
4
+ describe ClearSiteData do
5
+ describe "make_header" do
6
+ it "returns nil with nil config" do
7
+ expect(described_class.make_header).to be_nil
8
+ end
9
+
10
+ it "returns nil with empty config" do
11
+ expect(described_class.make_header([])).to be_nil
12
+ end
13
+
14
+ it "returns nil with opt-out config" do
15
+ expect(described_class.make_header(OPT_OUT)).to be_nil
16
+ end
17
+
18
+ it "returns all types with `true` config" do
19
+ name, value = described_class.make_header(true)
20
+
21
+ expect(name).to eq(ClearSiteData::HEADER_NAME)
22
+ expect(value).to eq(
23
+ %("cache", "cookies", "storage", "executionContexts")
24
+ )
25
+ end
26
+
27
+ it "returns specified types" do
28
+ name, value = described_class.make_header(["foo", "bar"])
29
+
30
+ expect(name).to eq(ClearSiteData::HEADER_NAME)
31
+ expect(value).to eq(%("foo", "bar"))
32
+ end
33
+ end
34
+
35
+ describe "validate_config!" do
36
+ it "succeeds for `true` config" do
37
+ expect do
38
+ described_class.validate_config!(true)
39
+ end.not_to raise_error
40
+ end
41
+
42
+ it "succeeds for `nil` config" do
43
+ expect do
44
+ described_class.validate_config!(nil)
45
+ end.not_to raise_error
46
+ end
47
+
48
+ it "succeeds for opt-out config" do
49
+ expect do
50
+ described_class.validate_config!(OPT_OUT)
51
+ end.not_to raise_error
52
+ end
53
+
54
+ it "succeeds for empty config" do
55
+ expect do
56
+ described_class.validate_config!([])
57
+ end.not_to raise_error
58
+ end
59
+
60
+ it "succeeds for Array of Strings config" do
61
+ expect do
62
+ described_class.validate_config!(["foo"])
63
+ end.not_to raise_error
64
+ end
65
+
66
+ it "fails for Array of non-String config" do
67
+ expect do
68
+ described_class.validate_config!([1])
69
+ end.to raise_error(ClearSiteDataConfigError)
70
+ end
71
+
72
+ it "fails for other types of config" do
73
+ expect do
74
+ described_class.validate_config!(:cookies)
75
+ end.to raise_error(ClearSiteDataConfigError)
76
+ end
77
+ end
78
+
79
+ describe "make_header_value" do
80
+ it "returns a string of quoted values that are comma separated" do
81
+ value = described_class.make_header_value(["foo", "bar"])
82
+ expect(value).to eq(%("foo", "bar"))
83
+ end
84
+ end
85
+ end
86
+ end
@@ -86,8 +86,8 @@ module SecureHeaders
86
86
  expect(csp.value).to eq("default-src example.org")
87
87
  end
88
88
 
89
- it "emits a warning when using frame-src" do
90
- expect(Kernel).to receive(:warn).with(/:frame_src is deprecated, use :child_src instead./)
89
+ it "does not emit a warning when using frame-src" do
90
+ expect(Kernel).to_not receive(:warn)
91
91
  ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
92
92
  end
93
93
 
@@ -119,7 +119,6 @@ module SecureHeaders
119
119
  end.merge({
120
120
  block_all_mixed_content: true,
121
121
  upgrade_insecure_requests: true,
122
- reflected_xss: "block",
123
122
  script_src: %w(script-src.com),
124
123
  script_nonce: 123456
125
124
  })
@@ -127,22 +126,22 @@ module SecureHeaders
127
126
 
128
127
  it "does not filter any directives for Chrome" do
129
128
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
130
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
129
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
131
130
  end
132
131
 
133
132
  it "does not filter any directives for Opera" do
134
133
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
135
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
134
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
136
135
  end
137
136
 
138
137
  it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
139
138
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
140
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
139
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
141
140
  end
142
141
 
143
142
  it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
144
143
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
145
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
144
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
146
145
  end
147
146
 
148
147
  it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
@@ -155,11 +154,16 @@ module SecureHeaders
155
154
  expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
156
155
  end
157
156
 
157
+ it "adds 'unsafe-inline', filters blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
158
+ policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
159
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
160
+ end
161
+
158
162
  it "falls back to standard Firefox defaults when the useragent version is not present" do
159
163
  ua = USER_AGENTS[:firefox].dup
160
164
  allow(ua).to receive(:version).and_return(nil)
161
165
  policy = ContentSecurityPolicy.new(complex_opts, ua)
162
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
166
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
163
167
  end
164
168
  end
165
169
  end
@@ -27,6 +27,7 @@ module SecureHeaders
27
27
  connect_src: %w(wss:),
28
28
  font_src: %w('self' data:),
29
29
  img_src: %w(mycdn.com data:),
30
+ manifest_src: %w(manifest.com),
30
31
  media_src: %w(utoob.com),
31
32
  object_src: %w('self'),
32
33
  script_src: %w('self'),
@@ -37,7 +37,6 @@ class Message < ERB
37
37
  background-color: black;
38
38
  }
39
39
  </style>
40
- <%= @name %>
41
40
 
42
41
  TEMPLATE
43
42
  end
@@ -105,7 +105,7 @@ module SecureHeaders
105
105
  end
106
106
 
107
107
  it "produces a UA-specific CSP when overriding (and busting the cache)" do
108
- config = Configuration.default do |config|
108
+ Configuration.default do |config|
109
109
  config.csp = {
110
110
  default_src: %w('self'),
111
111
  child_src: %w('self')
@@ -173,6 +173,33 @@ module SecureHeaders
173
173
  expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
174
174
  end
175
175
 
176
+ it "appends child-src to frame-src" do
177
+ Configuration.default do |config|
178
+ config.csp = {
179
+ default_src: %w('self'),
180
+ frame_src: %w(frame_src.com)
181
+ }
182
+ end
183
+
184
+ SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
185
+ hash = SecureHeaders.header_hash_for(chrome_request)
186
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
187
+ end
188
+
189
+ it "appends frame-src to child-src" do
190
+ Configuration.default do |config|
191
+ config.csp = {
192
+ default_src: %w('self'),
193
+ child_src: %w(child_src.com)
194
+ }
195
+ end
196
+
197
+ safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
198
+ SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
199
+ hash = SecureHeaders.header_hash_for(safari_request)
200
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
201
+ end
202
+
176
203
  it "supports named appends" do
177
204
  Configuration.default do |config|
178
205
  config.csp = {
@@ -204,7 +231,7 @@ module SecureHeaders
204
231
 
205
232
  SecureHeaders.content_security_policy_script_nonce(request) # should add the value to the header
206
233
  hash = SecureHeaders.header_hash_for(chrome_request)
207
- expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/
234
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/)
208
235
  end
209
236
 
210
237
  it "appends a hash to a missing script-src value" do
@@ -216,7 +243,7 @@ module SecureHeaders
216
243
 
217
244
  SecureHeaders.append_content_security_policy_directives(request, script_src: %w('sha256-abc123'))
218
245
  hash = SecureHeaders.header_hash_for(chrome_request)
219
- expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/
246
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/)
220
247
  end
221
248
 
222
249
  it "overrides individual directives" do
@@ -252,7 +279,7 @@ module SecureHeaders
252
279
  end
253
280
 
254
281
  safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
255
- nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
282
+ SecureHeaders.content_security_policy_script_nonce(safari_request)
256
283
  hash = SecureHeaders.header_hash_for(safari_request)
257
284
  expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
258
285
  end
@@ -530,6 +557,14 @@ module SecureHeaders
530
557
  end.to raise_error(XContentTypeOptionsConfigError)
531
558
  end
532
559
 
560
+ it "validates your clear site data config upon configuration" do
561
+ expect do
562
+ Configuration.default do |config|
563
+ config.clear_site_data = 1
564
+ end
565
+ end.to raise_error(ClearSiteDataConfigError)
566
+ end
567
+
533
568
  it "validates your x_xss config upon configuration" do
534
569
  expect do
535
570
  Configuration.default do |config|
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.1
4
+ version: 3.6.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-11-11 00:00:00.000000000 Z
11
+ date: 2017-07-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -38,7 +38,7 @@ dependencies:
38
38
  - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: '0'
41
- description: Security related headers all in one gem.
41
+ description: Manages application of security headers with many safe defaults.
42
42
  email:
43
43
  - neil.matatall@gmail.com
44
44
  executables: []
@@ -53,14 +53,23 @@ files:
53
53
  - ".ruby-version"
54
54
  - ".travis.yml"
55
55
  - CHANGELOG.md
56
+ - CODE_OF_CONDUCT.md
57
+ - CONTRIBUTING.md
56
58
  - Gemfile
57
59
  - Guardfile
58
60
  - LICENSE
59
61
  - README.md
60
62
  - Rakefile
63
+ - docs/HPKP.md
64
+ - docs/cookies.md
65
+ - docs/hashes.md
66
+ - docs/named_overrides_and_appends.md
67
+ - docs/per_action_configuration.md
68
+ - docs/sinatra.md
61
69
  - lib/secure_headers.rb
62
70
  - lib/secure_headers/configuration.rb
63
71
  - lib/secure_headers/hash_helper.rb
72
+ - lib/secure_headers/headers/clear_site_data.rb
64
73
  - lib/secure_headers/headers/content_security_policy.rb
65
74
  - lib/secure_headers/headers/content_security_policy_config.rb
66
75
  - lib/secure_headers/headers/cookie.rb
@@ -80,6 +89,7 @@ files:
80
89
  - lib/tasks/tasks.rake
81
90
  - secure_headers.gemspec
82
91
  - spec/lib/secure_headers/configuration_spec.rb
92
+ - spec/lib/secure_headers/headers/clear_site_data_spec.rb
83
93
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
84
94
  - spec/lib/secure_headers/headers/cookie_spec.rb
85
95
  - spec/lib/secure_headers/headers/policy_management_spec.rb
@@ -116,13 +126,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
116
126
  version: '0'
117
127
  requirements: []
118
128
  rubyforge_project:
119
- rubygems_version: 2.4.5.1
129
+ rubygems_version: 2.5.2
120
130
  signing_key:
121
131
  specification_version: 4
122
132
  summary: Add easily configured security headers to responses including content-security-policy,
123
133
  x-frame-options, strict-transport-security, etc.
124
134
  test_files:
125
135
  - spec/lib/secure_headers/configuration_spec.rb
136
+ - spec/lib/secure_headers/headers/clear_site_data_spec.rb
126
137
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
127
138
  - spec/lib/secure_headers/headers/cookie_spec.rb
128
139
  - spec/lib/secure_headers/headers/policy_management_spec.rb