secure_headers 3.6.7 → 4.0.0.alpha01

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. checksums.yaml +4 -4
  2. data/.rspec +1 -0
  3. data/.rubocop.yml +3 -0
  4. data/.ruby-version +1 -1
  5. data/.travis.yml +8 -6
  6. data/CHANGELOG.md +2 -6
  7. data/CONTRIBUTING.md +1 -1
  8. data/Gemfile +7 -4
  9. data/Guardfile +1 -0
  10. data/README.md +4 -18
  11. data/Rakefile +22 -18
  12. data/docs/cookies.md +16 -2
  13. data/lib/secure_headers/configuration.rb +5 -12
  14. data/lib/secure_headers/hash_helper.rb +2 -1
  15. data/lib/secure_headers/headers/clear_site_data.rb +2 -1
  16. data/lib/secure_headers/headers/content_security_policy.rb +7 -12
  17. data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
  18. data/lib/secure_headers/headers/cookie.rb +21 -3
  19. data/lib/secure_headers/headers/policy_management.rb +10 -2
  20. data/lib/secure_headers/headers/public_key_pins.rb +4 -3
  21. data/lib/secure_headers/headers/referrer_policy.rb +1 -0
  22. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  23. data/lib/secure_headers/headers/x_content_type_options.rb +1 -0
  24. data/lib/secure_headers/headers/x_download_options.rb +2 -1
  25. data/lib/secure_headers/headers/x_frame_options.rb +1 -0
  26. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -1
  27. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  28. data/lib/secure_headers/middleware.rb +10 -9
  29. data/lib/secure_headers/railtie.rb +7 -6
  30. data/lib/secure_headers/utils/cookies_config.rb +13 -12
  31. data/lib/secure_headers/view_helper.rb +2 -1
  32. data/lib/secure_headers.rb +1 -0
  33. data/lib/tasks/tasks.rake +2 -1
  34. data/secure_headers.gemspec +13 -3
  35. data/spec/lib/secure_headers/configuration_spec.rb +9 -8
  36. data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +2 -1
  37. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +11 -16
  38. data/spec/lib/secure_headers/headers/cookie_spec.rb +38 -20
  39. data/spec/lib/secure_headers/headers/policy_management_spec.rb +20 -10
  40. data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +7 -6
  41. data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +4 -3
  42. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -4
  43. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -1
  44. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +3 -2
  45. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +2 -1
  46. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +4 -3
  47. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +4 -3
  48. data/spec/lib/secure_headers/middleware_spec.rb +18 -21
  49. data/spec/lib/secure_headers/view_helpers_spec.rb +5 -4
  50. data/spec/lib/secure_headers_spec.rb +92 -120
  51. data/spec/spec_helper.rb +9 -22
  52. data/upgrading-to-4-0.md +49 -0
  53. metadata +15 -8
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 9ba9d50d38ff5d5eb3770fd8e2d445ac0c8bf934
4
- data.tar.gz: 0d0a0bd64c859ce0421effd4b1648de3df8acfa1
3
+ metadata.gz: 1cfa800eacf250583e379d13a9149d585bc2f48d
4
+ data.tar.gz: 3de8c81b1308ec9d1d53f822cff8eeb7e20b5af0
5
5
  SHA512:
6
- metadata.gz: d0c708c8b93bf64c601a0fe7c358a9d2270016a80931d786774e8180ca50b7c61207e4f9759fb085fde7703099a1be96c4b5210b642d17a0c13000a4cdc8c51f
7
- data.tar.gz: 00fe77abc4a759ada4b509b899c48f0b0ee62d86b151b5c6a41f6bbde390c4dccc8ed1a33e02ed67a45fa8e2d61da0ebeeefa1c2a59566e587b583f53df98805
6
+ metadata.gz: 4c25ae5372ac00f74b0cae3b7de0a767a15b45f275bed64994c2cd7d078a2f0b52bdce562d14280984ad494fd008445d5d5448a3ac94694cd1f9778da3deeacc
7
+ data.tar.gz: 6fab2c382ed56f9a63dd118a34b617fb82b4ee4e9ef55f37d78e134ec9068c9ee1022ba0a94991d0b7b82ea756d78132d3c0dfc909e66d4068acde4f6d2673ff
data/.rspec CHANGED
@@ -1,2 +1,3 @@
1
1
  --order rand
2
2
  --warnings
3
+ --format progress
data/.rubocop.yml ADDED
@@ -0,0 +1,3 @@
1
+ inherit_gem:
2
+ rubocop-github:
3
+ - config/default.yml
data/.ruby-version CHANGED
@@ -1 +1 @@
1
- 2.3.3
1
+ 2.4.1
data/.travis.yml CHANGED
@@ -2,15 +2,17 @@ language: ruby
2
2
 
3
3
  rvm:
4
4
  - ruby-head
5
- - 2.4.0
6
- - 2.3.3
5
+ - 2.4.1
6
+ - 2.3.4
7
7
  - 2.2
8
- - 2.1
9
- - 2.0.0
10
- - 1.9.3
11
- - jruby-19mode
12
8
  - jruby-head
13
9
 
10
+ env:
11
+ - SUITE=rspec spec
12
+ - SUITE=rubocop
13
+
14
+ script: bundle exec $SUITE
15
+
14
16
  matrix:
15
17
  allow_failures:
16
18
  - rvm: jruby-head
data/CHANGELOG.md CHANGED
@@ -1,10 +1,6 @@
1
- ## 3.6.7
1
+ ## 4.x
2
2
 
3
- Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
4
-
5
- ## 3.6.6
6
-
7
- wat?
3
+ - See the [upgrading to 4.0](upgrading-to-4.0.md) guide. Lots of breaking changes.
8
4
 
9
5
  ## 3.6.5
10
6
 
data/CONTRIBUTING.md CHANGED
@@ -30,7 +30,7 @@ Here are a few things you can do that will increase the likelihood of your pull
30
30
  0. Ensure CI is green
31
31
  0. Pull the latest code
32
32
  0. Increment the version
33
- 0. Run `gem build darrrr.gemspec`
33
+ 0. Run `gem build secure_headers.gemspec`
34
34
  0. Bump the Gemfile and Gemfile.lock versions for an app which relies on this gem
35
35
  0. Test behavior locally, branch deploy, whatever needs to happen
36
36
  0. Run `bundle exec rake release`
data/Gemfile CHANGED
@@ -1,19 +1,22 @@
1
+ # frozen_string_literal: true
1
2
  source "https://rubygems.org"
2
3
 
3
4
  gemspec
4
5
 
5
6
  group :test do
6
- gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
7
- gem "pry-nav"
7
+ gem "coveralls"
8
8
  gem "json", "~> 1"
9
+ gem "pry-nav"
9
10
  gem "rack", "~> 1"
10
11
  gem "rspec"
11
- gem "coveralls"
12
+ gem "rubocop", "~> 0.47.0"
13
+ gem "rubocop-github"
12
14
  gem "term-ansicolor", "< 1.4"
15
+ gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
13
16
  end
14
17
 
15
18
  group :guard do
16
- gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
17
19
  gem "growl"
20
+ gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
18
21
  gem "rb-fsevent"
19
22
  end
data/Guardfile CHANGED
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
2
3
  require "guard/rspec/dsl"
3
4
  dsl = Guard::RSpec::Dsl.new(self)
data/README.md CHANGED
@@ -1,9 +1,10 @@
1
1
  # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
2
2
 
3
+ **master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
3
4
 
4
- **The 3.x branch was recently merged**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
5
+ **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
5
6
 
6
- **The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be maintained**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
7
+ **The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
7
8
 
8
9
  The gem will automatically apply several headers that are related to security. This includes:
9
10
  - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
@@ -77,8 +78,7 @@ SecureHeaders::Configuration.default do |config|
77
78
  "executionContexts"
78
79
  ]
79
80
  config.csp = {
80
- # "meta" values. these will shaped the header, but the values are not included in the header.
81
- # report_only: true, # default: false [DEPRECATED from 3.5.0: instead, configure csp_report_only]
81
+ # "meta" values. these will shape the header, but the values are not included in the header.
82
82
  preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
83
83
 
84
84
  # directive values: these values will directly translate into source directives
@@ -132,20 +132,6 @@ X-Permitted-Cross-Domain-Policies: none
132
132
  X-Xss-Protection: 1; mode=block
133
133
  ```
134
134
 
135
- ### Default CSP
136
-
137
- By default, the above CSP will be applied to all requests. If you **only** want to set a Report-Only header, opt-out of the default enforced header for clarity. The configuration will assume that if you only supply `csp_report_only` that you intended to opt-out of `csp` but that's for the sake of backwards compatibility and it will be removed in the future.
138
-
139
- ```ruby
140
- Configuration.default do |config|
141
- config.csp = SecureHeaders::OPT_OUT # If this line is omitted, we will assume you meant to opt out.
142
- config.csp_report_only = {
143
- default_src: %w('self')
144
- }
145
- end
146
- ```
147
-
148
-
149
135
  ## Similar libraries
150
136
 
151
137
  * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)
data/Rakefile CHANGED
@@ -1,28 +1,32 @@
1
1
  #!/usr/bin/env rake
2
- require 'bundler/gem_tasks'
3
- require 'rspec/core/rake_task'
4
- require 'net/http'
5
- require 'net/https'
2
+ # frozen_string_literal: true
3
+ require "bundler/gem_tasks"
4
+ require "rspec/core/rake_task"
5
+ require "net/http"
6
+ require "net/https"
6
7
 
7
- desc "Run RSpec"
8
- RSpec::Core::RakeTask.new do |t|
9
- t.verbose = false
10
- t.rspec_opts = "--format progress"
11
- end
12
-
13
- task default: :spec
8
+ RSpec::Core::RakeTask.new
14
9
 
15
10
  begin
16
- require 'rdoc/task'
11
+ require "rdoc/task"
17
12
  rescue LoadError
18
- require 'rdoc/rdoc'
19
- require 'rake/rdoctask'
13
+ require "rdoc/rdoc"
14
+ require "rake/rdoctask"
20
15
  RDoc::Task = Rake::RDocTask
21
16
  end
22
17
 
18
+ begin
19
+ require "rubocop/rake_task"
20
+ RuboCop::RakeTask.new
21
+ rescue LoadError
22
+ task(:rubocop) { $stderr.puts "RuboCop is disabled" }
23
+ end
24
+
23
25
  RDoc::Task.new(:rdoc) do |rdoc|
24
- rdoc.rdoc_dir = 'rdoc'
25
- rdoc.title = 'SecureHeaders'
26
- rdoc.options << '--line-numbers'
27
- rdoc.rdoc_files.include('lib/**/*.rb')
26
+ rdoc.rdoc_dir = "rdoc"
27
+ rdoc.title = "SecureHeaders"
28
+ rdoc.options << "--line-numbers"
29
+ rdoc.rdoc_files.include("lib/**/*.rb")
28
30
  end
31
+
32
+ task default: [:spec, :rubocop]
data/docs/cookies.md CHANGED
@@ -4,14 +4,28 @@ SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.
4
4
 
5
5
  __Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
6
6
 
7
+ #### Defaults
8
+
9
+ By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`.
10
+
11
+ ```ruby
12
+ config.cookies = {
13
+ secure: true, # defaults to true but will be a no op on non-HTTPS requests
14
+ httponly: true, # defaults to true
15
+ samesite: { # defaults to set `SameSite=Lax`
16
+ lax: true
17
+ }
18
+ }
19
+ ```
20
+
7
21
  #### Boolean-based configuration
8
22
 
9
- Boolean-based configuration is intended to globally enable or disable a specific cookie attribute.
23
+ Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.*
10
24
 
11
25
  ```ruby
12
26
  config.cookies = {
13
27
  secure: true, # mark all cookies as Secure
14
- httponly: false, # do not mark any cookies as HttpOnly
28
+ httponly: OPT_OUT, # do not mark any cookies as HttpOnly
15
29
  }
16
30
  ```
17
31
 
@@ -1,4 +1,5 @@
1
- require 'yaml'
1
+ # frozen_string_literal: true
2
+ require "yaml"
2
3
 
3
4
  module SecureHeaders
4
5
  class Configuration
@@ -205,8 +206,7 @@ module SecureHeaders
205
206
  end
206
207
 
207
208
  def secure_cookies=(secure_cookies)
208
- Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#secure_cookies=` is deprecated. Please use `#cookies=` to configure secure cookies instead."
209
- @cookies = (@cookies || {}).merge(secure: secure_cookies)
209
+ raise ArgumentError, "#{Kernel.caller.first}: `#secure_cookies=` is no longer supported. Please use `#cookies=` to configure secure cookies instead."
210
210
  end
211
211
 
212
212
  def csp=(new_csp)
@@ -214,10 +214,8 @@ module SecureHeaders
214
214
  @csp = new_csp.dup
215
215
  else
216
216
  if new_csp[:report_only]
217
- # Deprecated configuration implies that CSPRO should be set, CSP should not - so opt out
218
- Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
219
- @csp = OPT_OUT
220
- self.csp_report_only = new_csp
217
+ # invalid configuration implies that CSPRO should be set, CSP should not - so opt out
218
+ raise ArgumentError, "#{Kernel.caller.first}: `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
221
219
  else
222
220
  @csp = ContentSecurityPolicyConfig.new(new_csp)
223
221
  end
@@ -244,11 +242,6 @@ module SecureHeaders
244
242
  end
245
243
  end
246
244
  end
247
-
248
- if !@csp_report_only.opt_out? && @csp.to_h == ContentSecurityPolicyConfig::DEFAULT
249
- Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp_report_only=` was configured before `#csp=`. It is assumed you intended to opt out of `#csp=` so be sure to add `config.csp = SecureHeaders::OPT_OUT` to your config. Ensure that #csp_report_only is configured after #csp="
250
- @csp = OPT_OUT
251
- end
252
245
  end
253
246
 
254
247
  protected
@@ -1,4 +1,5 @@
1
- require 'base64'
1
+ # frozen_string_literal: true
2
+ require "base64"
2
3
 
3
4
  module SecureHeaders
4
5
  module HashHelper
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class ClearSiteDataConfigError < StandardError; end
3
4
  class ClearSiteData
@@ -16,7 +17,7 @@ module SecureHeaders
16
17
  # Public: make an Clear-Site-Data header name, value pair
17
18
  #
18
19
  # Returns nil if not configured, returns header name and value if configured.
19
- def make_header(config=nil)
20
+ def make_header(config = nil)
20
21
  case config
21
22
  when nil, OPT_OUT, []
22
23
  # noop
@@ -1,6 +1,7 @@
1
- require_relative 'policy_management'
2
- require_relative 'content_security_policy_config'
3
- require 'useragent'
1
+ # frozen_string_literal: true
2
+ require_relative "policy_management"
3
+ require_relative "content_security_policy_config"
4
+ require "useragent"
4
5
 
5
6
  module SecureHeaders
6
7
  class ContentSecurityPolicy
@@ -54,18 +55,12 @@ module SecureHeaders
54
55
 
55
56
  private
56
57
 
57
- # frame-src is deprecated, child-src is being implemented. They are
58
- # very similar and in most cases, the same value can be used for both.
59
58
  def normalize_child_frame_src
60
59
  if @config.frame_src && @config.child_src && @config.frame_src != @config.child_src
61
- Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers.")
60
+ raise ArgumentError, "#{Kernel.caller.first}: both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers."
62
61
  end
63
62
 
64
- if supported_directives.include?(:child_src)
65
- @config.child_src || @config.frame_src
66
- else
67
- @config.frame_src || @config.child_src
68
- end
63
+ @config.frame_src || @config.child_src
69
64
  end
70
65
 
71
66
  # Private: converts the config object into a string representing a policy.
@@ -229,7 +224,7 @@ module SecureHeaders
229
224
  end
230
225
 
231
226
  def symbol_to_hyphen_case(sym)
232
- sym.to_s.tr('_', '-')
227
+ sym.to_s.tr("_", "-")
233
228
  end
234
229
  end
235
230
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  module DynamicConfig
3
4
  def self.included(base)
@@ -1,5 +1,7 @@
1
- require 'cgi'
2
- require 'secure_headers/utils/cookies_config'
1
+ # frozen_string_literal: true
2
+ require "cgi"
3
+ require "secure_headers/utils/cookies_config"
4
+
3
5
 
4
6
  module SecureHeaders
5
7
  class CookiesConfigError < StandardError; end
@@ -13,8 +15,18 @@ module SecureHeaders
13
15
 
14
16
  attr_reader :raw_cookie, :config
15
17
 
18
+ COOKIE_DEFAULTS = {
19
+ httponly: true,
20
+ secure: true,
21
+ samesite: { lax: true },
22
+ }.freeze
23
+
16
24
  def initialize(cookie, config)
17
25
  @raw_cookie = cookie
26
+ unless config == OPT_OUT
27
+ config ||= {}
28
+ config = COOKIE_DEFAULTS.merge(config)
29
+ end
18
30
  @config = config
19
31
  @attributes = {
20
32
  httponly: nil,
@@ -56,6 +68,7 @@ module SecureHeaders
56
68
  end
57
69
 
58
70
  def flag_cookie?(attribute)
71
+ return false if config == OPT_OUT
59
72
  case config[attribute]
60
73
  when TrueClass
61
74
  true
@@ -85,6 +98,7 @@ module SecureHeaders
85
98
  end
86
99
 
87
100
  def flag_samesite?
101
+ return false if config == OPT_OUT || config[:samesite] == OPT_OUT
88
102
  flag_samesite_lax? || flag_samesite_strict?
89
103
  end
90
104
 
@@ -99,6 +113,10 @@ module SecureHeaders
99
113
  def flag_samesite_enforcement?(mode)
100
114
  return unless config[:samesite]
101
115
 
116
+ if config[:samesite].is_a?(TrueClass) && mode == :lax
117
+ return true
118
+ end
119
+
102
120
  case config[:samesite][mode]
103
121
  when Hash
104
122
  conditionally_flag?(config[:samesite][mode])
@@ -113,7 +131,7 @@ module SecureHeaders
113
131
  return unless cookie
114
132
 
115
133
  cookie.split(/[;,]\s?/).each do |pairs|
116
- name, values = pairs.split('=',2)
134
+ name, values = pairs.split("=", 2)
117
135
  name = CGI.unescape(name)
118
136
 
119
137
  attribute = name.downcase.to_sym
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  module PolicyManagement
3
4
  def self.included(base)
@@ -5,8 +6,14 @@ module SecureHeaders
5
6
  end
6
7
 
7
8
  MODERN_BROWSERS = %w(Chrome Opera Firefox)
8
- DEFAULT_VALUE = "default-src https:".freeze
9
- DEFAULT_CONFIG = { default_src: %w(https:) }.freeze
9
+ DEFAULT_CONFIG = {
10
+ default_src: %w(https:),
11
+ img_src: %w(https: data: 'self'),
12
+ object_src: %w('none'),
13
+ script_src: %w(https:),
14
+ style_src: %w('self' 'unsafe-inline' https:),
15
+ form_action: %w('self')
16
+ }.freeze
10
17
  DATA_PROTOCOL = "data:".freeze
11
18
  BLOB_PROTOCOL = "blob:".freeze
12
19
  SELF = "'self'".freeze
@@ -195,6 +202,7 @@ module SecureHeaders
195
202
  def validate_config!(config)
196
203
  return if config.nil? || config.opt_out?
197
204
  raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
205
+ raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous") unless config.directive_value(:script_src)
198
206
  ContentSecurityPolicyConfig.attrs.each do |key|
199
207
  value = config.directive_value(key)
200
208
  next unless value
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class PublicKeyPinsConfigError < StandardError; end
3
4
  class PublicKeyPins
@@ -54,7 +55,7 @@ module SecureHeaders
54
55
  pin_directives,
55
56
  report_uri_directive,
56
57
  subdomain_directive
57
- ].compact.join('; ').strip
58
+ ].compact.join("; ").strip
58
59
  end
59
60
 
60
61
  def pin_directives
@@ -63,7 +64,7 @@ module SecureHeaders
63
64
  pin.map do |token, hash|
64
65
  "pin-#{token}=\"#{hash}\"" if HASH_ALGORITHMS.include?(token)
65
66
  end
66
- end.join('; ')
67
+ end.join("; ")
67
68
  end
68
69
 
69
70
  def max_age_directive
@@ -75,7 +76,7 @@ module SecureHeaders
75
76
  end
76
77
 
77
78
  def subdomain_directive
78
- @include_subdomains ? 'includeSubDomains' : nil
79
+ @include_subdomains ? "includeSubDomains" : nil
79
80
  end
80
81
  end
81
82
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class ReferrerPolicyConfigError < StandardError; end
3
4
  class ReferrerPolicy
@@ -1,8 +1,9 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class STSConfigError < StandardError; end
3
4
 
4
5
  class StrictTransportSecurity
5
- HEADER_NAME = 'Strict-Transport-Security'.freeze
6
+ HEADER_NAME = "Strict-Transport-Security".freeze
6
7
  HSTS_MAX_AGE = "631138519"
7
8
  DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
8
9
  VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class XContentTypeOptionsConfigError < StandardError; end
3
4
 
@@ -1,8 +1,9 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class XDOConfigError < StandardError; end
3
4
  class XDownloadOptions
4
5
  HEADER_NAME = "X-Download-Options".freeze
5
- DEFAULT_VALUE = 'noopen'
6
+ DEFAULT_VALUE = "noopen"
6
7
  CONFIG_KEY = :x_download_options
7
8
 
8
9
  class << self
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class XFOConfigError < StandardError; end
3
4
  class XFrameOptions
@@ -1,8 +1,9 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class XPCDPConfigError < StandardError; end
3
4
  class XPermittedCrossDomainPolicies
4
5
  HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
5
- DEFAULT_VALUE = 'none'
6
+ DEFAULT_VALUE = "none"
6
7
  VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
7
8
  CONFIG_KEY = :x_permitted_cross_domain_policies
8
9
 
@@ -1,7 +1,8 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class XXssProtectionConfigError < StandardError; end
3
4
  class XXssProtection
4
- HEADER_NAME = 'X-XSS-Protection'.freeze
5
+ HEADER_NAME = "X-XSS-Protection".freeze
5
6
  DEFAULT_VALUE = "1; mode=block"
6
7
  VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
7
8
  CONFIG_KEY = :x_xss_protection
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module SecureHeaders
2
3
  class Middleware
3
4
  HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"
@@ -25,11 +26,11 @@ module SecureHeaders
25
26
 
26
27
  # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
27
28
  def flag_cookies!(headers, config)
28
- if cookies = headers['Set-Cookie']
29
+ if cookies = headers["Set-Cookie"]
29
30
  # Support Rails 2.3 / Rack 1.1 arrays as headers
30
31
  cookies = cookies.split("\n") unless cookies.is_a?(Array)
31
32
 
32
- headers['Set-Cookie'] = cookies.map do |cookie|
33
+ headers["Set-Cookie"] = cookies.map do |cookie|
33
34
  SecureHeaders::Cookie.new(cookie, config).to_s
34
35
  end.join("\n")
35
36
  end
@@ -37,8 +38,8 @@ module SecureHeaders
37
38
 
38
39
  # disable Secure cookies for non-https requests
39
40
  def override_secure(env, config = {})
40
- if scheme(env) != 'https'
41
- config.merge!(secure: false)
41
+ if scheme(env) != "https"
42
+ config[:secure] = OPT_OUT
42
43
  end
43
44
 
44
45
  config
@@ -46,12 +47,12 @@ module SecureHeaders
46
47
 
47
48
  # derived from https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119
48
49
  def scheme(env)
49
- if env['HTTPS'] == 'on' || env['HTTP_X_SSL_REQUEST'] == 'on'
50
- 'https'
51
- elsif env['HTTP_X_FORWARDED_PROTO']
52
- env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
50
+ if env["HTTPS"] == "on" || env["HTTP_X_SSL_REQUEST"] == "on"
51
+ "https"
52
+ elsif env["HTTP_X_FORWARDED_PROTO"]
53
+ env["HTTP_X_FORWARDED_PROTO"].split(",")[0]
53
54
  else
54
- env['rack.url_scheme']
55
+ env["rack.url_scheme"]
55
56
  end
56
57
  end
57
58
  end
@@ -1,20 +1,21 @@
1
+ # frozen_string_literal: true
1
2
  # rails 3.1+
2
3
  if defined?(Rails::Railtie)
3
4
  module SecureHeaders
4
5
  class Railtie < Rails::Railtie
5
6
  isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
6
- conflicting_headers = ['X-Frame-Options', 'X-XSS-Protection',
7
- 'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
8
- 'X-Content-Type-Options', 'Strict-Transport-Security',
9
- 'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
10
- 'Public-Key-Pins', 'Public-Key-Pins-Report-Only', 'Referrer-Policy']
7
+ conflicting_headers = ["X-Frame-Options", "X-XSS-Protection",
8
+ "X-Permitted-Cross-Domain-Policies", "X-Download-Options",
9
+ "X-Content-Type-Options", "Strict-Transport-Security",
10
+ "Content-Security-Policy", "Content-Security-Policy-Report-Only",
11
+ "Public-Key-Pins", "Public-Key-Pins-Report-Only", "Referrer-Policy"]
11
12
 
12
13
  initializer "secure_headers.middleware" do
13
14
  Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware
14
15
  end
15
16
 
16
17
  rake_tasks do
17
- load File.expand_path(File.join('..', '..', 'lib', 'tasks', 'tasks.rake'), File.dirname(__FILE__))
18
+ load File.expand_path(File.join("..", "..", "lib", "tasks", "tasks.rake"), File.dirname(__FILE__))
18
19
  end
19
20
 
20
21
  initializer "secure_headers.action_controller" do