secure_headers 3.6.7 → 4.0.0.alpha01

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. checksums.yaml +4 -4
  2. data/.rspec +1 -0
  3. data/.rubocop.yml +3 -0
  4. data/.ruby-version +1 -1
  5. data/.travis.yml +8 -6
  6. data/CHANGELOG.md +2 -6
  7. data/CONTRIBUTING.md +1 -1
  8. data/Gemfile +7 -4
  9. data/Guardfile +1 -0
  10. data/README.md +4 -18
  11. data/Rakefile +22 -18
  12. data/docs/cookies.md +16 -2
  13. data/lib/secure_headers/configuration.rb +5 -12
  14. data/lib/secure_headers/hash_helper.rb +2 -1
  15. data/lib/secure_headers/headers/clear_site_data.rb +2 -1
  16. data/lib/secure_headers/headers/content_security_policy.rb +7 -12
  17. data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
  18. data/lib/secure_headers/headers/cookie.rb +21 -3
  19. data/lib/secure_headers/headers/policy_management.rb +10 -2
  20. data/lib/secure_headers/headers/public_key_pins.rb +4 -3
  21. data/lib/secure_headers/headers/referrer_policy.rb +1 -0
  22. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  23. data/lib/secure_headers/headers/x_content_type_options.rb +1 -0
  24. data/lib/secure_headers/headers/x_download_options.rb +2 -1
  25. data/lib/secure_headers/headers/x_frame_options.rb +1 -0
  26. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -1
  27. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  28. data/lib/secure_headers/middleware.rb +10 -9
  29. data/lib/secure_headers/railtie.rb +7 -6
  30. data/lib/secure_headers/utils/cookies_config.rb +13 -12
  31. data/lib/secure_headers/view_helper.rb +2 -1
  32. data/lib/secure_headers.rb +1 -0
  33. data/lib/tasks/tasks.rake +2 -1
  34. data/secure_headers.gemspec +13 -3
  35. data/spec/lib/secure_headers/configuration_spec.rb +9 -8
  36. data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +2 -1
  37. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +11 -16
  38. data/spec/lib/secure_headers/headers/cookie_spec.rb +38 -20
  39. data/spec/lib/secure_headers/headers/policy_management_spec.rb +20 -10
  40. data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +7 -6
  41. data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +4 -3
  42. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -4
  43. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -1
  44. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +3 -2
  45. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +2 -1
  46. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +4 -3
  47. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +4 -3
  48. data/spec/lib/secure_headers/middleware_spec.rb +18 -21
  49. data/spec/lib/secure_headers/view_helpers_spec.rb +5 -4
  50. data/spec/lib/secure_headers_spec.rb +92 -120
  51. data/spec/spec_helper.rb +9 -22
  52. data/upgrading-to-4-0.md +49 -0
  53. metadata +15 -8
data/spec/spec_helper.rb CHANGED
@@ -1,12 +1,11 @@
1
- require 'rubygems'
2
- require 'rspec'
3
- require 'rack'
4
- require 'pry-nav'
5
-
6
- require 'coveralls'
1
+ # frozen_string_literal: true
2
+ require "rubygems"
3
+ require "rspec"
4
+ require "rack"
5
+ require "coveralls"
7
6
  Coveralls.wear!
8
7
 
9
- require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
8
+ require File.join(File.dirname(__FILE__), "..", "lib", "secure_headers")
10
9
 
11
10
 
12
11
 
@@ -14,9 +13,9 @@ USER_AGENTS = {
14
13
  edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
15
14
  firefox: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
16
15
  firefox46: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0",
17
- chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
18
- ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
19
- opera: 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
16
+ chrome: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5",
17
+ ie: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)",
18
+ opera: "Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
20
19
  ios5: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
21
20
  ios6: "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
22
21
  safari5: "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
@@ -49,15 +48,3 @@ end
49
48
  def reset_config
50
49
  SecureHeaders::Configuration.clear_configurations
51
50
  end
52
-
53
- def capture_warning
54
- begin
55
- old_stderr = $stderr
56
- $stderr = StringIO.new
57
- yield
58
- result = $stderr.string
59
- ensure
60
- $stderr = old_stderr
61
- end
62
- result
63
- end
@@ -0,0 +1,49 @@
1
+ ### Breaking Changes
2
+
3
+ The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
4
+
5
+ ## All cookies default to secure/httponly/SameSite=Lax
6
+
7
+ By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
8
+
9
+ ```ruby
10
+ # specific opt outs
11
+ config.cookies = {
12
+ secure: OPT_OUT,
13
+ httponly: OPT_OUT,
14
+ samesite: OPT_OUT,
15
+ }
16
+
17
+ # nuclear option, just make things work again
18
+ config.cookies = OPT_OUT
19
+ ```
20
+
21
+ ## Default Content Security Policy
22
+
23
+ The default CSP has changed to be more universal without sacrificing too much security.
24
+
25
+ * Flash/Java disabled by default
26
+ * `img-src` allows data: images and favicons (among others)
27
+ * `style-src` allows inline CSS by default (most find it impossible/impractical to remove inline content today)
28
+ * `form-action` (not governed by `default-src`, practically treated as `*`) is set to `'self'`
29
+
30
+ Previously, the default CSP was:
31
+
32
+ `Content-Security-Policy: default-src 'self'`
33
+
34
+ The new default policy is:
35
+
36
+ `default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:`
37
+
38
+ ## CSP configuration
39
+
40
+ * Setting `report_only: true` in a CSP config will raise an error. Instead, set `csp_report_only`.
41
+ * Setting `frame_src` and `child_src` when values don't match will raise an error. Just use `frame_src`.
42
+
43
+ ## config.secure_cookies removed
44
+
45
+ Use `config.cookies` instead.
46
+
47
+ ## Supported ruby versions
48
+
49
+ We've dropped support for ruby versions <= 2.2. Sorry.
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.6.7
4
+ version: 4.0.0.alpha01
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-07-14 00:00:00.000000000 Z
11
+ date: 2017-07-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -30,14 +30,14 @@ dependencies:
30
30
  requirements:
31
31
  - - ">="
32
32
  - !ruby/object:Gem::Version
33
- version: '0'
33
+ version: 0.15.0
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - ">="
39
39
  - !ruby/object:Gem::Version
40
- version: '0'
40
+ version: 0.15.0
41
41
  description: Manages application of security headers with many safe defaults.
42
42
  email:
43
43
  - neil.matatall@gmail.com
@@ -49,6 +49,7 @@ files:
49
49
  - ".github/PULL_REQUEST_TEMPLATE.md"
50
50
  - ".gitignore"
51
51
  - ".rspec"
52
+ - ".rubocop.yml"
52
53
  - ".ruby-gemset"
53
54
  - ".ruby-version"
54
55
  - ".travis.yml"
@@ -106,11 +107,17 @@ files:
106
107
  - spec/lib/secure_headers_spec.rb
107
108
  - spec/spec_helper.rb
108
109
  - upgrading-to-3-0.md
110
+ - upgrading-to-4-0.md
109
111
  homepage: https://github.com/twitter/secureheaders
110
112
  licenses:
111
113
  - Apache Public License 2.0
112
114
  metadata: {}
113
- post_install_message:
115
+ post_install_message: |2+
116
+
117
+ **********
118
+ :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
119
+ **********
120
+
114
121
  rdoc_options: []
115
122
  require_paths:
116
123
  - lib
@@ -121,12 +128,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
121
128
  version: '0'
122
129
  required_rubygems_version: !ruby/object:Gem::Requirement
123
130
  requirements:
124
- - - ">="
131
+ - - ">"
125
132
  - !ruby/object:Gem::Version
126
- version: '0'
133
+ version: 1.3.1
127
134
  requirements: []
128
135
  rubyforge_project:
129
- rubygems_version: 2.5.2
136
+ rubygems_version: 2.6.11
130
137
  signing_key:
131
138
  specification_version: 4
132
139
  summary: Add easily configured security headers to responses including content-security-policy,