secure_headers 3.6.7 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rspec +1 -0
- data/.rubocop.yml +3 -0
- data/.ruby-version +1 -1
- data/.travis.yml +8 -6
- data/CHANGELOG.md +12 -4
- data/CONTRIBUTING.md +1 -1
- data/Gemfile +7 -4
- data/Guardfile +1 -0
- data/README.md +13 -18
- data/Rakefile +22 -18
- data/docs/cookies.md +16 -2
- data/docs/per_action_configuration.md +28 -0
- data/lib/secure_headers/configuration.rb +9 -13
- data/lib/secure_headers/hash_helper.rb +2 -1
- data/lib/secure_headers/headers/clear_site_data.rb +4 -3
- data/lib/secure_headers/headers/content_security_policy.rb +52 -20
- data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
- data/lib/secure_headers/headers/cookie.rb +21 -3
- data/lib/secure_headers/headers/expect_certificate_transparency.rb +70 -0
- data/lib/secure_headers/headers/policy_management.rb +104 -49
- data/lib/secure_headers/headers/public_key_pins.rb +4 -3
- data/lib/secure_headers/headers/referrer_policy.rb +1 -0
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -0
- data/lib/secure_headers/headers/x_download_options.rb +2 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/middleware.rb +10 -9
- data/lib/secure_headers/railtie.rb +7 -6
- data/lib/secure_headers/utils/cookies_config.rb +13 -12
- data/lib/secure_headers/view_helper.rb +2 -1
- data/lib/secure_headers.rb +4 -1
- data/lib/tasks/tasks.rake +2 -1
- data/secure_headers.gemspec +13 -3
- data/spec/lib/secure_headers/configuration_spec.rb +9 -8
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +42 -25
- data/spec/lib/secure_headers/headers/cookie_spec.rb +38 -20
- data/spec/lib/secure_headers/headers/expect_certificate_spec.rb +42 -0
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +56 -10
- data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +7 -6
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +4 -3
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -4
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +3 -2
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +4 -3
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +4 -3
- data/spec/lib/secure_headers/middleware_spec.rb +29 -21
- data/spec/lib/secure_headers/view_helpers_spec.rb +5 -4
- data/spec/lib/secure_headers_spec.rb +92 -120
- data/spec/spec_helper.rb +10 -22
- data/upgrading-to-4-0.md +55 -0
- metadata +16 -6
data/spec/spec_helper.rb
CHANGED
|
@@ -1,12 +1,11 @@
|
|
|
1
|
-
|
|
2
|
-
require
|
|
3
|
-
require
|
|
4
|
-
require
|
|
5
|
-
|
|
6
|
-
require 'coveralls'
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require "rubygems"
|
|
3
|
+
require "rspec"
|
|
4
|
+
require "rack"
|
|
5
|
+
require "coveralls"
|
|
7
6
|
Coveralls.wear!
|
|
8
7
|
|
|
9
|
-
require File.join(File.dirname(__FILE__),
|
|
8
|
+
require File.join(File.dirname(__FILE__), "..", "lib", "secure_headers")
|
|
10
9
|
|
|
11
10
|
|
|
12
11
|
|
|
@@ -14,9 +13,9 @@ USER_AGENTS = {
|
|
|
14
13
|
edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
|
|
15
14
|
firefox: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
|
|
16
15
|
firefox46: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0",
|
|
17
|
-
chrome:
|
|
18
|
-
ie:
|
|
19
|
-
opera:
|
|
16
|
+
chrome: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5",
|
|
17
|
+
ie: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)",
|
|
18
|
+
opera: "Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
|
|
20
19
|
ios5: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
|
|
21
20
|
ios6: "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
|
|
22
21
|
safari5: "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
|
|
@@ -34,6 +33,7 @@ def expect_default_values(hash)
|
|
|
34
33
|
expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
|
|
35
34
|
expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
|
|
36
35
|
expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
|
|
36
|
+
expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
module SecureHeaders
|
|
@@ -49,15 +49,3 @@ end
|
|
|
49
49
|
def reset_config
|
|
50
50
|
SecureHeaders::Configuration.clear_configurations
|
|
51
51
|
end
|
|
52
|
-
|
|
53
|
-
def capture_warning
|
|
54
|
-
begin
|
|
55
|
-
old_stderr = $stderr
|
|
56
|
-
$stderr = StringIO.new
|
|
57
|
-
yield
|
|
58
|
-
result = $stderr.string
|
|
59
|
-
ensure
|
|
60
|
-
$stderr = old_stderr
|
|
61
|
-
end
|
|
62
|
-
result
|
|
63
|
-
end
|
data/upgrading-to-4-0.md
ADDED
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
### Breaking Changes
|
|
2
|
+
|
|
3
|
+
The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
|
|
4
|
+
|
|
5
|
+
## All cookies default to secure/httponly/SameSite=Lax
|
|
6
|
+
|
|
7
|
+
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
|
|
8
|
+
|
|
9
|
+
```ruby
|
|
10
|
+
# specific opt outs
|
|
11
|
+
config.cookies = {
|
|
12
|
+
secure: OPT_OUT,
|
|
13
|
+
httponly: OPT_OUT,
|
|
14
|
+
samesite: OPT_OUT,
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
# nuclear option, just make things work again
|
|
18
|
+
config.cookies = OPT_OUT
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
## script_src must be set
|
|
22
|
+
|
|
23
|
+
Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
|
|
24
|
+
|
|
25
|
+
However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
|
|
26
|
+
|
|
27
|
+
## Default Content Security Policy
|
|
28
|
+
|
|
29
|
+
The default CSP has changed to be more universal without sacrificing too much security.
|
|
30
|
+
|
|
31
|
+
* Flash/Java disabled by default
|
|
32
|
+
* `img-src` allows data: images and favicons (among others)
|
|
33
|
+
* `style-src` allows inline CSS by default (most find it impossible/impractical to remove inline content today)
|
|
34
|
+
* `form-action` (not governed by `default-src`, practically treated as `*`) is set to `'self'`
|
|
35
|
+
|
|
36
|
+
Previously, the default CSP was:
|
|
37
|
+
|
|
38
|
+
`Content-Security-Policy: default-src 'self'`
|
|
39
|
+
|
|
40
|
+
The new default policy is:
|
|
41
|
+
|
|
42
|
+
`default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:`
|
|
43
|
+
|
|
44
|
+
## CSP configuration
|
|
45
|
+
|
|
46
|
+
* Setting `report_only: true` in a CSP config will raise an error. Instead, set `csp_report_only`.
|
|
47
|
+
* Setting `frame_src` and `child_src` when values don't match will raise an error. Just use `frame_src`.
|
|
48
|
+
|
|
49
|
+
## config.secure_cookies removed
|
|
50
|
+
|
|
51
|
+
Use `config.cookies` instead.
|
|
52
|
+
|
|
53
|
+
## Supported ruby versions
|
|
54
|
+
|
|
55
|
+
We've dropped support for ruby versions <= 2.2. Sorry.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 4.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-09-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - ">="
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version:
|
|
33
|
+
version: 0.15.0
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version:
|
|
40
|
+
version: 0.15.0
|
|
41
41
|
description: Manages application of security headers with many safe defaults.
|
|
42
42
|
email:
|
|
43
43
|
- neil.matatall@gmail.com
|
|
@@ -49,6 +49,7 @@ files:
|
|
|
49
49
|
- ".github/PULL_REQUEST_TEMPLATE.md"
|
|
50
50
|
- ".gitignore"
|
|
51
51
|
- ".rspec"
|
|
52
|
+
- ".rubocop.yml"
|
|
52
53
|
- ".ruby-gemset"
|
|
53
54
|
- ".ruby-version"
|
|
54
55
|
- ".travis.yml"
|
|
@@ -73,6 +74,7 @@ files:
|
|
|
73
74
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
74
75
|
- lib/secure_headers/headers/content_security_policy_config.rb
|
|
75
76
|
- lib/secure_headers/headers/cookie.rb
|
|
77
|
+
- lib/secure_headers/headers/expect_certificate_transparency.rb
|
|
76
78
|
- lib/secure_headers/headers/policy_management.rb
|
|
77
79
|
- lib/secure_headers/headers/public_key_pins.rb
|
|
78
80
|
- lib/secure_headers/headers/referrer_policy.rb
|
|
@@ -92,6 +94,7 @@ files:
|
|
|
92
94
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
93
95
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
94
96
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
97
|
+
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
|
95
98
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
96
99
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
97
100
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|
|
@@ -106,11 +109,17 @@ files:
|
|
|
106
109
|
- spec/lib/secure_headers_spec.rb
|
|
107
110
|
- spec/spec_helper.rb
|
|
108
111
|
- upgrading-to-3-0.md
|
|
112
|
+
- upgrading-to-4-0.md
|
|
109
113
|
homepage: https://github.com/twitter/secureheaders
|
|
110
114
|
licenses:
|
|
111
115
|
- Apache Public License 2.0
|
|
112
116
|
metadata: {}
|
|
113
|
-
post_install_message:
|
|
117
|
+
post_install_message: |2+
|
|
118
|
+
|
|
119
|
+
**********
|
|
120
|
+
:wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
|
|
121
|
+
**********
|
|
122
|
+
|
|
114
123
|
rdoc_options: []
|
|
115
124
|
require_paths:
|
|
116
125
|
- lib
|
|
@@ -126,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
126
135
|
version: '0'
|
|
127
136
|
requirements: []
|
|
128
137
|
rubyforge_project:
|
|
129
|
-
rubygems_version: 2.
|
|
138
|
+
rubygems_version: 2.6.11
|
|
130
139
|
signing_key:
|
|
131
140
|
specification_version: 4
|
|
132
141
|
summary: Add easily configured security headers to responses including content-security-policy,
|
|
@@ -136,6 +145,7 @@ test_files:
|
|
|
136
145
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
137
146
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
138
147
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
148
|
+
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
|
139
149
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
140
150
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
141
151
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|