secure_headers 3.7.0 → 4.0.0.alpha01
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rspec +1 -0
- data/.rubocop.yml +3 -0
- data/.ruby-version +1 -1
- data/.travis.yml +8 -6
- data/CHANGELOG.md +2 -10
- data/CONTRIBUTING.md +1 -1
- data/Gemfile +7 -4
- data/Guardfile +1 -0
- data/README.md +4 -24
- data/Rakefile +22 -18
- data/docs/cookies.md +16 -2
- data/lib/secure_headers/configuration.rb +6 -16
- data/lib/secure_headers/hash_helper.rb +2 -1
- data/lib/secure_headers/headers/clear_site_data.rb +2 -1
- data/lib/secure_headers/headers/content_security_policy.rb +7 -12
- data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
- data/lib/secure_headers/headers/cookie.rb +21 -3
- data/lib/secure_headers/headers/policy_management.rb +10 -2
- data/lib/secure_headers/headers/public_key_pins.rb +4 -3
- data/lib/secure_headers/headers/referrer_policy.rb +1 -0
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -0
- data/lib/secure_headers/headers/x_download_options.rb +2 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/middleware.rb +10 -9
- data/lib/secure_headers/railtie.rb +7 -6
- data/lib/secure_headers/utils/cookies_config.rb +13 -12
- data/lib/secure_headers/view_helper.rb +2 -1
- data/lib/secure_headers.rb +1 -2
- data/lib/tasks/tasks.rake +2 -1
- data/secure_headers.gemspec +13 -3
- data/spec/lib/secure_headers/configuration_spec.rb +9 -8
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +11 -16
- data/spec/lib/secure_headers/headers/cookie_spec.rb +38 -20
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +20 -10
- data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +7 -6
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +4 -3
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -4
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +3 -2
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +4 -3
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +4 -3
- data/spec/lib/secure_headers/middleware_spec.rb +18 -21
- data/spec/lib/secure_headers/view_helpers_spec.rb +5 -4
- data/spec/lib/secure_headers_spec.rb +92 -120
- data/spec/spec_helper.rb +9 -23
- data/upgrading-to-4-0.md +49 -0
- metadata +15 -11
- data/lib/secure_headers/headers/expect_certificate_transparency.rb +0 -70
- data/spec/lib/secure_headers/headers/expect_certificate_spec.rb +0 -42
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 4.0.0.alpha01
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-07-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - ">="
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version:
|
|
33
|
+
version: 0.15.0
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version:
|
|
40
|
+
version: 0.15.0
|
|
41
41
|
description: Manages application of security headers with many safe defaults.
|
|
42
42
|
email:
|
|
43
43
|
- neil.matatall@gmail.com
|
|
@@ -49,6 +49,7 @@ files:
|
|
|
49
49
|
- ".github/PULL_REQUEST_TEMPLATE.md"
|
|
50
50
|
- ".gitignore"
|
|
51
51
|
- ".rspec"
|
|
52
|
+
- ".rubocop.yml"
|
|
52
53
|
- ".ruby-gemset"
|
|
53
54
|
- ".ruby-version"
|
|
54
55
|
- ".travis.yml"
|
|
@@ -73,7 +74,6 @@ files:
|
|
|
73
74
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
74
75
|
- lib/secure_headers/headers/content_security_policy_config.rb
|
|
75
76
|
- lib/secure_headers/headers/cookie.rb
|
|
76
|
-
- lib/secure_headers/headers/expect_certificate_transparency.rb
|
|
77
77
|
- lib/secure_headers/headers/policy_management.rb
|
|
78
78
|
- lib/secure_headers/headers/public_key_pins.rb
|
|
79
79
|
- lib/secure_headers/headers/referrer_policy.rb
|
|
@@ -93,7 +93,6 @@ files:
|
|
|
93
93
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
94
94
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
95
95
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
96
|
-
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
|
97
96
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
98
97
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
99
98
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|
|
@@ -108,11 +107,17 @@ files:
|
|
|
108
107
|
- spec/lib/secure_headers_spec.rb
|
|
109
108
|
- spec/spec_helper.rb
|
|
110
109
|
- upgrading-to-3-0.md
|
|
110
|
+
- upgrading-to-4-0.md
|
|
111
111
|
homepage: https://github.com/twitter/secureheaders
|
|
112
112
|
licenses:
|
|
113
113
|
- Apache Public License 2.0
|
|
114
114
|
metadata: {}
|
|
115
|
-
post_install_message:
|
|
115
|
+
post_install_message: |2+
|
|
116
|
+
|
|
117
|
+
**********
|
|
118
|
+
:wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
|
|
119
|
+
**********
|
|
120
|
+
|
|
116
121
|
rdoc_options: []
|
|
117
122
|
require_paths:
|
|
118
123
|
- lib
|
|
@@ -123,12 +128,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
123
128
|
version: '0'
|
|
124
129
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
125
130
|
requirements:
|
|
126
|
-
- - "
|
|
131
|
+
- - ">"
|
|
127
132
|
- !ruby/object:Gem::Version
|
|
128
|
-
version:
|
|
133
|
+
version: 1.3.1
|
|
129
134
|
requirements: []
|
|
130
135
|
rubyforge_project:
|
|
131
|
-
rubygems_version: 2.
|
|
136
|
+
rubygems_version: 2.6.11
|
|
132
137
|
signing_key:
|
|
133
138
|
specification_version: 4
|
|
134
139
|
summary: Add easily configured security headers to responses including content-security-policy,
|
|
@@ -138,7 +143,6 @@ test_files:
|
|
|
138
143
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
139
144
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
140
145
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
141
|
-
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
|
142
146
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
143
147
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
144
148
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|
|
@@ -1,70 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
module SecureHeaders
|
|
3
|
-
class ExpectCertificateTransparencyConfigError < StandardError; end
|
|
4
|
-
|
|
5
|
-
class ExpectCertificateTransparency
|
|
6
|
-
HEADER_NAME = "Expect-CT".freeze
|
|
7
|
-
CONFIG_KEY = :expect_certificate_transparency
|
|
8
|
-
INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
|
|
9
|
-
INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
|
|
10
|
-
REQUIRED_MAX_AGE_ERROR = "max-age is a required directive.".freeze
|
|
11
|
-
INVALID_MAX_AGE_ERROR = "max-age must be a number.".freeze
|
|
12
|
-
|
|
13
|
-
class << self
|
|
14
|
-
# Public: Generate a Expect-CT header.
|
|
15
|
-
#
|
|
16
|
-
# Returns nil if not configured, returns header name and value if
|
|
17
|
-
# configured.
|
|
18
|
-
def make_header(config)
|
|
19
|
-
return if config.nil?
|
|
20
|
-
|
|
21
|
-
header = new(config)
|
|
22
|
-
[HEADER_NAME, header.value]
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
def validate_config!(config)
|
|
26
|
-
return if config.nil? || config == OPT_OUT
|
|
27
|
-
raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
|
|
28
|
-
|
|
29
|
-
unless [true, false, nil].include?(config[:enforce])
|
|
30
|
-
raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
if !config[:max_age]
|
|
34
|
-
raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
|
|
35
|
-
elsif config[:max_age].to_s !~ /\A\d+\z/
|
|
36
|
-
raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
|
|
37
|
-
end
|
|
38
|
-
end
|
|
39
|
-
end
|
|
40
|
-
|
|
41
|
-
def initialize(config)
|
|
42
|
-
@enforced = config.fetch(:enforce, nil)
|
|
43
|
-
@max_age = config.fetch(:max_age, nil)
|
|
44
|
-
@report_uri = config.fetch(:report_uri, nil)
|
|
45
|
-
end
|
|
46
|
-
|
|
47
|
-
def value
|
|
48
|
-
header_value = [
|
|
49
|
-
enforced_directive,
|
|
50
|
-
max_age_directive,
|
|
51
|
-
report_uri_directive
|
|
52
|
-
].compact.join("; ").strip
|
|
53
|
-
end
|
|
54
|
-
|
|
55
|
-
def enforced_directive
|
|
56
|
-
# Unfortunately `if @enforced` isn't enough here in case someone
|
|
57
|
-
# passes in a random string so let's be specific with it to prevent
|
|
58
|
-
# accidental enforcement.
|
|
59
|
-
"enforce" if @enforced == true
|
|
60
|
-
end
|
|
61
|
-
|
|
62
|
-
def max_age_directive
|
|
63
|
-
"max-age=#{@max_age}" if @max_age
|
|
64
|
-
end
|
|
65
|
-
|
|
66
|
-
def report_uri_directive
|
|
67
|
-
"report-uri=\"#{@report_uri}\"" if @report_uri
|
|
68
|
-
end
|
|
69
|
-
end
|
|
70
|
-
end
|
|
@@ -1,42 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
require "spec_helper"
|
|
3
|
-
|
|
4
|
-
module SecureHeaders
|
|
5
|
-
describe ExpectCertificateTransparency do
|
|
6
|
-
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce; max-age=1234") }
|
|
7
|
-
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
|
|
8
|
-
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
|
|
9
|
-
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234; report-uri=\"https://report-uri.io/expect-ct\"") }
|
|
10
|
-
specify do
|
|
11
|
-
config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
|
|
12
|
-
header_value = "enforce; max-age=1234; report-uri=\"https://report-uri.io/expect-ct\""
|
|
13
|
-
expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
context "with an invalid configuration" do
|
|
17
|
-
it "raises an exception when configuration isn't a hash" do
|
|
18
|
-
expect do
|
|
19
|
-
ExpectCertificateTransparency.validate_config!(%w(a))
|
|
20
|
-
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
21
|
-
end
|
|
22
|
-
|
|
23
|
-
it "raises an exception when max-age is not provided" do
|
|
24
|
-
expect do
|
|
25
|
-
ExpectCertificateTransparency.validate_config!(foo: "bar")
|
|
26
|
-
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
it "raises an exception with an invalid max-age" do
|
|
30
|
-
expect do
|
|
31
|
-
ExpectCertificateTransparency.validate_config!(max_age: "abc123")
|
|
32
|
-
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
it "raises an exception with an invalid enforce value" do
|
|
36
|
-
expect do
|
|
37
|
-
ExpectCertificateTransparency.validate_config!(enforce: "brokenstring")
|
|
38
|
-
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
39
|
-
end
|
|
40
|
-
end
|
|
41
|
-
end
|
|
42
|
-
end
|