secure_headers 3.7.2 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c119abbad46d190ddf82e5c9868e0b80e300676a
-  data.tar.gz: 891a862a3adfe690765bae7a0a3a68d31aa3e2ea
+  metadata.gz: de4e0f18558ac4a65a9983f56e4dd65ca95e5f82
+  data.tar.gz: 3c16a5bdeec36aab812bcbfbbdba544b969c3a33
 SHA512:
-  metadata.gz: 3d4898ed4bc2aada51f79b6aad95a62a5f8aa45309ab0831c61b8dabacd5af749fe513d495a35186532e68466ff21bd8b51d49c0d0461fc4fa788adc43723bce
-  data.tar.gz: cf29ea5654f024321177cb81ed8eaec9ea0a910bd665ba0281590584108e74095afc69edc5c8b43a31f3ec5690370f10d0f98bb1b38269cdeda78cd4a6f0a3a3
+  metadata.gz: 14f3bc42066b1b4bd6044b75a78818a6ce6edc60760e84af03d13623758a4d05b9397d0c4b4baa92c71d105e0334fa39ec56124c3014e8a63096236f9c6e6d51
+  data.tar.gz: f07cfc4d11b24a7d7ec1ad50b2fb756fd3a69c8558b922eb79daf35bbf5dc721c24ca27dfa8b5ca13865dc3345cb0162161f3c41fa04ffbff8c190908d8a7b32

data/.rspec

@@ -1,2 +1,3 @@
 --order rand
 --warnings
+--format progress

data/.rubocop.yml

@@ -0,0 +1,3 @@
+inherit_gem:
+  rubocop-github:
+    - config/default.yml

data/.ruby-version

@@ -1 +1 @@
-2.3.3
+2.4.1

data/.travis.yml

@@ -2,15 +2,17 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.4.0
-  - 2.3.3
+  - 2.4.1
+  - 2.3.4
   - 2.2
-  - 2.1
-  - 2.0.0
-  - 1.9.3
-  - jruby-19mode
   - jruby-head
 
+env:
+  - SUITE=rspec spec
+  - SUITE=rubocop
+
+script: bundle exec $SUITE
+
 matrix:
   allow_failures:
     - rvm: jruby-head

data/CHANGELOG.md

@@ -1,6 +1,6 @@
-## 3.7.2
+## 4.x
 
-- Adds support for `worker-src` CSP directive to 3.x line (https://github.com/twitter/secureheaders/pull/364)
+- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
 
 ## 3.7.1
 
@@ -14,10 +14,6 @@ Adds support for the `Expect-CT` header (@jacobbednarz: https://github.com/twitt
 
 Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
 
-## 3.6.6
-
-wat?
-
 ## 3.6.5
 
 Update clear-site-data header to use current format specified by the specification.

data/CONTRIBUTING.md

@@ -30,7 +30,7 @@ Here are a few things you can do that will increase the likelihood of your pull
 0. Ensure CI is green
 0. Pull the latest code
 0. Increment the version
-0. Run `gem build darrrr.gemspec`
+0. Run `gem build secure_headers.gemspec`
 0. Bump the Gemfile and Gemfile.lock versions for an app which relies on this gem
 0. Test behavior locally, branch deploy, whatever needs to happen
 0. Run `bundle exec rake release`

data/Gemfile

@@ -1,19 +1,22 @@
+# frozen_string_literal: true
 source "https://rubygems.org"
 
 gemspec
 
 group :test do
-  gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
-  gem "pry-nav"
+  gem "coveralls"
   gem "json", "~> 1"
+  gem "pry-nav"
   gem "rack", "~> 1"
   gem "rspec"
-  gem "coveralls"
+  gem "rubocop", "~> 0.47.0"
+  gem "rubocop-github"
   gem "term-ansicolor", "< 1.4"
+  gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
 end
 
 group :guard do
-  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
   gem "growl"
+  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
   gem "rb-fsevent"
 end

data/Guardfile

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
   require "guard/rspec/dsl"
   dsl = Guard::RSpec::Dsl.new(self)

data/README.md

@@ -1,9 +1,10 @@
 # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
 
+**master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
 
-**The 3.x branch was recently merged**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
+**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
 
-**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be maintained**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
+**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
@@ -54,6 +55,8 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
 
 All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
 
+**Word of caution:**  The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements. 
+
 ```ruby
 SecureHeaders::Configuration.default do |config|
   config.cookies = {
@@ -83,8 +86,7 @@ SecureHeaders::Configuration.default do |config|
     report_uri: "https://report-uri.io/example-ct"
   }
   config.csp = {
-    # "meta" values. these will shaped the header, but the values are not included in the header.
-    # report_only: true,      # default: false [DEPRECATED from 3.5.0: instead, configure csp_report_only]
+    # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
     # directive values: these values will directly translate into source directives
@@ -100,10 +102,10 @@ SecureHeaders::Configuration.default do |config|
     manifest_src: %w('self'),
     media_src: %w(utoob.com),
     object_src: %w('self'),
+    sandbox: true, # true and [] will set a maximally restrictive setting
     plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
     style_src: %w('unsafe-inline'),
-    worker_src: %w('self'),
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://report-uri.io/example-csp)
   }
@@ -139,20 +141,6 @@ X-Permitted-Cross-Domain-Policies: none
 X-Xss-Protection: 1; mode=block
 ```
 
-### Default CSP
-
-By default, the above CSP will be applied to all requests. If you **only** want to set a Report-Only header, opt-out of the default enforced header for clarity. The configuration will assume that if you only supply `csp_report_only` that you intended to opt-out of `csp` but that's for the sake of backwards compatibility and it will be removed in the future.
-
-```ruby
-Configuration.default do |config|
-  config.csp = SecureHeaders::OPT_OUT # If this line is omitted, we will assume you meant to opt out.
-  config.csp_report_only = {
-    default_src: %w('self')
-  }
-end
-```
-
-
 ## Similar libraries
 
 * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)

data/Rakefile

@@ -1,28 +1,32 @@
 #!/usr/bin/env rake
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-require 'net/http'
-require 'net/https'
+# frozen_string_literal: true
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "net/http"
+require "net/https"
 
-desc "Run RSpec"
-RSpec::Core::RakeTask.new do |t|
-  t.verbose = false
-  t.rspec_opts = "--format progress"
-end
-
-task default: :spec
+RSpec::Core::RakeTask.new
 
 begin
-  require 'rdoc/task'
+  require "rdoc/task"
 rescue LoadError
-  require 'rdoc/rdoc'
-  require 'rake/rdoctask'
+  require "rdoc/rdoc"
+  require "rake/rdoctask"
   RDoc::Task = Rake::RDocTask
 end
 
+begin
+  require "rubocop/rake_task"
+  RuboCop::RakeTask.new
+rescue LoadError
+  task(:rubocop) { $stderr.puts "RuboCop is disabled" }
+end
+
 RDoc::Task.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'SecureHeaders'
-  rdoc.options << '--line-numbers'
-  rdoc.rdoc_files.include('lib/**/*.rb')
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title    = "SecureHeaders"
+  rdoc.options << "--line-numbers"
+  rdoc.rdoc_files.include("lib/**/*.rb")
 end
+
+task default: [:spec, :rubocop]

data/docs/cookies.md

@@ -4,14 +4,28 @@ SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.
 
 __Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
 
+#### Defaults
+
+By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`.
+
+```ruby
+config.cookies = {
+  secure: true, # defaults to true but will be a no op on non-HTTPS requests
+  httponly: true, # defaults to true
+  samesite: {  # defaults to set `SameSite=Lax`
+    lax: true
+  }
+}
+```
+
 #### Boolean-based configuration
 
-Boolean-based configuration is intended to globally enable or disable a specific cookie attribute.
+Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.*
 
 ```ruby
 config.cookies = {
   secure: true, # mark all cookies as Secure
-  httponly: false, # do not mark any cookies as HttpOnly
+  httponly: OPT_OUT, # do not mark any cookies as HttpOnly
 }
 ```
 

data/docs/per_action_configuration.md

@@ -103,3 +103,31 @@ Content-Security-Policy: ...
   console.log("won't execute, not whitelisted")
 </script>
 ```
+
+## Clearing browser cache
+
+You can clear the browser cache after the logout request by using the following.
+
+``` ruby
+class ApplicationController < ActionController::Base
+  # Configuration override to send the Clear-Site-Data header.
+  SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
+    config.clear_site_data = [
+      SecureHeaders::ClearSiteData::ALL_TYPES
+    ]
+  end
+
+
+  # Clears the browser's cache for browsers supporting the Clear-Site-Data
+  # header.
+  #
+  # Returns nothing.
+  def clear_browser_cache
+    SecureHeaders.use_secure_headers_override(request, :clear_browser_cache)
+  end
+end
+
+class SessionsController < ApplicationController
+  after_action  :clear_browser_cache, only: :destroy
+end
+```

data/lib/secure_headers/configuration.rb

@@ -1,4 +1,5 @@
-require 'yaml'
+# frozen_string_literal: true
+require "yaml"
 
 module SecureHeaders
   class Configuration
@@ -208,8 +209,7 @@ module SecureHeaders
     end
 
     def secure_cookies=(secure_cookies)
-      Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#secure_cookies=` is deprecated. Please use `#cookies=` to configure secure cookies instead."
-      @cookies = (@cookies || {}).merge(secure: secure_cookies)
+      raise ArgumentError, "#{Kernel.caller.first}: `#secure_cookies=` is no longer supported. Please use `#cookies=` to configure secure cookies instead."
     end
 
     def csp=(new_csp)
@@ -217,10 +217,8 @@ module SecureHeaders
         @csp = new_csp.dup
       else
         if new_csp[:report_only]
-          # Deprecated configuration implies that CSPRO should be set, CSP should not - so opt out
-          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
-          @csp = OPT_OUT
-          self.csp_report_only = new_csp
+          # invalid configuration implies that CSPRO should be set, CSP should not - so opt out
+          raise ArgumentError, "#{Kernel.caller.first}: `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
         else
           @csp = ContentSecurityPolicyConfig.new(new_csp)
         end
@@ -247,11 +245,6 @@ module SecureHeaders
           end
         end
       end
-
-      if !@csp_report_only.opt_out? && @csp.to_h == ContentSecurityPolicyConfig::DEFAULT
-        Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp_report_only=` was configured before `#csp=`. It is assumed you intended to opt out of `#csp=` so be sure to add `config.csp = SecureHeaders::OPT_OUT` to your config. Ensure that #csp_report_only is configured after #csp="
-        @csp = OPT_OUT
-      end
     end
 
     protected

data/lib/secure_headers/hash_helper.rb

@@ -1,4 +1,5 @@
-require 'base64'
+# frozen_string_literal: true
+require "base64"
 
 module SecureHeaders
   module HashHelper

data/lib/secure_headers/headers/clear_site_data.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class ClearSiteDataConfigError < StandardError; end
   class ClearSiteData
@@ -7,8 +8,8 @@ module SecureHeaders
     CACHE = "cache".freeze
     COOKIES = "cookies".freeze
     STORAGE = "storage".freeze
-    EXECTION_CONTEXTS = "executionContexts".freeze
-    ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECTION_CONTEXTS]
+    EXECUTION_CONTEXTS = "executionContexts".freeze
+    ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
     CONFIG_KEY = :clear_site_data
 
@@ -16,7 +17,7 @@ module SecureHeaders
       # Public: make an Clear-Site-Data header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config=nil)
+      def make_header(config = nil)
         case config
         when nil, OPT_OUT, []
           # noop

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,6 +1,7 @@
-require_relative 'policy_management'
-require_relative 'content_security_policy_config'
-require 'useragent'
+# frozen_string_literal: true
+require_relative "policy_management"
+require_relative "content_security_policy_config"
+require "useragent"
 
 module SecureHeaders
   class ContentSecurityPolicy
@@ -54,18 +55,12 @@ module SecureHeaders
 
     private
 
-    # frame-src is deprecated, child-src is being implemented. They are
-    # very similar and in most cases, the same value can be used for both.
     def normalize_child_frame_src
       if @config.frame_src && @config.child_src && @config.frame_src != @config.child_src
-        Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers.")
+        raise ArgumentError, "#{Kernel.caller.first}: both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers."
       end
 
-      if supported_directives.include?(:child_src)
-        @config.child_src || @config.frame_src
-      else
-        @config.frame_src || @config.child_src
-      end
+      @config.frame_src || @config.child_src
     end
 
     # Private: converts the config object into a string representing a policy.
@@ -141,9 +136,11 @@ module SecureHeaders
       else
         @config.directive_value(directive)
       end
-      return unless source_list && source_list.any?
-      normalized_source_list = minify_source_list(directive, source_list)
-      [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+
+      if source_list != OPT_OUT && source_list && source_list.any?
+        normalized_source_list = minify_source_list(directive, source_list)
+        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+      end
     end
 
     # If a directive contains *, all other values are omitted.
@@ -264,7 +261,7 @@ module SecureHeaders
     end
 
     def symbol_to_hyphen_case(sym)
-      sym.to_s.tr('_', '-')
+      sym.to_s.tr("_", "-")
     end
   end
 end

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   module DynamicConfig
     def self.included(base)
@@ -37,7 +38,6 @@ module SecureHeaders
       @script_src = nil
       @style_nonce = nil
       @style_src = nil
-      @worker_src = nil
       @upgrade_insecure_requests = nil
 
       from_hash(hash)

data/lib/secure_headers/headers/cookie.rb

@@ -1,5 +1,7 @@
-require 'cgi'
-require 'secure_headers/utils/cookies_config'
+# frozen_string_literal: true
+require "cgi"
+require "secure_headers/utils/cookies_config"
+
 
 module SecureHeaders
   class CookiesConfigError < StandardError; end
@@ -13,8 +15,18 @@ module SecureHeaders
 
     attr_reader :raw_cookie, :config
 
+    COOKIE_DEFAULTS = {
+      httponly: true,
+      secure: true,
+      samesite: { lax: true },
+    }.freeze
+
     def initialize(cookie, config)
       @raw_cookie = cookie
+      unless config == OPT_OUT
+        config ||= {}
+        config = COOKIE_DEFAULTS.merge(config)
+      end
       @config = config
       @attributes = {
         httponly: nil,
@@ -56,6 +68,7 @@ module SecureHeaders
     end
 
     def flag_cookie?(attribute)
+      return false if config == OPT_OUT
       case config[attribute]
       when TrueClass
         true
@@ -85,6 +98,7 @@ module SecureHeaders
     end
 
     def flag_samesite?
+      return false if config == OPT_OUT || config[:samesite] == OPT_OUT
       flag_samesite_lax? || flag_samesite_strict?
     end
 
@@ -99,6 +113,10 @@ module SecureHeaders
     def flag_samesite_enforcement?(mode)
       return unless config[:samesite]
 
+      if config[:samesite].is_a?(TrueClass) && mode == :lax
+        return true
+      end
+
       case config[:samesite][mode]
       when Hash
         conditionally_flag?(config[:samesite][mode])
@@ -113,7 +131,7 @@ module SecureHeaders
       return unless cookie
 
       cookie.split(/[;,]\s?/).each do |pairs|
-        name, values = pairs.split('=',2)
+        name, values = pairs.split("=", 2)
         name = CGI.unescape(name)
 
         attribute = name.downcase.to_sym

data/lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -45,7 +45,7 @@ module SecureHeaders
     end
 
     def value
-      header_value = [
+      [
         enforced_directive,
         max_age_directive,
         report_uri_directive

data/lib/secure_headers/headers/policy_management.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   module PolicyManagement
     def self.included(base)
@@ -5,8 +6,14 @@ module SecureHeaders
     end
 
     MODERN_BROWSERS = %w(Chrome Opera Firefox)
-    DEFAULT_VALUE = "default-src https:".freeze
-    DEFAULT_CONFIG = { default_src: %w(https:) }.freeze
+    DEFAULT_CONFIG = {
+      default_src: %w(https:),
+      img_src: %w(https: data: 'self'),
+      object_src: %w('none'),
+      script_src: %w(https:),
+      style_src: %w('self' 'unsafe-inline' https:),
+      form_action: %w('self')
+    }.freeze
     DATA_PROTOCOL = "data:".freeze
     BLOB_PROTOCOL = "blob:".freeze
     SELF = "'self'".freeze
@@ -65,13 +72,10 @@ module SecureHeaders
     BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
     UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
-    WORKER_SRC = :worker_src
-
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
       BLOCK_ALL_MIXED_CONTENT,
       MANIFEST_SRC,
-      WORKER_SRC,
       UPGRADE_INSECURE_REQUESTS
     ].flatten.freeze
 
@@ -82,7 +86,6 @@ module SecureHeaders
     FIREFOX_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
       CHILD_SRC,
-      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 
@@ -92,7 +95,6 @@ module SecureHeaders
 
     FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
-      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 
@@ -146,7 +148,6 @@ module SecureHeaders
       SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
       STYLE_SRC                 => :source_list,
-      WORKER_SRC                => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
 
@@ -205,6 +206,10 @@ module SecureHeaders
       def validate_config!(config)
         return if config.nil? || config.opt_out?
         raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
+        if config.directive_value(:script_src).nil?
+          raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
+        end
+
         ContentSecurityPolicyConfig.attrs.each do |key|
           value = config.directive_value(key)
           next unless value
@@ -389,6 +394,7 @@ module SecureHeaders
       end
 
       def ensure_valid_sources!(directive, source_expression)
+        return if source_expression == OPT_OUT
         source_expression.each do |expression|
           if ContentSecurityPolicy::DEPRECATED_SOURCE_VALUES.include?(expression)
             raise ContentSecurityPolicyConfigError.new("#{directive} contains an invalid keyword source (#{expression}). This value must be single quoted.")

data/lib/secure_headers/headers/public_key_pins.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class PublicKeyPinsConfigError < StandardError; end
   class PublicKeyPins
@@ -54,7 +55,7 @@ module SecureHeaders
         pin_directives,
         report_uri_directive,
         subdomain_directive
-      ].compact.join('; ').strip
+      ].compact.join("; ").strip
     end
 
     def pin_directives
@@ -63,7 +64,7 @@ module SecureHeaders
         pin.map do |token, hash|
           "pin-#{token}=\"#{hash}\"" if HASH_ALGORITHMS.include?(token)
         end
-      end.join('; ')
+      end.join("; ")
     end
 
     def max_age_directive
@@ -75,7 +76,7 @@ module SecureHeaders
     end
 
     def subdomain_directive
-      @include_subdomains ? 'includeSubDomains' : nil
+      @include_subdomains ? "includeSubDomains" : nil
     end
   end
 end

data/lib/secure_headers/headers/referrer_policy.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class ReferrerPolicyConfigError < StandardError; end
   class ReferrerPolicy

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
 module SecureHeaders
   class STSConfigError < StandardError; end
 
   class StrictTransportSecurity
-    HEADER_NAME = 'Strict-Transport-Security'.freeze
+    HEADER_NAME = "Strict-Transport-Security".freeze
     HSTS_MAX_AGE = "631138519"
     DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
     VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XContentTypeOptionsConfigError < StandardError; end
 

data/lib/secure_headers/headers/x_download_options.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XDOConfigError < StandardError; end
   class XDownloadOptions
     HEADER_NAME = "X-Download-Options".freeze
-    DEFAULT_VALUE = 'noopen'
+    DEFAULT_VALUE = "noopen"
     CONFIG_KEY = :x_download_options
 
     class << self

data/lib/secure_headers/headers/x_frame_options.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XFOConfigError < StandardError; end
   class XFrameOptions