secure_headers 3.9.0 → 4.0.0.alpha01

data/lib/secure_headers/middleware.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class Middleware
     HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"
@@ -25,11 +26,11 @@ module SecureHeaders
 
     # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
     def flag_cookies!(headers, config)
-      if cookies = headers['Set-Cookie']
+      if cookies = headers["Set-Cookie"]
         # Support Rails 2.3 / Rack 1.1 arrays as headers
         cookies = cookies.split("\n") unless cookies.is_a?(Array)
 
-        headers['Set-Cookie'] = cookies.map do |cookie|
+        headers["Set-Cookie"] = cookies.map do |cookie|
           SecureHeaders::Cookie.new(cookie, config).to_s
         end.join("\n")
       end
@@ -37,8 +38,8 @@ module SecureHeaders
 
     # disable Secure cookies for non-https requests
     def override_secure(env, config = {})
-      if scheme(env) != 'https'
-        config.merge!(secure: false)
+      if scheme(env) != "https"
+        config[:secure] = OPT_OUT
       end
 
       config
@@ -46,12 +47,12 @@ module SecureHeaders
 
     # derived from https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119
     def scheme(env)
-      if env['HTTPS'] == 'on' || env['HTTP_X_SSL_REQUEST'] == 'on'
-        'https'
-      elsif env['HTTP_X_FORWARDED_PROTO']
-        env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+      if env["HTTPS"] == "on" || env["HTTP_X_SSL_REQUEST"] == "on"
+        "https"
+      elsif env["HTTP_X_FORWARDED_PROTO"]
+        env["HTTP_X_FORWARDED_PROTO"].split(",")[0]
       else
-        env['rack.url_scheme']
+        env["rack.url_scheme"]
       end
     end
   end

data/lib/secure_headers/railtie.rb

@@ -1,20 +1,21 @@
+# frozen_string_literal: true
 # rails 3.1+
 if defined?(Rails::Railtie)
   module SecureHeaders
     class Railtie < Rails::Railtie
       isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
-      conflicting_headers = ['X-Frame-Options', 'X-XSS-Protection',
-                             'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
-                             'X-Content-Type-Options', 'Strict-Transport-Security',
-                             'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
-                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only', 'Referrer-Policy']
+      conflicting_headers = ["X-Frame-Options", "X-XSS-Protection",
+                             "X-Permitted-Cross-Domain-Policies", "X-Download-Options",
+                             "X-Content-Type-Options", "Strict-Transport-Security",
+                             "Content-Security-Policy", "Content-Security-Policy-Report-Only",
+                             "Public-Key-Pins", "Public-Key-Pins-Report-Only", "Referrer-Policy"]
 
       initializer "secure_headers.middleware" do
         Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware
       end
 
       rake_tasks do
-        load File.expand_path(File.join('..', '..', 'lib', 'tasks', 'tasks.rake'), File.dirname(__FILE__))
+        load File.expand_path(File.join("..", "..", "lib", "tasks", "tasks.rake"), File.dirname(__FILE__))
       end
 
       initializer "secure_headers.action_controller" do

data/lib/secure_headers/utils/cookies_config.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class CookiesConfig
 
@@ -11,9 +12,9 @@ module SecureHeaders
       return if config.nil? || config == SecureHeaders::OPT_OUT
 
       validate_config!
-      validate_secure_config! if config[:secure]
-      validate_httponly_config! if config[:httponly]
-      validate_samesite_config! if config[:samesite]
+      validate_secure_config! unless config[:secure].nil?
+      validate_httponly_config! unless config[:httponly].nil?
+      validate_samesite_config! unless config[:samesite].nil?
     end
 
     private
@@ -23,16 +24,17 @@ module SecureHeaders
     end
 
     def validate_secure_config!
-      validate_hash_or_boolean!(:secure)
+      validate_hash_or_true_or_opt_out!(:secure)
       validate_exclusive_use_of_hash_constraints!(config[:secure], :secure)
     end
 
     def validate_httponly_config!
-      validate_hash_or_boolean!(:httponly)
+      validate_hash_or_true_or_opt_out!(:httponly)
       validate_exclusive_use_of_hash_constraints!(config[:httponly], :httponly)
     end
 
     def validate_samesite_config!
+      return if config[:samesite] == OPT_OUT
       raise CookiesConfigError.new("samesite cookie config must be a hash") unless is_hash?(config[:samesite])
 
       validate_samesite_boolean_config!
@@ -41,30 +43,28 @@ module SecureHeaders
 
     # when configuring with booleans, only one enforcement is permitted
     def validate_samesite_boolean_config!
-      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
-      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
-      elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
+      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
       end
     end
 
     def validate_samesite_hash_config!
       # validate Hash-based samesite configuration
       if is_hash?(config[:samesite][:lax])
-        validate_exclusive_use_of_hash_constraints!(config[:samesite][:lax], 'samesite lax')
+        validate_exclusive_use_of_hash_constraints!(config[:samesite][:lax], "samesite lax")
 
         if is_hash?(config[:samesite][:strict])
-          validate_exclusive_use_of_hash_constraints!(config[:samesite][:strict], 'samesite strict')
+          validate_exclusive_use_of_hash_constraints!(config[:samesite][:strict], "samesite strict")
           validate_exclusive_use_of_samesite_enforcement!(:only)
           validate_exclusive_use_of_samesite_enforcement!(:except)
         end
       end
     end
 
-    def validate_hash_or_boolean!(attribute)
-      if !(is_hash?(config[attribute]) || is_boolean?(config[attribute]))
+    def validate_hash_or_true_or_opt_out!(attribute)
+      if !(is_hash?(config[attribute]) || is_true_or_opt_out?(config[attribute]))
         raise CookiesConfigError.new("#{attribute} cookie config must be a hash or boolean")
       end
     end
@@ -72,7 +72,6 @@ module SecureHeaders
     # validate exclusive use of only or except but not both at the same time
     def validate_exclusive_use_of_hash_constraints!(conf, attribute)
       return unless is_hash?(conf)
-
       if conf.key?(:only) && conf.key?(:except)
         raise CookiesConfigError.new("#{attribute} cookie config is invalid, simultaneous use of conditional arguments `only` and `except` is not permitted.")
       end
@@ -89,8 +88,8 @@ module SecureHeaders
       obj && obj.is_a?(Hash)
     end
 
-    def is_boolean?(obj)
-      obj && (obj.is_a?(TrueClass) || obj.is_a?(FalseClass))
+    def is_true_or_opt_out?(obj)
+      obj && (obj.is_a?(TrueClass) || obj == OPT_OUT)
     end
   end
 end

data/lib/secure_headers/view_helper.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   module ViewHelpers
     include SecureHeaders::HashHelper
@@ -75,7 +76,7 @@ module SecureHeaders
       end
 
       content = capture(&block)
-      file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb')
+      file_path = File.join("app", "views", self.instance_variable_get(:@virtual_path) + ".html.erb")
 
       if raise_error_on_unrecognized_hash
         hash_value = hash_source(content)

data/lib/tasks/tasks.rake

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx unless defined? INLINE_SCRIPT_REGEX
 INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx unless defined? INLINE_STYLE_REGEX
 INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx unless defined? INLINE_HASH_SCRIPT_HELPER_REGEX
@@ -73,7 +74,7 @@ namespace :secure_headers do
       end
     end
 
-    File.open(SecureHeaders::Configuration::HASH_CONFIG_FILE, 'w') do |file|
+    File.open(SecureHeaders::Configuration::HASH_CONFIG_FILE, "w") do |file|
       file.write(script_hashes.to_yaml)
     end
 

data/secure_headers.gemspec

@@ -1,10 +1,11 @@
 # -*- encoding: utf-8 -*-
+# frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.9.0"
+  gem.version       = "4.0.0.alpha01"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
-  gem.description   = 'Manages application of security headers with many safe defaults.'
+  gem.description   = "Manages application of security headers with many safe defaults."
   gem.summary       = 'Add easily configured security headers to responses
     including content-security-policy, x-frame-options,
     strict-transport-security, etc.'
@@ -15,5 +16,14 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
-  gem.add_dependency "useragent"
+  gem.add_dependency "useragent", ">= 0.15.0"
+
+  # TODO: delete this after 4.1 is cut or a number of 4.0.x releases have occurred
+  gem.post_install_message = <<-POST_INSTALL
+
+**********
+:wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
+**********
+
+  POST_INSTALL
 end

data/spec/lib/secure_headers/configuration_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe Configuration do
@@ -70,7 +71,7 @@ module SecureHeaders
 
     it "allows you to override an override" do
       Configuration.override(:override) do |config|
-        config.csp = { default_src: %w('self')}
+        config.csp = { default_src: %w('self'), script_src: %w('self')}
       end
 
       Configuration.override(:second_override, :override) do |config|
@@ -78,17 +79,17 @@ module SecureHeaders
       end
 
       original_override = Configuration.get(:override)
-      expect(original_override.csp.to_h).to eq(default_src: %w('self'))
+      expect(original_override.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self'))
       override_config = Configuration.get(:second_override)
       expect(override_config.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self' example.org))
     end
 
     it "deprecates the secure_cookies configuration" do
-      expect(Kernel).to receive(:warn).with(/\[DEPRECATION\]/)
-
-      Configuration.default do |config|
-        config.secure_cookies = true
-      end
+      expect {
+        Configuration.default do |config|
+          config.secure_cookies = true
+        end
+      }.to raise_error(ArgumentError)
     end
   end
 end

data/spec/lib/secure_headers/headers/clear_site_data_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe ClearSiteData do

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe ContentSecurityPolicy do
@@ -24,17 +25,7 @@ module SecureHeaders
 
     describe "#value" do
       it "uses a safe but non-breaking default value" do
-        expect(ContentSecurityPolicy.new.value).to eq("default-src https:")
-      end
-
-      it "deprecates and escapes semicolons in directive source lists" do
-        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
-        expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
-      end
-
-      it "deprecates and escapes semicolons in directive source lists" do
-        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
-        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+        expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
       end
 
       it "discards 'none' values if any other source expressions are present" do
@@ -66,7 +57,7 @@ module SecureHeaders
       end
 
       it "does not remove schemes when :preserve_schemes is true" do
-        csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), :preserve_schemes => true)
+        csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), preserve_schemes: true)
         expect(csp.value).to eq("default-src https://example.org")
       end
 
@@ -100,40 +91,15 @@ module SecureHeaders
         expect(csp.value).to eq("default-src example.org")
       end
 
-      it "creates maximally strict sandbox policy when passed no sandbox token values" do
-        csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
-        expect(csp.value).to eq("default-src example.org; sandbox")
-      end
-
-      it "creates maximally strict sandbox policy when passed true" do
-        csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: true)
-        expect(csp.value).to eq("default-src example.org; sandbox")
-      end
-
-      it "creates sandbox policy when passed valid sandbox token values" do
-        csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: %w(allow-forms allow-scripts))
-        expect(csp.value).to eq("default-src example.org; sandbox allow-forms allow-scripts")
-      end
-
       it "does not emit a warning when using frame-src" do
         expect(Kernel).to_not receive(:warn)
         ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
       end
 
-      it "emits a warning when child-src and frame-src are supplied but are not equal" do
-        expect(Kernel).to receive(:warn).with(/both :child_src and :frame_src supplied and do not match./)
-        ContentSecurityPolicy.new(default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)).value
-      end
-
-      it "will still set inconsistent child/frame-src values to be less surprising" do
-        expect(Kernel).to receive(:warn).at_least(:once)
-        firefox = ContentSecurityPolicy.new({default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)}, USER_AGENTS[:firefox]).value
-        firefox_transitional = ContentSecurityPolicy.new({default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)}, USER_AGENTS[:firefox46]).value
-        expect(firefox).not_to eq(firefox_transitional)
-        expect(firefox).to match(/frame-src/)
-        expect(firefox).not_to match(/child-src/)
-        expect(firefox_transitional).to match(/child-src/)
-        expect(firefox_transitional).not_to match(/frame-src/)
+      it "raises an error when child-src and frame-src are supplied but are not equal" do
+        expect {
+          ContentSecurityPolicy.new(default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)).value
+        }.to raise_error(ArgumentError)
       end
 
       it "supports strict-dynamic" do
@@ -149,52 +115,50 @@ module SecureHeaders
             block_all_mixed_content: true,
             upgrade_insecure_requests: true,
             script_src: %w(script-src.com),
-            script_nonce: 123456,
-            sandbox: %w(allow-forms),
-            plugin_types: %w(application/pdf)
+            script_nonce: 123456
           })
         end
 
         it "does not filter any directives for Chrome" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "does not filter any directives for Opera" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
 
         it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
 
         it "adds 'unsafe-inline', filters  blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
         end
 
         it "falls back to standard Firefox defaults when the useragent version is not present" do
           ua = USER_AGENTS[:firefox].dup
           allow(ua).to receive(:version).and_return(nil)
           policy = ContentSecurityPolicy.new(complex_opts, ua)
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
       end
     end

data/spec/lib/secure_headers/headers/cookie_spec.rb

@@ -1,40 +1,46 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe Cookie do
     let(:raw_cookie) { "_session=thisisatest" }
 
-    it "does not tamper with cookies when unconfigured" do
-      cookie = Cookie.new(raw_cookie, {})
+    it "does not tamper with cookies when using OPT_OUT is used" do
+      cookie = Cookie.new(raw_cookie, OPT_OUT)
       expect(cookie.to_s).to eq(raw_cookie)
     end
 
+    it "applies httponly, secure, and samesite by default" do
+      cookie = Cookie.new(raw_cookie, nil)
+      expect(cookie.to_s).to eq("_session=thisisatest; secure; HttpOnly; SameSite=Lax")
+    end
+
     it "preserves existing attributes" do
-      cookie = Cookie.new("_session=thisisatest; secure", secure: true)
+      cookie = Cookie.new("_session=thisisatest; secure", secure: true, httponly: OPT_OUT, samesite: OPT_OUT)
       expect(cookie.to_s).to eq("_session=thisisatest; secure")
     end
 
     it "prevents duplicate flagging of attributes" do
-      cookie = Cookie.new("_session=thisisatest; secure", secure: true)
+      cookie = Cookie.new("_session=thisisatest; secure", secure: true, httponly: OPT_OUT)
       expect(cookie.to_s.scan(/secure/i).count).to eq(1)
     end
 
     context "Secure cookies" do
       context "when configured with a boolean" do
         it "flags cookies as Secure" do
-          cookie = Cookie.new(raw_cookie, secure: true)
+          cookie = Cookie.new(raw_cookie, secure: true, httponly: OPT_OUT, samesite: OPT_OUT)
           expect(cookie.to_s).to eq("_session=thisisatest; secure")
         end
       end
 
       context "when configured with a Hash" do
         it "flags cookies as Secure when whitelisted" do
-          cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]})
+          cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]}, httponly: OPT_OUT, samesite: OPT_OUT)
           expect(cookie.to_s).to eq("_session=thisisatest; secure")
         end
 
         it "does not flag cookies as Secure when excluded" do
-          cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] })
+          cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] }, httponly: OPT_OUT, samesite: OPT_OUT)
           expect(cookie.to_s).to eq("_session=thisisatest")
         end
       end
@@ -43,58 +49,72 @@ module SecureHeaders
     context "HttpOnly cookies" do
       context "when configured with a boolean" do
         it "flags cookies as HttpOnly" do
-          cookie = Cookie.new(raw_cookie, httponly: true)
+          cookie = Cookie.new(raw_cookie, httponly: true, secure: OPT_OUT, samesite: OPT_OUT)
           expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
         end
       end
 
       context "when configured with a Hash" do
         it "flags cookies as HttpOnly when whitelisted" do
-          cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]})
+          cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]}, secure: OPT_OUT, samesite: OPT_OUT)
           expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
         end
 
         it "does not flag cookies as HttpOnly when excluded" do
-          cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] })
+          cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] }, secure: OPT_OUT, samesite: OPT_OUT)
           expect(cookie.to_s).to eq("_session=thisisatest")
         end
       end
     end
 
     context "SameSite cookies" do
-      %w(None Lax Strict).each do |flag|
-        it "flags SameSite=#{flag}" do
-          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } })
-          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
-        end
+      it "flags SameSite=Lax" do
+        cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
+      end
 
-        it "flags SameSite=#{flag} when configured with a boolean" do
-          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true })
-          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
-        end
+      it "flags SameSite=Lax when configured with a boolean" do
+        cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
+      end
 
-        it "does not flag cookies as SameSite=#{flag} when excluded" do
-          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } })
-          expect(cookie.to_s).to eq("_session=thisisatest")
-        end
+      it "does not flag cookies as SameSite=Lax when excluded" do
+        cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest")
+      end
+
+      it "flags SameSite=Strict" do
+        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
+      end
+
+      it "does not flag cookies as SameSite=Strict when excluded" do
+        cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }}, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest")
       end
 
       it "flags SameSite=Strict when configured with a boolean" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: true})
+        cookie = Cookie.new(raw_cookie, {samesite: { strict: true}, secure: OPT_OUT, httponly: OPT_OUT})
         expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
       end
 
       it "flags properly when both lax and strict are configured" do
         raw_cookie = "_session=thisisatest"
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } })
+        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
         expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
       end
 
       it "ignores configuration if the cookie is already flagged" do
         raw_cookie = "_session=thisisatest; SameSite=Strict"
-        cookie = Cookie.new(raw_cookie, samesite: { lax: true })
+        cookie = Cookie.new(raw_cookie, samesite: { lax: true }, secure: OPT_OUT, httponly: OPT_OUT)
         expect(cookie.to_s).to eq(raw_cookie)
       end
+
+      it "samesite: true sets all cookies to samesite=lax" do
+        raw_cookie = "_session=thisisatest"
+        cookie = Cookie.new(raw_cookie, samesite: true, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
+      end
     end
   end
 
@@ -105,12 +125,18 @@ module SecureHeaders
       end.to raise_error(CookiesConfigError)
     end
 
-    it "raises an exception when configured without a boolean/Hash" do
+    it "raises an exception when configured without a boolean(true or OPT_OUT)/Hash" do
       expect do
         Cookie.validate_config!(secure: "true")
       end.to raise_error(CookiesConfigError)
     end
 
+    it "raises an exception when configured with false" do
+      expect do
+        Cookie.validate_config!(secure: false)
+      end.to raise_error(CookiesConfigError)
+    end
+
     it "raises an exception when both only and except filters are provided" do
       expect do
         Cookie.validate_config!(secure: { only: [], except: [] })
@@ -123,15 +149,10 @@ module SecureHeaders
       end.to raise_error(CookiesConfigError)
     end
 
-    cookie_options = %w(none lax strict).map(&:to_sym)
-    cookie_options.each do |flag|
-      (cookie_options - [flag]).each do |other_flag|
-        it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
-          expect do
-            Cookie.validate_config!(samesite: { flag => true, other_flag => true})
-          end.to raise_error(CookiesConfigError)
-        end
-      end
+    it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
+      expect do
+        Cookie.validate_config!(samesite: { lax: true, strict: true})
+      end.to raise_error(CookiesConfigError)
     end
 
     it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do