secure_headers 4.0.2 → 5.0.0.alpha01
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -4
- data/README.md +4 -4
- data/{upgrading-to-3-0.md → docs/upgrading-to-3-0.md} +0 -0
- data/{upgrading-to-4-0.md → docs/upgrading-to-4-0.md} +1 -21
- data/docs/upgrading-to-5-0.md +15 -0
- data/lib/secure_headers/configuration.rb +1 -1
- data/lib/secure_headers/headers/expect_certificate_transparency.rb +1 -1
- data/lib/secure_headers/middleware.rb +1 -1
- data/secure_headers.gemspec +2 -2
- data/spec/lib/secure_headers/configuration_spec.rb +22 -0
- data/spec/lib/secure_headers/headers/{expect_certificate_transparency_spec.rb → expect_certificate_spec.rb} +3 -3
- metadata +10 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2e6ac6e6f7a69c5fef2f3a357feaff630fc394c0
|
4
|
+
data.tar.gz: 218e2ea09bc6a88370be9ad4930764cd94cc5f08
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0a2a38ec3dd215d754ea66cefeb96482fb0d2d35edf2fa13fbadd600a962b612b172b400425a7fb44304c200f9a79b7042893dfce82f48ea30734028773c205d
|
7
|
+
data.tar.gz: 5cff176050f3790236e65aec87c6f66e98adb473abcd608d3fe4eed0e587f1c7880dbc8c31735d2e3c39c766d8d4bf7a3b4df9e16673f66ab4970f4cb97e410a
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
|
-
##
|
1
|
+
## 5.0.0
|
2
2
|
|
3
|
-
|
3
|
+
Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
|
4
4
|
|
5
5
|
## 4.0.1
|
6
6
|
|
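Review bot: the new 5.0.0 entry has a typo, "embarassing" should be "embarrassing", and the stray " - " before "See the [upgrading to 5.0]" reads like a leftover bullet; either drop the dash or put the link on its own list line as the 4.0 entry below does. It would also help to name the three defaults that now actually apply (Secure, HttpOnly, SameSite=Lax) in the entry itself, since that is the breaking change users will search the changelog for.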
@@ -8,7 +8,7 @@
|
|
8
8
|
|
9
9
|
## 4.0
|
10
10
|
|
11
|
-
- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
|
11
|
+
- See the [upgrading to 4.0](docs/upgrading-to-4-0.md) guide. Lots of breaking changes.
|
12
12
|
|
13
13
|
## 3.7.2
|
14
14
|
|
@@ -326,7 +326,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
|
|
326
326
|
|
327
327
|
## 3.0.0
|
328
328
|
|
329
|
-
secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
|
329
|
+
secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
|
330
330
|
|
331
331
|
## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning
|
332
332
|
|
data/README.md
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
|
2
2
|
|
3
|
-
**master represents
|
3
|
+
**master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
|
4
4
|
|
5
|
-
**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
|
5
|
+
**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
|
6
6
|
|
7
7
|
**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
|
8
8
|
|
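Review bot: the "3.x" link in this hunk still points at `tree/2.x` (both the removed and the added line), and the unchanged 2.x paragraph reads "will be not be maintained"; since this change already rewrites these paragraphs, fix the link target and the doubled "be" here. The added line's "Bug fixes should go in the 3.x branch for now" also sits oddly next to "master represents 5.x line"; state whether the 4.x line still receives fixes or whether users are expected to move straight to 5.x.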
@@ -22,7 +22,7 @@ The gem will automatically apply several headers that are related to security.
|
|
22
22
|
- Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
|
23
23
|
- Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
|
24
24
|
|
25
|
-
It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes
|
25
|
+
It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
|
26
26
|
|
27
27
|
`secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
|
28
28
|
|
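Review bot: "This is on default" should be "This is on by default". The sentence also says "all http cookies", but the flagging is applied to every cookie the application sets, not only those served over plain http, so "all cookies" is clearer. A pointer to the per-attribute form (`secure: SecureHeaders::OPT_OUT` and friends, as shown in the new 5.0 upgrade guide) would help readers who want to keep HttpOnly but opt out of SameSite only, rather than disabling the whole feature.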
@@ -55,7 +55,7 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
|
|
55
55
|
|
56
56
|
All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
|
57
57
|
|
58
|
-
**Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
|
58
|
+
**Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
|
59
59
|
|
60
60
|
```ruby
|
61
61
|
SecureHeaders::Configuration.default do |config|
|
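Review bot: the removed and added "Word of caution" lines are identical as rendered, so this hunk is a whitespace-only change (most likely trailing whitespace). Harmless, but it could be dropped from a release diff that is otherwise focused on the cookie fix.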
File without changes
|
@@ -1,26 +1,6 @@
|
|
1
|
-
### Breaking Changes
|
2
|
-
|
3
|
-
The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
|
4
|
-
|
5
|
-
## All cookies default to secure/httponly/SameSite=Lax
|
6
|
-
|
7
|
-
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
|
8
|
-
|
9
|
-
```ruby
|
10
|
-
# specific opt outs
|
11
|
-
config.cookies = {
|
12
|
-
secure: SecureHeaders::OPT_OUT,
|
13
|
-
httponly: SecureHeaders::OPT_OUT,
|
14
|
-
samesite: SecureHeaders::OPT_OUT,
|
15
|
-
}
|
16
|
-
|
17
|
-
# nuclear option, just make things work again
|
18
|
-
config.cookies = SecureHeaders::OPT_OUT
|
19
|
-
```
|
20
|
-
|
21
1
|
## script_src must be set
|
22
2
|
|
23
|
-
Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
|
3
|
+
Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
|
24
4
|
|
25
5
|
However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
|
26
6
|
|
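Review bot: the "### Breaking Changes" heading and the paragraph "The most likely change to break your app is the new cookie defaults ... If you're using the default CSP, your policy will change but your app should not break" are deleted here and do not reappear in the new 5.0 guide; only the cookie section moves. Keep the CSP/default-policy note in this file (or move it with the cookie text), because "## script_src must be set" now opens the document with no introduction. The `Not setting a script_src value` line pair is another identical-as-rendered whitespace change.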
@@ -0,0 +1,15 @@
|
|
1
|
+
## All cookies default to secure/httponly/SameSite=Lax
|
2
|
+
|
3
|
+
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
|
4
|
+
|
5
|
+
```ruby
|
6
|
+
# specific opt outs
|
7
|
+
config.cookies = {
|
8
|
+
secure: SecureHeaders::OPT_OUT,
|
9
|
+
httponly: SecureHeaders::OPT_OUT,
|
10
|
+
samesite: SecureHeaders::OPT_OUT,
|
11
|
+
}
|
12
|
+
|
13
|
+
# nuclear option, just make things work again
|
14
|
+
config.cookies = SecureHeaders::OPT_OUT
|
15
|
+
```
|
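Review bot: the new guide should open with a sentence saying that 4.0 advertised these cookie defaults but did not apply them (the CHANGELOG entry says exactly that); without it, readers on 4.x who believed they already had Secure/HttpOnly/SameSite=Lax will not see why 5.0 is a breaking change for them. `SecureHeaders.cookies` in the prose does not match `config.cookies` in the example; use the config form in both. Finally, "Setting these values to `false` will raise an error" needs qualifying, since the spec added in this same release accepts `samesite: {lax: false}`; say that the top-level attributes take `OPT_OUT`, not `false`, while the nested samesite hash may contain `false`.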
@@ -17,7 +17,7 @@ module SecureHeaders
|
|
17
17
|
Kernel.warn(HPKP_SAME_HOST_WARNING)
|
18
18
|
end
|
19
19
|
|
20
|
-
flag_cookies!(headers, override_secure(env, config.cookies))
|
20
|
+
flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
|
21
21
|
headers.merge!(SecureHeaders.header_hash_for(req))
|
22
22
|
[status, headers, response]
|
23
23
|
end
|
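Review bot: the `unless config.cookies == OPT_OUT` guard is the actual behavioural fix for the cookie defaults, but the only new specs in this release are in configuration_spec and check stored config values; nothing exercises this middleware path to confirm that cookies come back flagged Secure/HttpOnly/SameSite=Lax by default and untouched with `OPT_OUT`. A middleware spec asserting on the `Set-Cookie` header for both cases would guard against a repeat of the 4.0 regression. Also confirm that `override_secure(env, config.cookies)` and `flag_cookies!` tolerate the per-attribute sentinel (`secure: OPT_OUT` inside the hash), since this guard only short-circuits the whole-config `OPT_OUT`.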
data/secure_headers.gemspec
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
Gem::Specification.new do |gem|
|
4
4
|
gem.name = "secure_headers"
|
5
|
-
gem.version = "
|
5
|
+
gem.version = "5.0.0.alpha01"
|
6
6
|
gem.authors = ["Neil Matatall"]
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
|
|
22
22
|
gem.post_install_message = <<-POST_INSTALL
|
23
23
|
|
24
24
|
**********
|
25
|
-
:wave: secure_headers
|
25
|
+
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
|
26
26
|
**********
|
27
27
|
|
28
28
|
POST_INSTALL
|
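Review bot: the post-install message links the 4.0 upgrade guide twice and never the 5.0 guide (`docs/upgrading-to-5-0.md`), which is the document describing the cookie change the message warns about; replace the duplicated URL with the 5.0 one. The message also says 5.0 "introduces a lot of breaking changes", while the CHANGELOG describes a single change to cookie defaults; align the two so users know what to check.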
@@ -91,5 +91,27 @@ module SecureHeaders
|
|
91
91
|
end
|
92
92
|
}.to raise_error(ArgumentError)
|
93
93
|
end
|
94
|
+
|
95
|
+
it "gives cookies a default config" do
|
96
|
+
expect(Configuration.default.cookies).to eq({httponly: true, secure: true, samesite: {lax: true}})
|
97
|
+
end
|
98
|
+
|
99
|
+
it "allows OPT_OUT" do
|
100
|
+
Configuration.default do |config|
|
101
|
+
config.cookies = OPT_OUT
|
102
|
+
end
|
103
|
+
|
104
|
+
config = Configuration.get
|
105
|
+
expect(config.cookies).to eq(OPT_OUT)
|
106
|
+
end
|
107
|
+
|
108
|
+
it "allows me to be explicit too" do
|
109
|
+
Configuration.default do |config|
|
110
|
+
config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
|
111
|
+
end
|
112
|
+
|
113
|
+
config = Configuration.get
|
114
|
+
expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
|
115
|
+
end
|
94
116
|
end
|
95
117
|
end
|
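Review bot: "allows me to be explicit too" only checks that the hash round-trips through `Configuration.get`; the upgrade guide says that setting an attribute to `false` raises, so a spec asserting that `config.cookies = {secure: false}` raises would pin that contract in the same file. Conversely, `samesite: {lax: false}` is accepted by this spec, so the guide's blanket "Setting these values to `false` will raise an error" is wider than what is tested. Consider also resetting the default configuration between these examples, since each `Configuration.default` block replaces the global config that the earlier `gives cookies a default config` example reads.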
@@ -3,13 +3,13 @@ require "spec_helper"
|
|
3
3
|
|
4
4
|
module SecureHeaders
|
5
5
|
describe ExpectCertificateTransparency do
|
6
|
-
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce
|
6
|
+
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce; max-age=1234") }
|
7
7
|
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
|
8
8
|
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
|
9
|
-
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234
|
9
|
+
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234; report-uri=\"https://report-uri.io/expect-ct\"") }
|
10
10
|
specify do
|
11
11
|
config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
|
12
|
-
header_value = "enforce
|
12
|
+
header_value = "enforce; max-age=1234; report-uri=\"https://report-uri.io/expect-ct\""
|
13
13
|
expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
|
14
14
|
end
|
15
15
|
|
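Review bot: the spec file is renamed from `expect_certificate_transparency_spec.rb` to `expect_certificate_spec.rb` while the class under test (`ExpectCertificateTransparency`) and the lib file (`headers/expect_certificate_transparency.rb`, also touched in this release) keep the full name; the shortened name looks accidental and breaks the one-spec-per-class naming the other entries in the file listing follow. The `-` lines of the changed `specify` examples are truncated in this rendering, so the actual change to the expected header strings cannot be verified here; check the raw diff before merging.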
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 5.0.0.alpha01
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-10-
|
11
|
+
date: 2017-10-04 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -67,6 +67,9 @@ files:
|
|
67
67
|
- docs/named_overrides_and_appends.md
|
68
68
|
- docs/per_action_configuration.md
|
69
69
|
- docs/sinatra.md
|
70
|
+
- docs/upgrading-to-3-0.md
|
71
|
+
- docs/upgrading-to-4-0.md
|
72
|
+
- docs/upgrading-to-5-0.md
|
70
73
|
- lib/secure_headers.rb
|
71
74
|
- lib/secure_headers/configuration.rb
|
72
75
|
- lib/secure_headers/hash_helper.rb
|
@@ -94,7 +97,7 @@ files:
|
|
94
97
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
95
98
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
96
99
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
97
|
-
- spec/lib/secure_headers/headers/
|
100
|
+
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
98
101
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
99
102
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
100
103
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|
@@ -108,8 +111,6 @@ files:
|
|
108
111
|
- spec/lib/secure_headers/view_helpers_spec.rb
|
109
112
|
- spec/lib/secure_headers_spec.rb
|
110
113
|
- spec/spec_helper.rb
|
111
|
-
- upgrading-to-3-0.md
|
112
|
-
- upgrading-to-4-0.md
|
113
114
|
homepage: https://github.com/twitter/secureheaders
|
114
115
|
licenses:
|
115
116
|
- Apache Public License 2.0
|
@@ -117,7 +118,7 @@ metadata: {}
|
|
117
118
|
post_install_message: |2+
|
118
119
|
|
119
120
|
**********
|
120
|
-
:wave: secure_headers
|
121
|
+
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
|
121
122
|
**********
|
122
123
|
|
123
124
|
rdoc_options: []
|
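Review bot: this block is generated from the gemspec, so the duplicated 4.0 URL appears here as well; once the gemspec message is corrected to link the 5.0 guide, rebuild the gem so the metadata picks up the change.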
@@ -130,9 +131,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
130
131
|
version: '0'
|
131
132
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
132
133
|
requirements:
|
133
|
-
- - "
|
134
|
+
- - ">"
|
134
135
|
- !ruby/object:Gem::Version
|
135
|
-
version:
|
136
|
+
version: 1.3.1
|
136
137
|
requirements: []
|
137
138
|
rubyforge_project:
|
138
139
|
rubygems_version: 2.6.11
|
@@ -145,7 +146,7 @@ test_files:
|
|
145
146
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
146
147
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
147
148
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
148
|
-
- spec/lib/secure_headers/headers/
|
149
|
+
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
149
150
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
150
151
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
151
152
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|