secure_headers 4.0.2 → 5.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: bf4c1585c657ad3812d124ed506030b900eb3778
4
- data.tar.gz: afe30fa230c2e34ef8c9d253210e918dd8412f11
3
+ metadata.gz: 36d743dc370dce07a032c6e5154eef9081e5d258
4
+ data.tar.gz: 89c7965e04093df147c7543f9b3cd4cc3e347e41
5
5
  SHA512:
6
- metadata.gz: cc3230d801ffffbb1ddb892721b54aa54bba40c0785edaa399754f10d61e3870d385710ad722754dd604922807eb5fc8aece7abfc89a75c8f4f1c9dfb1467d04
7
- data.tar.gz: 11736ff26de3b9a5ada127edc1a8e32c25a0f75269109de5d60d19dc5dc28932f2bdfc9a44c4f1c13f4a44eee4759bcc8dfe4e08a4a600bc78042767f139489b
6
+ metadata.gz: 11985973764bd80715c68e232e977074f084557deea8b2b96962d5c74f79af81601df30d6dda3150d5b278c75ee7f45c95e93bac26d62265fd5dabd99a39e024
7
+ data.tar.gz: 9cf62ba5f6ebaad74cec79c2201faf1521aad2a65627d5a64c74c9ff668b535664c1c49b285578713ce2bc2472b704e6b972c51074d2574ff2ad574cf6b87870
data/CHANGELOG.md CHANGED
@@ -1,14 +1,18 @@
1
- ## 4.0.2
1
+ ## 5.0.1
2
2
 
3
3
  - Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.
4
4
 
5
+ ## 5.0.0
6
+
7
+ Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
8
+
5
9
  ## 4.0.1
6
10
 
7
11
  - Adds support for `worker-src` CSP directive to 4.x line (https://github.com/twitter/secureheaders/pull/364)
8
12
 
9
13
  ## 4.0
10
14
 
11
- - See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
15
+ - See the [upgrading to 4.0](docs/upgrading-to-4-0.md) guide. Lots of breaking changes.
12
16
 
13
17
  ## 3.7.2
14
18
 
@@ -326,7 +330,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
326
330
 
327
331
  ## 3.0.0
328
332
 
329
- secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
333
+ secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
330
334
 
331
335
  ## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning
332
336
 
data/README.md CHANGED
@@ -1,8 +1,8 @@
1
1
  # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
2
2
 
3
- **master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
3
+ **master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
4
4
 
5
- **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
5
+ **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
6
6
 
7
7
  **The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
8
8
 
@@ -22,7 +22,7 @@ The gem will automatically apply several headers that are related to security.
22
22
  - Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
23
23
  - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
24
24
 
25
- It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
25
+ It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
26
26
 
27
27
  `secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
28
28
 
@@ -55,7 +55,7 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
55
55
 
56
56
  All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
57
57
 
58
- **Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
58
+ **Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
59
59
 
60
60
  ```ruby
61
61
  SecureHeaders::Configuration.default do |config|
@@ -1,26 +1,6 @@
1
- ### Breaking Changes
2
-
3
- The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
4
-
5
- ## All cookies default to secure/httponly/SameSite=Lax
6
-
7
- By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
8
-
9
- ```ruby
10
- # specific opt outs
11
- config.cookies = {
12
- secure: SecureHeaders::OPT_OUT,
13
- httponly: SecureHeaders::OPT_OUT,
14
- samesite: SecureHeaders::OPT_OUT,
15
- }
16
-
17
- # nuclear option, just make things work again
18
- config.cookies = SecureHeaders::OPT_OUT
19
- ```
20
-
21
1
  ## script_src must be set
22
2
 
23
- Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
3
+ Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
24
4
 
25
5
  However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
26
6
 
@@ -0,0 +1,15 @@
1
+ ## All cookies default to secure/httponly/SameSite=Lax
2
+
3
+ By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
4
+
5
+ ```ruby
6
+ # specific opt outs
7
+ config.cookies = {
8
+ secure: SecureHeaders::OPT_OUT,
9
+ httponly: SecureHeaders::OPT_OUT,
10
+ samesite: SecureHeaders::OPT_OUT,
11
+ }
12
+
13
+ # nuclear option, just make things work again
14
+ config.cookies = SecureHeaders::OPT_OUT
15
+ ```
@@ -132,7 +132,7 @@ module SecureHeaders
132
132
  end
133
133
 
134
134
  def initialize(&block)
135
- @cookies = nil
135
+ @cookies = self.class.send(:deep_copy_if_hash, Cookie::COOKIE_DEFAULTS)
136
136
  @clear_site_data = nil
137
137
  @csp = nil
138
138
  @csp_report_only = nil
@@ -17,7 +17,7 @@ module SecureHeaders
17
17
  Kernel.warn(HPKP_SAME_HOST_WARNING)
18
18
  end
19
19
 
20
- flag_cookies!(headers, override_secure(env, config.cookies)) if config.cookies
20
+ flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
21
21
  headers.merge!(SecureHeaders.header_hash_for(req))
22
22
  [status, headers, response]
23
23
  end
@@ -2,7 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "secure_headers"
5
- gem.version = "4.0.2"
5
+ gem.version = "5.0.1"
6
6
  gem.authors = ["Neil Matatall"]
7
7
  gem.email = ["neil.matatall@gmail.com"]
8
8
  gem.description = "Manages application of security headers with many safe defaults."
@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
22
22
  gem.post_install_message = <<-POST_INSTALL
23
23
 
24
24
  **********
25
- :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
25
+ :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
26
26
  **********
27
27
 
28
28
  POST_INSTALL
@@ -91,5 +91,27 @@ module SecureHeaders
91
91
  end
92
92
  }.to raise_error(ArgumentError)
93
93
  end
94
+
95
+ it "gives cookies a default config" do
96
+ expect(Configuration.default.cookies).to eq({httponly: true, secure: true, samesite: {lax: true}})
97
+ end
98
+
99
+ it "allows OPT_OUT" do
100
+ Configuration.default do |config|
101
+ config.cookies = OPT_OUT
102
+ end
103
+
104
+ config = Configuration.get
105
+ expect(config.cookies).to eq(OPT_OUT)
106
+ end
107
+
108
+ it "allows me to be explicit too" do
109
+ Configuration.default do |config|
110
+ config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
111
+ end
112
+
113
+ config = Configuration.get
114
+ expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
115
+ end
94
116
  end
95
117
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.0.2
4
+ version: 5.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
@@ -67,6 +67,9 @@ files:
67
67
  - docs/named_overrides_and_appends.md
68
68
  - docs/per_action_configuration.md
69
69
  - docs/sinatra.md
70
+ - docs/upgrading-to-3-0.md
71
+ - docs/upgrading-to-4-0.md
72
+ - docs/upgrading-to-5-0.md
70
73
  - lib/secure_headers.rb
71
74
  - lib/secure_headers/configuration.rb
72
75
  - lib/secure_headers/hash_helper.rb
@@ -108,8 +111,6 @@ files:
108
111
  - spec/lib/secure_headers/view_helpers_spec.rb
109
112
  - spec/lib/secure_headers_spec.rb
110
113
  - spec/spec_helper.rb
111
- - upgrading-to-3-0.md
112
- - upgrading-to-4-0.md
113
114
  homepage: https://github.com/twitter/secureheaders
114
115
  licenses:
115
116
  - Apache Public License 2.0
@@ -117,7 +118,7 @@ metadata: {}
117
118
  post_install_message: |2+
118
119
 
119
120
  **********
120
- :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
121
+ :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
121
122
  **********
122
123
 
123
124
  rdoc_options: []
File without changes