secure_headers 5.1.0 → 6.0.0.alpha01

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32ea96aca183a8341bec40b998486beed14d59e8
-  data.tar.gz: 3081354f4bd486f5ea49d22f680d1ac2d36de4aa
+  metadata.gz: cd74fc8e9c9057255c1e6c75bc78554ec6751459
+  data.tar.gz: 2f72e782c0800b5bf124d841a0d556d321b1cb5f
 SHA512:
-  metadata.gz: cc8c64abdabaab458be788ee09a18984bab17cb8a01ef6eb76c75099cfaa5b8fc5962f5094e39f7067ebece388794e7f53a2e44f2fecdbfe4146a59a981211df
-  data.tar.gz: f8c369a5a2ac0e7547e231100c2a946a9204684d4db33206cc3baf0dd786b99c5a6d05cdaaaca5fcb439530a6d385d029c265dbc84f9b6ff665df52ad1191537
+  metadata.gz: 53ff0d4849c3892fbf4e35270c011d9d6c8da3984958fdc17f9669b32f0d9d39542dc4411323fe93bbf21137f0c8cfe26565a5836548061414153a2abd2dd949
+  data.tar.gz: 7472a097ae0926655aace8f5f719a4306920b08e4a1b798a588034d51a1446f51f442deb7c3f298d23481d52f2aa1b210ffb40b629671f449f63b7570a7ec2b0

data/.travis.yml

@@ -2,9 +2,10 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.6
-  - 2.5
-  - 2.4
+  - 2.5.0
+  - 2.4.3
+  - 2.3.6
+  - 2.2.9
   - jruby-head
 
 env:
@@ -18,7 +19,10 @@ matrix:
     - rvm: jruby-head
     - rvm: ruby-head
 
-before_install: gem update bundler
+before_install:
+  - gem update --system
+  - gem --version
+  - gem update bundler
 bundler_args: --without guard -j 3
 
 sudo: false

data/CHANGELOG.md

@@ -1,7 +1,7 @@
-## 5.1.0
-
-Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+## 6.0
 
+- See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
+=======
 ## 5.0.5
 
 A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x

data/Gemfile

@@ -9,7 +9,7 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop", "< 0.68"
+  gem "rubocop"
   gem "rubocop-github"
   gem "term-ansicolor"
   gem "tins"

data/docs/upgrading-to-6-0.md

@@ -0,0 +1,50 @@
+## Named overrides are now dynamically applied
+
+The original implementation of name overrides worked by making a copy of the default policy, applying the overrides, and storing the result for later use. But, this lead to unexpected results if named overrides were combined with a dynamic policy change. If a change was made to the default configuration during a request, followed by a named override, the dynamic changes would be lost. To keep things consistent named overrides have been rewritten to work the same as named appends in that they always operate on the configuration for the current request. As an example:
+
+```ruby
+class ApplicationController < ActionController::Base
+  Configuration.default do |config|
+    config.x_frame_options = OPT_OUT
+  end
+
+  SecureHeaders::Configuration.override(:dynamic_override) do |config|
+    config.x_content_type_options = "nosniff"
+  end
+end
+
+class FooController < ApplicationController
+  def bar
+    # Dynamically update the default config for this request
+    override_x_frame_options("DENY")
+    append_content_security_policy_directives(frame_src: "3rdpartyprovider.com")
+
+    # Override everything, discard modifications above
+    use_secure_headers_override(:dynamic_override)
+  end
+end
+```
+
+Prior to 6.0.0, the response would NOT include a `X-Frame-Options` header since the named override would be a copy of the default configuration, but with `X-Content-Type-Options` set to `nosniff`. As of 6.0.0, the above code results in both `X-Frame-Options` set to `DENY` AND `X-Content-Type-Options` set to `nosniff`.
+
+## `ContentSecurityPolicyConfig#merge` and `ContentSecurityPolicyReportOnlyConfig#merge` work more like `Hash#merge`
+
+These classes are typically not directly instantiated by users of SecureHeaders. But, if you access `config.csp` you end up accessing one of these objects. Prior to 6.0.0, `#merge` worked more like `#append` in that it would combine policies (i.e. if both policies contained the same key the values would be combined rather than overwritten). This was not consistent with `#merge!`, which worked more like ruby's `Hash#merge!` (overwriting duplicate keys). As of 6.0.0, `#merge` works the same as `#merge!`, but returns a new object instead of mutating `self`.
+
+## `Configuration#get` has been removed
+
+This method is not typically directly called by users of SecureHeaders. Given that named overrides are no longer statically stored, fetching them no longer makes sense.
+
+## Configuration headers are no longer cached
+
+Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.
+
+## Configuration the default configuration more than once will result in an Exception
+
+Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default` called more than once. Because configurations are dynamic, configuring more than once could result in unexpected behavior. So, as of 6.0.0 we raise `AlreadyConfiguredError` if the default configuration is setup more than once.
+
+## Nonce behavior and console warnings
+
+Since the first commit, reducing browser console messages was a goal. It led to overly complicated and error-prone UA sniffing. Nowadays, consoles warn on completely legitimate use of features meant to be backwards compatible. So the goal is impossible and the impact is negative, so eliminating code using sniffing is a goal.
+
+The first example: we will now send `'unsafe-inline'` along with nonce source expressions. This will generate warnings in some consoles but is 100% valid use and was a design goal of CSP in the early days. The concept of versioning CSP lost out and so we're left with backward compatibility as our only option.

data/lib/secure_headers/configuration.rb

@@ -4,7 +4,8 @@ require "yaml"
 module SecureHeaders
   class Configuration
     DEFAULT_CONFIG = :default
-    NOOP_CONFIGURATION = "secure_headers_noop_config"
+    NOOP_OVERRIDE = "secure_headers_noop_override"
+    class AlreadyConfiguredError < StandardError; end
     class NotYetConfiguredError < StandardError; end
     class IllegalPolicyModificationError < StandardError; end
     class << self
@@ -14,9 +15,21 @@ module SecureHeaders
       #
       # Returns the newly created config.
       def default(&block)
-        config = new(&block)
-        add_noop_configuration
-        add_configuration(DEFAULT_CONFIG, config)
+        if defined?(@default_config)
+          raise AlreadyConfiguredError, "Policy already configured"
+        end
+
+        # Define a built-in override that clears all configuration options and
+        # results in no security headers being set.
+        override(NOOP_OVERRIDE) do |config|
+          CONFIG_ATTRIBUTES.each do |attr|
+            config.instance_variable_set("@#{attr}", OPT_OUT)
+          end
+        end
+
+        new_config = new(&block).freeze
+        new_config.validate_config!
+        @default_config = new_config
       end
       alias_method :configure, :default
 
@@ -27,28 +40,15 @@ module SecureHeaders
       # if no value is supplied.
       #
       # Returns: the newly created config
-      def override(name, base = DEFAULT_CONFIG, &block)
-        unless get(base, internal: true)
-          raise NotYetConfiguredError, "#{base} policy not yet supplied"
-        end
-        override = @configurations[base].dup
-        override.instance_eval(&block) if block_given?
-        add_configuration(name, override)
+      def override(name, &block)
+        @overrides ||= {}
+        raise "Provide a configuration block" unless block_given?
+        @overrides[name] = block
       end
 
-      # Public: retrieve a global configuration object
-      #
-      # Returns the configuration with a given name or raises a
-      # NotYetConfiguredError if `default` has not been called.
-      def get(name = DEFAULT_CONFIG, internal: false)
-        unless internal
-          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#get` is deprecated. It will be removed in the next major release. Use SecureHeaders::Configuration.dup to retrieve the default config."
-        end
-
-        if @configurations.nil?
-          raise NotYetConfiguredError, "Default policy not yet supplied"
-        end
-        @configurations[name]
+      def overrides(name)
+        @overrides ||= {}
+        @overrides[name]
       end
 
       def named_appends(name)
@@ -56,44 +56,17 @@ module SecureHeaders
         @appends[name]
       end
 
-      def named_append(name, target = nil, &block)
+      def named_append(name, &block)
         @appends ||= {}
         raise "Provide a configuration block" unless block_given?
         @appends[name] = block
       end
 
-      private
-
-      # Private: add a valid configuration to the global set of named configs.
-      #
-      # config - the config to store
-      # name - the lookup value for this config
-      #
-      # Raises errors if the config is invalid or if a config named `name`
-      # already exists.
-      #
-      # Returns the config, if valid
-      def add_configuration(name, config)
-        config.validate_config!
-        @configurations ||= {}
-        config.send(:cache_headers!)
-        config.send(:cache_hpkp_report_host)
-        config.freeze
-        @configurations[name] = config
+      def dup
+        default_config.dup
       end
 
-      # Private: Automatically add an "opt-out of everything" override.
-      #
-      # Returns the noop config
-      def add_noop_configuration
-        noop_config = new do |config|
-          ALL_HEADER_CLASSES.each do |klass|
-            config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
-          end
-        end
-
-        add_configuration(NOOP_CONFIGURATION, noop_config)
-      end
+      private
 
       # Public: perform a basic deep dup. The shallow copy provided by dup/clone
       # can lead to modifying parent objects.
@@ -108,6 +81,17 @@ module SecureHeaders
         end
       end
 
+      # Private: Returns the internal default configuration. This should only
+      # ever be called by internal callers (or tests) that know the semantics
+      # of ensuring that the default config is never mutated and is dup(ed)
+      # before it is used in a request.
+      def default_config
+        unless defined?(@default_config)
+          raise NotYetConfiguredError, "Default policy not yet configured"
+        end
+        @default_config
+      end
+
       # Private: convenience method purely DRY things up. The value may not be a
       # hash (e.g. OPT_OUT, nil)
       def deep_copy_if_hash(value)
@@ -119,11 +103,31 @@ module SecureHeaders
       end
     end
 
-    attr_writer :hsts, :x_frame_options, :x_content_type_options,
-      :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :referrer_policy, :clear_site_data, :expect_certificate_transparency
+    CONFIG_ATTRIBUTES_TO_HEADER_CLASSES = {
+      hsts: StrictTransportSecurity,
+      x_frame_options: XFrameOptions,
+      x_content_type_options: XContentTypeOptions,
+      x_xss_protection: XXssProtection,
+      x_download_options: XDownloadOptions,
+      x_permitted_cross_domain_policies: XPermittedCrossDomainPolicies,
+      referrer_policy: ReferrerPolicy,
+      clear_site_data: ClearSiteData,
+      expect_certificate_transparency: ExpectCertificateTransparency,
+      csp: ContentSecurityPolicy,
+      csp_report_only: ContentSecurityPolicy,
+      hpkp: PublicKeyPins,
+      cookies: Cookie,
+    }.freeze
+
+    CONFIG_ATTRIBUTES = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys.freeze
+
+    # The list of attributes that must respond to a `validate_config!` method
+    VALIDATABLE_ATTRIBUTES = CONFIG_ATTRIBUTES
 
-    attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
+    # The list of attributes that must respond to a `make_header` method
+    HEADERABLE_ATTRIBUTES = (CONFIG_ATTRIBUTES - [:cookies]).freeze
+
+    attr_accessor(*CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys)
 
     @script_hashes = nil
     @style_hashes = nil
@@ -140,7 +144,6 @@ module SecureHeaders
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil
-      @hpkp_report_host = nil
       @hpkp = nil
       @hsts = nil
       @x_content_type_options = nil
@@ -158,7 +161,7 @@ module SecureHeaders
       instance_eval(&block) if block_given?
     end
 
-    # Public: copy everything but the cached headers
+    # Public: copy everything
     #
     # Returns a deep-dup'd copy of this configuration.
     def dup
@@ -166,7 +169,6 @@ module SecureHeaders
       copy.cookies = self.class.send(:deep_copy_if_hash, @cookies)
       copy.csp = @csp.dup if @csp
       copy.csp_report_only = @csp_report_only.dup if @csp_report_only
-      copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
       copy.x_content_type_options = @x_content_type_options
       copy.hsts = @hsts
       copy.x_frame_options = @x_frame_options
@@ -177,18 +179,39 @@ module SecureHeaders
       copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
-      copy.hpkp_report_host = @hpkp_report_host
       copy
     end
 
+    # Public: Apply a named override to the current config
+    #
+    # Returns self
+    def override(name = nil, &block)
+      if override = self.class.overrides(name)
+        instance_eval(&override)
+      else
+        raise ArgumentError.new("no override by the name of #{name} has been configured")
+      end
+      self
+    end
+
+    def generate_headers(user_agent)
+      headers = {}
+      HEADERABLE_ATTRIBUTES.each do |attr|
+        klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
+        header_name, value = klass.make_header(instance_variable_get("@#{attr}"), user_agent)
+        if header_name && value
+          headers[header_name] = value
+        end
+      end
+      headers
+    end
+
     def opt_out(header)
       send("#{header}=", OPT_OUT)
-      self.cached_headers.delete(header)
     end
 
     def update_x_frame_options(value)
       @x_frame_options = value
-      self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
     end
 
     # Public: validates all configurations values.
@@ -197,19 +220,10 @@ module SecureHeaders
     #
     # Returns nothing
     def validate_config!
-      StrictTransportSecurity.validate_config!(@hsts)
-      ContentSecurityPolicy.validate_config!(@csp)
-      ContentSecurityPolicy.validate_config!(@csp_report_only)
-      ReferrerPolicy.validate_config!(@referrer_policy)
-      XFrameOptions.validate_config!(@x_frame_options)
-      XContentTypeOptions.validate_config!(@x_content_type_options)
-      XXssProtection.validate_config!(@x_xss_protection)
-      XDownloadOptions.validate_config!(@x_download_options)
-      XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
-      ClearSiteData.validate_config!(@clear_site_data)
-      ExpectCertificateTransparency.validate_config!(@expect_certificate_transparency)
-      PublicKeyPins.validate_config!(@hpkp)
-      Cookie.validate_config!(@cookies)
+      VALIDATABLE_ATTRIBUTES.each do |attr|
+        klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
+        klass.validate_config!(instance_variable_get("@#{attr}"))
+      end
     end
 
     def secure_cookies=(secure_cookies)
@@ -217,15 +231,15 @@ module SecureHeaders
     end
 
     def csp=(new_csp)
-      if new_csp.respond_to?(:opt_out?)
-        @csp = new_csp.dup
+      case new_csp
+      when OPT_OUT
+        @csp = new_csp
+      when ContentSecurityPolicyConfig
+        @csp = new_csp
+      when Hash
+        @csp = ContentSecurityPolicyConfig.new(new_csp)
       else
-        if new_csp[:report_only]
-          # invalid configuration implies that CSPRO should be set, CSP should not - so opt out
-          raise ArgumentError, "#{Kernel.caller.first}: `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
-        else
-          @csp = ContentSecurityPolicyConfig.new(new_csp)
-        end
+        raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
     end
 
@@ -236,87 +250,23 @@ module SecureHeaders
     # configuring csp_report_only, the code will assume you mean to only use
     # report-only mode and you will be opted-out of enforce mode.
     def csp_report_only=(new_csp)
-      @csp_report_only = begin
-        if new_csp.is_a?(ContentSecurityPolicyConfig)
-          new_csp.make_report_only
-        elsif new_csp.respond_to?(:opt_out?)
-          new_csp.dup
-        else
-          if new_csp[:report_only] == false # nil is a valid value on which we do not want to raise
-            raise ContentSecurityPolicyConfigError, "`#csp_report_only=` was supplied a config with report_only: false. Use #csp="
-          else
-            ContentSecurityPolicyReportOnlyConfig.new(new_csp)
-          end
-        end
-      end
-    end
-
-    protected
-
-    def cookies=(cookies)
-      @cookies = cookies
-    end
-
-    def cached_headers=(headers)
-      @cached_headers = headers
-    end
-
-    def hpkp=(hpkp)
-      @hpkp = self.class.send(:deep_copy_if_hash, hpkp)
-    end
-
-    def hpkp_report_host=(hpkp_report_host)
-      @hpkp_report_host = hpkp_report_host
-    end
-
-    private
-
-    def cache_hpkp_report_host
-      has_report_uri = @hpkp && @hpkp != OPT_OUT && @hpkp[:report_uri]
-      self.hpkp_report_host = if has_report_uri
-        parsed_report_uri = URI.parse(@hpkp[:report_uri])
-        parsed_report_uri.host
-      end
-    end
-
-    # Public: Precompute the header names and values for this configuration.
-    # Ensures that headers generated at configure time, not on demand.
-    #
-    # Returns the cached headers
-    def cache_headers!
-      # generate defaults for the "easy" headers
-      headers = (ALL_HEADERS_BESIDES_CSP).each_with_object({}) do |klass, hash|
-        config = instance_variable_get("@#{klass::CONFIG_KEY}")
-        unless config == OPT_OUT
-          hash[klass::CONFIG_KEY] = klass.make_header(config).freeze
-        end
+      case new_csp
+      when OPT_OUT
+        @csp_report_only = new_csp
+      when ContentSecurityPolicyReportOnlyConfig
+        @csp_report_only = new_csp.dup
+      when ContentSecurityPolicyConfig
+        @csp_report_only = new_csp.make_report_only
+      when Hash
+        @csp_report_only = ContentSecurityPolicyReportOnlyConfig.new(new_csp)
+      else
+        raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
-
-      generate_csp_headers(headers)
-
-      headers.freeze
-      self.cached_headers = headers
     end
 
-    # Private: adds CSP headers for each variation of CSP support.
-    #
-    # headers - generated headers are added to this hash namespaced by The
-    #   different variations
-    #
-    # Returns nothing
-    def generate_csp_headers(headers)
-      generate_csp_headers_for_config(headers, ContentSecurityPolicyConfig::CONFIG_KEY, self.csp)
-      generate_csp_headers_for_config(headers, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY, self.csp_report_only)
-    end
-
-    def generate_csp_headers_for_config(headers, header_key, csp_config)
-      unless csp_config.opt_out?
-        headers[header_key] = {}
-        ContentSecurityPolicy::VARIATIONS.each_key do |name|
-          csp = ContentSecurityPolicy.make_header(csp_config, UserAgent.parse(name))
-          headers[header_key][name] = csp.freeze
-        end
-      end
+    def hpkp_report_host
+      return nil unless @hpkp && hpkp != OPT_OUT && @hpkp[:report_uri]
+      URI.parse(@hpkp[:report_uri]).host
     end
   end
 end

data/lib/secure_headers/headers/clear_site_data.rb

@@ -11,13 +11,11 @@ module SecureHeaders
     EXECUTION_CONTEXTS = "executionContexts".freeze
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
-    CONFIG_KEY = :clear_site_data
-
     class << self
       # Public: make an Clear-Site-Data header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
         case config
         when nil, OPT_OUT, []
           # noop

data/lib/secure_headers/headers/content_security_policy.rb

@@ -13,6 +13,7 @@ module SecureHeaders
     FALLBACK_VERSION = ::UserAgent::Version.new("0")
 
     def initialize(config = nil, user_agent = OTHER)
+      user_agent ||= OTHER
       @config = if config.is_a?(Hash)
         if config[:report_only]
           ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
@@ -138,14 +139,8 @@ module SecureHeaders
       end
 
       if source_list != OPT_OUT && source_list && source_list.any?
-        minified_source_list = minify_source_list(directive, source_list).join(" ")
-
-        if minified_source_list.include?(";")
-          Kernel.warn("#{directive} contains a ; in '#{minified_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
-        end
-
-        escaped_source_list = minified_source_list.gsub(";", " ")
-        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
+        normalized_source_list = minify_source_list(directive, source_list)
+        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
       end
     end
 
@@ -218,11 +213,7 @@ module SecureHeaders
     # unsafe-inline, this is more concise.
     def append_nonce(source_list, nonce)
       if nonce
-        if nonces_supported?
-          source_list << "'nonce-#{nonce}'"
-        else
-          source_list << UNSAFE_INLINE
-        end
+        source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
       end
 
       source_list
@@ -262,10 +253,6 @@ module SecureHeaders
       end
     end
 
-    def nonces_supported?
-      @nonces_supported ||= self.class.nonces_supported?(@parsed_ua)
-    end
-
     def symbol_to_hyphen_case(sym)
       sym.to_s.tr("_", "-")
     end

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -2,7 +2,6 @@
 module SecureHeaders
   module DynamicConfig
     def self.included(base)
-      base.send(:attr_writer, :modified)
       base.send(:attr_reader, *base.attrs)
       base.attrs.each do |attr|
         base.send(:define_method, "#{attr}=") do |value|
@@ -42,7 +41,6 @@ module SecureHeaders
       @upgrade_insecure_requests = nil
 
       from_hash(hash)
-      @modified = false
     end
 
     def update_directive(directive, value)
@@ -55,12 +53,10 @@ module SecureHeaders
       end
     end
 
-    def modified?
-      @modified
-    end
-
     def merge(new_hash)
-      ContentSecurityPolicy.combine_policies(self.to_h, new_hash)
+      new_config = self.dup
+      new_config.send(:from_hash, new_hash)
+      new_config
     end
 
     def merge!(new_hash)
@@ -109,17 +105,12 @@ module SecureHeaders
     def write_attribute(attr, value)
       value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
       attr_variable = "@#{attr}"
-      prev_value = self.instance_variable_get(attr_variable)
       self.instance_variable_set(attr_variable, value)
-      if prev_value != value
-        @modified = true
-      end
     end
   end
 
   class ContentSecurityPolicyConfigError < StandardError; end
   class ContentSecurityPolicyConfig
-    CONFIG_KEY = :csp
     HEADER_NAME = "Content-Security-Policy".freeze
 
     ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
@@ -149,7 +140,6 @@ module SecureHeaders
   end
 
   class ContentSecurityPolicyReportOnlyConfig < ContentSecurityPolicyConfig
-    CONFIG_KEY = :csp_report_only
     HEADER_NAME = "Content-Security-Policy-Report-Only".freeze
 
     def report_only?

data/lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -4,7 +4,6 @@ module SecureHeaders
 
   class ExpectCertificateTransparency
     HEADER_NAME = "Expect-CT".freeze
-    CONFIG_KEY  = :expect_certificate_transparency
     INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
     INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
     REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
@@ -15,8 +14,8 @@ module SecureHeaders
       #
       # Returns nil if not configured, returns header name and value if
       # configured.
-      def make_header(config)
-        return if config.nil?
+      def make_header(config, use_agent = nil)
+        return if config.nil? || config == OPT_OUT
 
         header = new(config)
         [HEADER_NAME, header.value]