secure_headers 6.0.0 → 6.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6d7392744d486b32bda2b91432d39ddfeee87dfd
-  data.tar.gz: 38328982bf71376b9412ed8c7d0652163741bf16
+SHA256:
+  metadata.gz: 6919954e57f87c70a4fa42baa5285649bd7484ec6785894a2b461b6f52558f29
+  data.tar.gz: 710492a0e64a47f41f2b079e6d4799922aa05e51d017cacafcc20d77383815ee
 SHA512:
-  metadata.gz: e08d9df89db6908d0c8419d0086bf8fb6c7e374c53e0bf774bd74d534094c66ef3cdcbac23e97c03b05d4045ba6878c3f6d8a17877146bdb6f2f0c15b57d1784
-  data.tar.gz: 304824374c236d11edc52049732a2ea133bbbdf611f35b2c5309a950125e879fb4016f0f15d7ad6c09310ab4b6080e966fac912147f43ed91989aa15898595a7
+  metadata.gz: efd8e608dfeafc5d7e7fcd06274b0b8ed0c640744ab9d8113597bef916f31666cbf518b1dcd6869d7af42fbcbaf15a6a4cf8100b97fcbf52f5ba790e495e26c0
+  data.tar.gz: dcc504641e1c22b24a05c76534e2f8ba7a7fd5ff1b5f891eb467d23876c60900ef235d2dd4ba49af4352b23ffd1cd246c720aff79668244b6a10cec3aab8ed6f

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/build.yml

@@ -0,0 +1,24 @@
+name: Build + Test
+on: [pull_request, push]
+
+jobs:
+  build:
+    name: Build + Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby ${{ matrix.ruby }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Build and test with Rake
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3 --without guard
+        bundle exec rspec spec
+        bundle exec rubocop
+

data/.github/workflows/github-release.yml

@@ -0,0 +1,28 @@
+name: GitHub Release
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  Publish:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - name: Calculate release name
+        run: |
+          GITHUB_REF=${{ github.ref }}
+          RELEASE_NAME=${GITHUB_REF#"refs/tags/"}
+          echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV
+      - name: Publish release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: ${{ env.RELEASE_NAME }}
+          draft: false
+          prerelease: false

data/.rubocop.yml

@@ -1,3 +1,4 @@
 inherit_gem:
   rubocop-github:
     - config/default.yml
+require: rubocop-performance

data/.ruby-version

@@ -1 +1 @@
-2.4.2
+3.1.1

data/CHANGELOG.md

@@ -1,3 +1,49 @@
+## 6.5.0
+
+- CSP: Remove source expression deduplication. (@lgarron) https://github.com/github/secure_headers/pull/499
+
+## 6.4.0
+
+- CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): https://github.com/github/secure_headers/pull/486
+
+## 6.3.4
+
+- CSP: Do not deduplicate alternate schema source expressions (@keithamus): https://github.com/github/secure_headers/pull/478
+
+## 6.3.3
+
+Fix hash generation for indented helper methods (@rahearn)
+
+## 6.3.2
+
+Add support for style-src-attr, style-src-elem, script-src-attr, and script-src-elem directives (@ggalmazor)
+
+## 6.3.1
+
+Fixes deprecation warnings when running under ruby 2.7
+
+## 6.3.0
+
+Fixes newline injection issue
+
+## 6.2.0
+
+Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+
+## 6.1.2
+
+Adds the ability to specify `SameSite=none` with the same configurability as `Strict`/`Lax` in order to disable Chrome's soon-to-be-lax-by-default state.
+
+## 6.1.1
+
+Adds the ability to disable the automatically-appended `'unsafe-inline'` value when nonces are used #404 (@will)
+
+## 6.1
+
+Adds support for navigate-to, prefetch-src, and require-sri-for #395
+
+NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle :pray:
+
 ## 6.0
 
 - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
@@ -350,7 +396,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
 
 ## 3.0.0
 
-secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
+secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/main/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
 
 ## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning
 

data/Gemfile

@@ -3,6 +3,8 @@ source "https://rubygems.org"
 
 gemspec
 
+gem "benchmark-ips"
+
 group :test do
   gem "coveralls"
   gem "json"
@@ -11,13 +13,14 @@ group :test do
   gem "rspec"
   gem "rubocop"
   gem "rubocop-github"
+  gem "rubocop-performance"
   gem "term-ansicolor"
   gem "tins"
 end
 
 group :guard do
   gem "growl"
-  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
+  gem "guard-rspec", platforms: [:ruby]
   gem "rb-fsevent"
   gem "terminal-notifier-guard"
 end

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright 2013, 2014, 2015, 2016, 2017 Twitter, Inc.
+Copyright 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Twitter, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

data/README.md

@@ -1,13 +1,9 @@
-# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
+# Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
 
-**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
-
-**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
-
-**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
+**main branch represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
 The gem will automatically apply several headers that are related to security.  This includes:
-- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
+- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](https://www.w3.org/TR/CSP2/)
   - https://csp.withgoogle.com
   - https://csp.withgoogle.com/docs/strict-csp.html
   - https://csp-evaluator.withgoogle.com
@@ -33,20 +29,6 @@ It can also mark all http cookies with the Secure, HttpOnly and SameSite attribu
 - [Hashes](docs/hashes.md)
 - [Sinatra Config](docs/sinatra.md)
 
-## Getting Started
-
-### Rails 3+
-
-For Rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. If for some reason the middleware is not being included follow the instructions for Rails 2.
-
-### Rails 2
-
-For Rails 2 or non-rails applications, an explicit statement is required to use the middleware component.
-
-```ruby
-use SecureHeaders::Middleware
-```
-
 ## Configuration
 
 If you do not supply a `default` configuration, exceptions will be raised. If you would like to use a default configuration (which is fairly locked down), just call `SecureHeaders::Configuration.default` without any arguments or block.
@@ -75,11 +57,11 @@ SecureHeaders::Configuration.default do |config|
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+    disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.
 
     # directive values: these values will directly translate into source directives
     default_src: %w('none'),
     base_uri: %w('self'),
-    block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
     child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
     connect_src: %w(wss:),
     font_src: %w('self' data:),
@@ -92,7 +74,11 @@ SecureHeaders::Configuration.default do |config|
     sandbox: true, # true and [] will set a maximally restrictive setting
     plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
+    script_src_elem: %w('self'),
+    script_src_attr: %w('self'),
     style_src: %w('unsafe-inline'),
+    style_src_elem: %w('unsafe-inline'),
+    style_src_attr: %w('unsafe-inline'),
     worker_src: %w('self'),
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://report-uri.io/example-csp)
@@ -105,6 +91,9 @@ SecureHeaders::Configuration.default do |config|
 end
 ```
 
+### Deprecated Configuration Values
+* `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content for more information.
+
 ## Default values
 
 All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:
@@ -119,22 +108,73 @@ X-Permitted-Cross-Domain-Policies: none
 X-Xss-Protection: 1; mode=block
 ```
 
+## API configurations
+
+Which headers you decide to use for API responses is entirely a personal choice. Things like X-Frame-Options seem to have no place in an API response and would be wasting bytes. While this is true, browsers can do funky things with non-html responses. At the minimum, we suggest CSP:
+
+```ruby
+SecureHeaders::Configuration.override(:api) do |config|
+  config.csp = { default_src: 'none' }
+  config.hsts = SecureHeaders::OPT_OUT
+  config.x_frame_options = SecureHeaders::OPT_OUT
+  config.x_content_type_options = SecureHeaders::OPT_OUT
+  config.x_xss_protection = SecureHeaders::OPT_OUT
+  config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
+end
+```
+
+However, I would consider these headers anyways depending on your load and bandwidth requirements.
+
+## Acknowledgements
+
+This project originated within the Security team at Twitter. An archived fork from the point of transition is here: https://github.com/twitter-archive/secure_headers.
+
+Contributors include:
+* Neil Matatall @oreoshake
+* Chris Aniszczyk
+* Artur Dryomov
+* Bjørn Mæland
+* Arthur Chiu
+* Jonathan Viney
+* Jeffrey Horn
+* David Collazo
+* Brendon Murphy
+* William Makley
+* Reed Loden
+* Noah Kantrowitz
+* Wyatt Anderson
+* Salimane Adjao Moustapha
+* Francois Chagnon
+* Jeff Hodges
+* Ian Melven
+* Darío Javier Cravero
+* Logan Hasson
+* Raul E Rangel
+* Steve Agalloco
+* Nate Collings
+* Josh Kalderimis
+* Alex Kwiatkowski
+* Julich Mera
+* Jesse Storimer
+* Tom Daniels
+* Kolja Dummann
+* Jean-Philippe Doyle
+* Blake Hitchcock
+* vanderhoorn
+* orthographic-pedant
+* Narsimham Chelluri
+
+If you've made a contribution and see your name missing from the list, make a PR and add it!
+
 ## Similar libraries
 
 * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)
 * Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
 * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
-* J2EE Servlet >= 3.0 [headlines](https://github.com/sourceclear/headlines)
 * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
-* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
+* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security), [secure](https://github.com/TypeError/secure)
 * Go - [secureheader](https://github.com/kr/secureheader)
 * Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
 * Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
 * Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/)
 * PHP [secure-headers](https://github.com/BePsvPT/secure-headers)
-
-## License
-
-Copyright 2013-2014 Twitter, Inc and other contributors.
-
-Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

data/docs/cookies.md

@@ -25,7 +25,7 @@ Boolean-based configuration is intended to globally enable or disable a specific
 ```ruby
 config.cookies = {
   secure: true, # mark all cookies as Secure
-  httponly: OPT_OUT, # do not mark any cookies as HttpOnly
+  httponly: SecureHeaders::OPT_OUT, # do not mark any cookies as HttpOnly
 }
 ```
 
@@ -52,13 +52,14 @@ config.cookies = {
 }
 ```
 
-`Strict` and `Lax` enforcement modes can also be specified using a Hash.
+`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
 
 ```ruby
 config.cookies = {
   samesite: {
-    strict: { only: ['_rails_session'] },
-    lax: { only: ['_guest'] }
+    strict: { only: ['session_id_duplicate'] },
+    lax: { only: ['_guest', '_rails_session', 'device_id'] },
+    none: { only: ['_tracking', 'saml_cookie', 'session_id'] },
   }
 }
 ```

data/docs/named_overrides_and_appends.md

@@ -1,6 +1,6 @@
 ## Named Appends
 
-Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility.
+Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility. Reusing a configuration name is not allowed and will throw an exception.
 
 ```ruby
 def show
@@ -76,11 +76,6 @@ class ApplicationController < ActionController::Base
   SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config|
     config.csp[:script_src] << "otherdomain.com"
   end
-
-  # overrides the :script_from_otherdomain_com configuration
-  SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config|
-    config.csp[:script_src] << "evenanotherdomain.com"
-  end
 end
 
 class MyController < ApplicationController
@@ -96,6 +91,8 @@ class MyController < ApplicationController
 end
 ```
 
+Reusing a configuration name is not allowed and will throw an exception.
+
 By default, a no-op configuration is provided. No headers will be set when this default override is used.
 
 ```ruby

data/docs/per_action_configuration.md

@@ -54,7 +54,7 @@ Code  | Result
 
 #### Nonce
 
-You can use a view helper to automatically add nonces to script tags:
+You can use a view helper to automatically add nonces to script tags. Currently, using a nonce helper or calling `content_security_policy_nonce` will populate all configured CSP headers, including report-only and enforced policies. 
 
 ```erb
 <%= nonced_javascript_tag do %>
@@ -120,9 +120,7 @@ You can clear the browser cache after the logout request by using the following.
 class ApplicationController < ActionController::Base
   # Configuration override to send the Clear-Site-Data header.
   SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
-    config.clear_site_data = [
-      SecureHeaders::ClearSiteData::ALL_TYPES
-    ]
+    config.clear_site_data = SecureHeaders::ClearSiteData::ALL_TYPES
   end
 
 

data/docs/upgrading-to-6-0.md

@@ -5,7 +5,7 @@ The original implementation of name overrides worked by making a copy of the def
 ```ruby
 class ApplicationController < ActionController::Base
   Configuration.default do |config|
-    config.x_frame_options = OPT_OUT
+    config.x_frame_options = SecureHeaders::OPT_OUT
   end
 
   SecureHeaders::Configuration.override(:dynamic_override) do |config|
@@ -29,7 +29,7 @@ Prior to 6.0.0, the response would NOT include a `X-Frame-Options` header since
 
 ## `ContentSecurityPolicyConfig#merge` and `ContentSecurityPolicyReportOnlyConfig#merge` work more like `Hash#merge`
 
-These classes are typically not directly instantiated by users of SecureHeaders. But, if you access `config.csp` you end up accessing one of these objects. Prior to 6.0.0, `#merge` worked more like `#append` in that it would combine policies (i.e. if both policies contained the same key the values would be combined rather than overwritten). This was not consistent with `#merge!`, which worked more like ruby's `Hash#merge!` (overwriting duplicate keys). As of 6.0.0, `#merge` works the same as `#merge!`, but returns a new object instead of mutating `self`.
+These classes are typically not directly instantiated by users of SecureHeaders. But, if you access `config.csp` you end up accessing one of these objects. Prior to 6.0.0, `#merge` worked more like `#append` in that it would combine policies (i.e. if both policies contained the same key the values would be combined rather than overwritten). This was not consistent with `#merge!`, which worked more like Ruby's `Hash#merge!` (overwriting duplicate keys). As of 6.0.0, `#merge` works the same as `#merge!`, but returns a new object instead of mutating `self`.
 
 ## `Configuration#get` has been removed
 
@@ -39,7 +39,7 @@ This method is not typically directly called by users of SecureHeaders. Given th
 
 Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.
 
-## Configuration the default configuration more than once will result in an Exception
+## Calling the default configuration more than once will result in an Exception
 
 Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default` called more than once. Because configurations are dynamic, configuring more than once could result in unexpected behavior. So, as of 6.0.0 we raise `AlreadyConfiguredError` if the default configuration is setup more than once.
 
@@ -47,4 +47,4 @@ Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default`
 
 The policy configured is the policy that is delivered in terms of which directives are sent. We still dedup, strip schemes, and look for other optimizations but we will not e.g. conditionally send `frame-src` / `child-src` or apply `nonce`s / `unsafe-inline`.
 
-The primary reason for these per-browser customization was to reduce console warnings. This has lead to many bugs and results inc confusing behavior. Also, console logs are incredibly noisy today and increasingly warn you about perfectly valid things (like sending `X-Frame-Options` and `frame-ancestors` together).
+The primary reason for these per-browser customization was to reduce console warnings. This has lead to many bugs and results in confusing behavior. Also, console logs are incredibly noisy today and increasingly warn you about perfectly valid things (like sending `X-Frame-Options` and `frame-ancestors` together).

data/lib/secure_headers/configuration.rb

@@ -43,6 +43,9 @@ module SecureHeaders
       def override(name, &block)
         @overrides ||= {}
         raise "Provide a configuration block" unless block_given?
+        if named_append_or_override_exists?(name)
+          raise AlreadyConfiguredError, "Configuration already exists"
+        end
         @overrides[name] = block
       end
 
@@ -59,6 +62,9 @@ module SecureHeaders
       def named_append(name, &block)
         @appends ||= {}
         raise "Provide a configuration block" unless block_given?
+        if named_append_or_override_exists?(name)
+          raise AlreadyConfiguredError, "Configuration already exists"
+        end
         @appends[name] = block
       end
 
@@ -68,17 +74,26 @@ module SecureHeaders
 
       private
 
+      def named_append_or_override_exists?(name)
+        (defined?(@appends) && @appends.key?(name)) ||
+          (defined?(@overrides) && @overrides.key?(name))
+      end
+
       # Public: perform a basic deep dup. The shallow copy provided by dup/clone
       # can lead to modifying parent objects.
       def deep_copy(config)
         return unless config
-        config.each_with_object({}) do |(key, value), hash|
-          hash[key] = if value.is_a?(Array)
-            value.dup
-          else
-            value
-          end
+        result = {}
+        config.each_pair do |key, value|
+          result[key] =
+            case value
+            when Array
+              value.dup
+            else
+              value
+            end
         end
+        result
       end
 
       # Private: Returns the internal default configuration. This should only
@@ -115,7 +130,6 @@ module SecureHeaders
       expect_certificate_transparency: ExpectCertificateTransparency,
       csp: ContentSecurityPolicy,
       csp_report_only: ContentSecurityPolicy,
-      hpkp: PublicKeyPins,
       cookies: Cookie,
     }.freeze
 
@@ -127,7 +141,9 @@ module SecureHeaders
     # The list of attributes that must respond to a `make_header` method
     HEADERABLE_ATTRIBUTES = (CONFIG_ATTRIBUTES - [:cookies]).freeze
 
-    attr_accessor(*CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys)
+    attr_writer(*(CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.reject { |key| [:csp, :csp_report_only].include?(key) }.keys))
+
+    attr_reader(*(CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys))
 
     @script_hashes = nil
     @style_hashes = nil
@@ -144,7 +160,6 @@ module SecureHeaders
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil
-      @hpkp = nil
       @hsts = nil
       @x_content_type_options = nil
       @x_download_options = nil
@@ -153,7 +168,6 @@ module SecureHeaders
       @x_xss_protection = nil
       @expect_certificate_transparency = nil
 
-      self.hpkp = OPT_OUT
       self.referrer_policy = OPT_OUT
       self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
       self.csp_report_only = OPT_OUT
@@ -178,7 +192,6 @@ module SecureHeaders
       copy.clear_site_data = @clear_site_data
       copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
-      copy.hpkp = @hpkp
       copy
     end
 
@@ -263,10 +276,5 @@ module SecureHeaders
         raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
     end
-
-    def hpkp_report_host
-      return nil unless @hpkp && hpkp != OPT_OUT && @hpkp[:report_uri]
-      URI.parse(@hpkp[:report_uri]).host
-    end
   end
 end