secure_headers 6.0.0 → 6.7.0

data/secure_headers.gemspec

@@ -1,16 +1,20 @@
-# -*- encoding: utf-8 -*-
 # frozen_string_literal: true
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "secure_headers/version"
+
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "6.0.0"
+  gem.version       = SecureHeaders::VERSION
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
-  gem.description   = "Manages application of security headers with many safe defaults."
-  gem.summary       = 'Add easily configured security headers to responses
+  gem.summary       = "Manages application of security headers with many safe defaults."
+  gem.description   = 'Add easily configured security headers to responses
     including content-security-policy, x-frame-options,
     strict-transport-security, etc.'
   gem.homepage      = "https://github.com/twitter/secureheaders"
-  gem.license       = "Apache Public License 2.0"
+  gem.license       = "MIT"
   gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
   gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})

data/spec/lib/secure_headers/configuration_spec.rb

@@ -34,6 +34,60 @@ module SecureHeaders
       expect(Configuration.overrides(:test_override)).to_not be_nil
     end
 
+    describe "#override" do
+      it "raises on configuring an existing override" do
+        set_override = Proc.new {
+          Configuration.override(:test_override) do |config|
+            config.x_frame_options = "DENY"
+          end
+        }
+
+        set_override.call
+
+        expect { set_override.call }
+          .to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+
+      it "raises when a named append with the given name exists" do
+        Configuration.named_append(:test_override) do |config|
+          config.x_frame_options = "DENY"
+        end
+
+        expect do
+          Configuration.override(:test_override) do |config|
+            config.x_frame_options = "SAMEORIGIN"
+          end
+        end.to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+    end
+
+    describe "#named_append" do
+      it "raises on configuring an existing append" do
+        set_override = Proc.new {
+          Configuration.named_append(:test_override) do |config|
+            config.x_frame_options = "DENY"
+          end
+        }
+
+        set_override.call
+
+        expect { set_override.call }
+          .to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+
+      it "raises when an override with the given name exists" do
+        Configuration.override(:test_override) do |config|
+          config.x_frame_options = "DENY"
+        end
+
+        expect do
+          Configuration.named_append(:test_override) do |config|
+            config.x_frame_options = "SAMEORIGIN"
+          end
+        end.to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+    end
+
     it "deprecates the secure_cookies configuration" do
       expect {
         Configuration.default do |config|

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -28,6 +28,16 @@ module SecureHeaders
         expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
       end
 
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
+      end
+
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+      end
+
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")
@@ -38,12 +48,12 @@ module SecureHeaders
         expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
       end
 
-      it "minifies source expressions based on overlapping wildcards" do
+      it "does not minify source expressions based on overlapping wildcards" do
         config = {
           default_src: %w(a.example.org b.example.org *.example.org https://*.example.org)
         }
         csp = ContentSecurityPolicy.new(config)
-        expect(csp.value).to eq("default-src *.example.org")
+        expect(csp.value).to eq("default-src a.example.org b.example.org *.example.org")
       end
 
       it "removes http/s schemes from hosts" do
@@ -82,20 +92,30 @@ module SecureHeaders
       end
 
       it "does add a boolean directive if the value is true" do
-        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: true)
-        expect(csp.value).to eq("default-src example.org; block-all-mixed-content; upgrade-insecure-requests")
+        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: true)
+        expect(csp.value).to eq("default-src example.org; upgrade-insecure-requests")
       end
 
       it "does not add a boolean directive if the value is false" do
-        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: false)
-        expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
+        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: false)
+        expect(csp.value).to eq("default-src example.org")
       end
 
-      it "deduplicates any source expressions" do
-        csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
+      it "handles wildcard subdomain with wildcard port" do
+        csp = ContentSecurityPolicy.new(default_src: %w(https://*.example.org:*))
+        expect(csp.value).to eq("default-src *.example.org:*")
+      end
+
+      it "deduplicates source expressions that match exactly (after scheme stripping)" do
+        csp = ContentSecurityPolicy.new(default_src: %w(example.org https://example.org example.org))
         expect(csp.value).to eq("default-src example.org")
       end
 
+      it "does not deduplicate non-matching schema source expressions" do
+        csp = ContentSecurityPolicy.new(default_src: %w(*.example.org wss://example.example.org))
+        expect(csp.value).to eq("default-src *.example.org wss://example.example.org")
+      end
+
       it "creates maximally strict sandbox policy when passed no sandbox token values" do
         csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
         expect(csp.value).to eq("default-src example.org; sandbox")
@@ -116,10 +136,80 @@ module SecureHeaders
         ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
       end
 
+      it "allows script as a require-sri-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_sri_for: %w(script))
+        expect(csp.value).to eq("default-src 'self'; require-sri-for script")
+      end
+
+      it "allows style as a require-sri-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_sri_for: %w(style))
+        expect(csp.value).to eq("default-src 'self'; require-sri-for style")
+      end
+
+      it "allows script and style as a require-sri-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_sri_for: %w(script style))
+        expect(csp.value).to eq("default-src 'self'; require-sri-for script style")
+      end
+
+      it "allows style as a require-trusted-types-for source" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_trusted_types_for: %w(script))
+        expect(csp.value).to eq("default-src 'self'; require-trusted-types-for script")
+      end
+
+      it "includes prefetch-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), prefetch_src: %w(foo.com))
+        expect(csp.value).to eq("default-src 'self'; prefetch-src foo.com")
+      end
+
+      it "includes navigate-to" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), navigate_to: %w(foo.com))
+        expect(csp.value).to eq("default-src 'self'; navigate-to foo.com")
+      end
+
       it "supports strict-dynamic" do
         csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
+
+      it "supports strict-dynamic and opting out of the appended 'unsafe-inline'" do
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+      end
+
+      it "supports script-src-elem directive" do
+        csp = ContentSecurityPolicy.new({script_src: %w('self'), script_src_elem: %w('self')})
+        expect(csp.value).to eq("script-src 'self'; script-src-elem 'self'")
+      end
+
+      it "supports script-src-attr directive" do
+        csp = ContentSecurityPolicy.new({script_src: %w('self'), script_src_attr: %w('self')})
+        expect(csp.value).to eq("script-src 'self'; script-src-attr 'self'")
+      end
+
+      it "supports style-src-elem directive" do
+        csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_elem: %w('self')})
+        expect(csp.value).to eq("style-src 'self'; style-src-elem 'self'")
+      end
+
+      it "supports style-src-attr directive" do
+        csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_attr: %w('self')})
+        expect(csp.value).to eq("style-src 'self'; style-src-attr 'self'")
+      end
+
+      it "supports trusted-types directive" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy)})
+        expect(csp.value).to eq("trusted-types blahblahpolicy")
+      end
+
+      it "supports trusted-types directive with 'none'" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w('none')})
+        expect(csp.value).to eq("trusted-types 'none'")
+      end
+
+      it "allows duplicate policy names in trusted-types directive" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy 'allow-duplicates')})
+        expect(csp.value).to eq("trusted-types blahblahpolicy 'allow-duplicates'")
+      end
     end
   end
 end

data/spec/lib/secure_headers/headers/cookie_spec.rb

@@ -68,29 +68,21 @@ module SecureHeaders
     end
 
     context "SameSite cookies" do
-      it "flags SameSite=Lax" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-
-      it "flags SameSite=Lax when configured with a boolean" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-
-      it "does not flag cookies as SameSite=Lax when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
-      end
+      %w(None Lax Strict).each do |flag|
+        it "flags SameSite=#{flag}" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
 
-      it "flags SameSite=Strict" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
-      end
+        it "flags SameSite=#{flag} when configured with a boolean" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true}, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
 
-      it "does not flag cookies as SameSite=Strict when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
+        it "does not flag cookies as SameSite=#{flag} when excluded" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest")
+        end
       end
 
       it "flags SameSite=Strict when configured with a boolean" do
@@ -149,10 +141,15 @@ module SecureHeaders
       end.to raise_error(CookiesConfigError)
     end
 
-    it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
-      expect do
-        Cookie.validate_config!(samesite: { lax: true, strict: true})
-      end.to raise_error(CookiesConfigError)
+    cookie_options = %i(none lax strict)
+    cookie_options.each do |flag|
+      (cookie_options - [flag]).each do |other_flag|
+        it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
+          expect do
+            Cookie.validate_config!(samesite: { flag => true, other_flag => true})
+          end.to raise_error(CookiesConfigError)
+        end
+      end
     end
 
     it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -28,24 +28,34 @@ module SecureHeaders
 
           # directive values: these values will directly translate into source directives
           default_src: %w(https: 'self'),
-          frame_src: %w('self' *.twimg.com itunes.apple.com),
-          child_src: %w('self' *.twimg.com itunes.apple.com),
+
+          base_uri: %w('self'),
           connect_src: %w(wss:),
+          child_src: %w('self' *.twimg.com itunes.apple.com),
           font_src: %w('self' data:),
+          form_action: %w('self' github.com),
+          frame_ancestors: %w('none'),
+          frame_src: %w('self' *.twimg.com itunes.apple.com),
           img_src: %w(mycdn.com data:),
           manifest_src: %w(manifest.com),
           media_src: %w(utoob.com),
+          navigate_to: %w(netscape.com),
           object_src: %w('self'),
+          plugin_types: %w(application/x-shockwave-flash),
+          prefetch_src: %w(fetch.com),
+          require_sri_for: %w(script style),
+          require_trusted_types_for: %w('script'),
           script_src: %w('self'),
           style_src: %w('unsafe-inline'),
-          worker_src: %w(worker.com),
-          base_uri: %w('self'),
-          form_action: %w('self' github.com),
-          frame_ancestors: %w('none'),
-          plugin_types: %w(application/x-shockwave-flash),
-          block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
           upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-          report_uri: %w(https://example.com/uri-directive)
+          worker_src: %w(worker.com),
+          script_src_elem: %w(example.com),
+          script_src_attr: %w(example.com),
+          style_src_elem: %w(example.com),
+          style_src_attr: %w(example.com),
+          trusted_types: %w(abcpolicy),
+
+          report_uri: %w(https://example.com/uri-directive),
         }
 
         ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(config))
@@ -81,12 +91,6 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
-      it "requires :block_all_mixed_content to be a boolean value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(block_all_mixed_content: "steve")))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
       it "requires :upgrade_insecure_requests to be a boolean value" do
         expect do
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
@@ -111,6 +115,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
+      it "rejects style for trusted types" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(style_src: %w('self'), require_trusted_types_for: %w(script style), trusted_types: %w(abcpolicy))))
+        end
+      end
+
       # this is mostly to ensure people don't use the antiquated shorthands common in other configs
       it "performs light validation on source lists" do
         expect do
@@ -227,18 +237,18 @@ module SecureHeaders
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
 
-      it "overrides the :block_all_mixed_content flag" do
+      it "overrides the :upgrade_insecure_requests flag" do
         Configuration.default do |config|
           config.csp = {
             default_src: %w(https:),
             script_src: %w('self'),
-            block_all_mixed_content: false
+            upgrade_insecure_requests: false
           }
         end
         default_policy = Configuration.dup
-        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, block_all_mixed_content: true)
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, upgrade_insecure_requests: true)
         csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
+        expect(csp.value).to eq("default-src https:; script-src 'self'; upgrade-insecure-requests")
       end
 
       it "raises an error if appending to a OPT_OUT policy" do

data/spec/lib/secure_headers/middleware_spec.rb

@@ -14,25 +14,6 @@ module SecureHeaders
       Configuration.default
     end
 
-    it "warns if the hpkp report-uri host is the same as the current host" do
-      report_host = "report-uri.io"
-      reset_config
-      Configuration.default do |config|
-        config.hpkp = {
-          max_age: 10000000,
-          pins: [
-            {sha256: "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"},
-            {sha256: "73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f"}
-          ],
-          report_uri: "https://#{report_host}/example-hpkp"
-        }
-      end
-
-      expect(Kernel).to receive(:warn).with(Middleware::HPKP_SAME_HOST_WARNING)
-
-      middleware.call(Rack::MockRequest.env_for("https://#{report_host}", {}))
-    end
-
     it "sets the headers" do
       _, env = middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
       expect_default_values(env)

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -6,7 +6,7 @@ class Message < ERB
   include SecureHeaders::ViewHelpers
 
   def self.template
-<<-TEMPLATE
+    <<-TEMPLATE
 <% hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
   console.log(1)
 <% end %>
@@ -62,9 +62,10 @@ TEMPLATE
   end
 
   def content_tag(type, content = nil, options = nil, &block)
-    content = if block_given?
-      capture(block)
-    end
+    content =
+      if block_given?
+        capture(block)
+      end
 
     if options.is_a?(Hash)
       options = options.map { |k, v| " #{k}=#{v}" }

data/spec/lib/secure_headers_spec.rb

@@ -90,16 +90,6 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = { default_src: ["example.com"], script_src: %w('self') }
           config.csp_report_only = config.csp
-          config.hpkp = {
-            report_only: false,
-            max_age: 10000000,
-            include_subdomains: true,
-            report_uri: "https://report-uri.io/example-hpkp",
-            pins: [
-              {sha256: "abc"},
-              {sha256: "123"}
-            ]
-          }
         end
         SecureHeaders.opt_out_of_all_protection(request)
         hash = SecureHeaders.header_hash_for(request)
@@ -141,23 +131,6 @@ module SecureHeaders
         expect(SecureHeaders.header_hash_for(plaintext_request)[StrictTransportSecurity::HEADER_NAME]).to be_nil
       end
 
-      it "does not set the HPKP header if request is over HTTP" do
-        plaintext_request = Rack::Request.new({})
-        Configuration.default do |config|
-          config.hpkp = {
-            max_age: 1_000_000,
-            include_subdomains: true,
-            report_uri: "//example.com/uri-directive",
-            pins: [
-              { sha256: "abc" },
-              { sha256: "123" }
-            ]
-          }
-        end
-
-        expect(SecureHeaders.header_hash_for(plaintext_request)[PublicKeyPins::HEADER_NAME]).to be_nil
-      end
-
       context "content security policy" do
         let(:chrome_request) {
           Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
@@ -531,14 +504,6 @@ module SecureHeaders
         end.to raise_error(ReferrerPolicyConfigError)
       end
 
-      it "validates your hpkp config upon configuration" do
-        expect do
-          Configuration.default do |config|
-            config.hpkp = "lol"
-          end
-        end.to raise_error(PublicKeyPinsConfigError)
-      end
-
       it "validates your cookies config upon configuration" do
         expect do
           Configuration.default do |config|

data/spec/spec_helper.rb

@@ -37,7 +37,6 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ClearSiteData::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
-  expect(hash[SecureHeaders::PublicKeyPins::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders
@@ -46,10 +45,20 @@ module SecureHeaders
       def clear_default_config
         remove_instance_variable(:@default_config) if defined?(@default_config)
       end
+
+      def clear_overrides
+        remove_instance_variable(:@overrides) if defined?(@overrides)
+      end
+
+      def clear_appends
+        remove_instance_variable(:@appends) if defined?(@appends)
+      end
     end
   end
 end
 
 def reset_config
   SecureHeaders::Configuration.clear_default_config
+  SecureHeaders::Configuration.clear_overrides
+  SecureHeaders::Configuration.clear_appends
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.0.0
+  version: 6.7.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-08 00:00:00.000000000 Z
+date: 2024-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -24,7 +24,10 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Manages application of security headers with many safe defaults.
+description: |-
+  Add easily configured security headers to responses
+      including content-security-policy, x-frame-options,
+      strict-transport-security, etc.
 email:
 - neil.matatall@gmail.com
 executables: []
@@ -33,12 +36,14 @@ extra_rdoc_files: []
 files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
+- ".github/dependabot.yml"
+- ".github/workflows/build.yml"
+- ".github/workflows/github-release.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-gemset"
 - ".ruby-version"
-- ".travis.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -65,7 +70,6 @@ files:
 - lib/secure_headers/headers/cookie.rb
 - lib/secure_headers/headers/expect_certificate_transparency.rb
 - lib/secure_headers/headers/policy_management.rb
-- lib/secure_headers/headers/public_key_pins.rb
 - lib/secure_headers/headers/referrer_policy.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
@@ -76,6 +80,7 @@ files:
 - lib/secure_headers/middleware.rb
 - lib/secure_headers/railtie.rb
 - lib/secure_headers/utils/cookies_config.rb
+- lib/secure_headers/version.rb
 - lib/secure_headers/view_helper.rb
 - lib/tasks/tasks.rake
 - secure_headers.gemspec
@@ -85,7 +90,6 @@ files:
 - spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
@@ -99,7 +103,7 @@ files:
 - spec/spec_helper.rb
 homepage: https://github.com/twitter/secureheaders
 licenses:
-- Apache Public License 2.0
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -116,12 +120,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
-summary: Add easily configured security headers to responses including content-security-policy,
-  x-frame-options, strict-transport-security, etc.
+summary: Manages application of security headers with many safe defaults.
 test_files:
 - spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb
@@ -129,7 +131,6 @@ test_files:
 - spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb

data/.travis.yml

@@ -1,29 +0,0 @@
-language: ruby
-
-rvm:
-  - ruby-head
-  - 2.5.0
-  - 2.4.3
-  - 2.3.6
-  - 2.2.9
-  - jruby-head
-
-env:
-  - SUITE=rspec spec
-  - SUITE=rubocop
-
-script: bundle exec $SUITE
-
-matrix:
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-
-before_install:
-  - gem update --system
-  - gem --version
-  - gem update bundler
-bundler_args: --without guard -j 3
-
-sudo: false
-cache: bundler