secure_headers 6.7.0 → 7.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
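--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 6919954e57f87c70a4fa42baa5285649bd7484ec6785894a2b461b6f52558f29
- data.tar.gz: 710492a0e64a47f41f2b079e6d4799922aa05e51d017cacafcc20d77383815ee
+ metadata.gz: df732bcf03768407849220aa164adc5b05c741d3ffcaea00d80758bd936d4e65
+ data.tar.gz: d979d4a8892a101b2efbeba1fc2fd3fbeffa154d9e429aaf7a5ff73d889bbdac
  SHA512:
- metadata.gz: efd8e608dfeafc5d7e7fcd06274b0b8ed0c640744ab9d8113597bef916f31666cbf518b1dcd6869d7af42fbcbaf15a6a4cf8100b97fcbf52f5ba790e495e26c0
- data.tar.gz: dcc504641e1c22b24a05c76534e2f8ba7a7fd5ff1b5f891eb467d23876c60900ef235d2dd4ba49af4352b23ffd1cd246c720aff79668244b6a10cec3aab8ed6f
+ metadata.gz: be8e613fe594063d0921ee9e971c43522cf4d434ef1ae958a15a20cb9cf07d74180803323c90cafe9ac1cb9c09377110d3757f4b4a0b91774401fe09dff1da40
+ data.tar.gz: 47471941c3192cfff7e3fc1d2442a2c5106334a192cede9e8aa432ce7c7906eeb369ad528989932e33e6fdae02853c37c90609be47ce1b256634af9d6455d379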
@@ -1,6 +1,9 @@
1
1
  name: Build + Test
2
2
  on: [pull_request, push]
3
3
 
4
+ permissions:
5
+ contents: read
6
+
4
7
  jobs:
5
8
  build:
6
9
  name: Build + Test
@@ -10,15 +13,13 @@ jobs:
10
13
  ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
11
14
 
12
15
  steps:
13
- - uses: actions/checkout@v3
16
+ - uses: actions/checkout@v4
14
17
  - name: Set up Ruby ${{ matrix.ruby }}
15
- uses: ruby/setup-ruby@v1
18
+ uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 #v1.190.0 tag
16
19
  with:
17
20
  ruby-version: ${{ matrix.ruby }}
21
+ bundler-cache: true
18
22
  - name: Build and test with Rake
19
23
  run: |
20
- gem install bundler
21
- bundle install --jobs 4 --retry 3 --without guard
22
- bundle exec rspec spec
23
24
  bundle exec rubocop
24
-
25
+ bundle exec rspec spec
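Review bot: `actions/checkout@v4` on the replaced line is still a floating tag, while `ruby/setup-ruby` two lines below is now pinned to a full commit SHA with the tag recorded in a trailing comment, so the workflow pins one third-party action and leaves the other mutable. Pin checkout the same way, `- uses: actions/checkout@<checkout-v4-commit-sha> # v4`, replacing the placeholder with the SHA of the v4 release you verified. Separately, `bundler-cache: true` stands in for the removed `bundle install --jobs 4 --retry 3 --without guard`, and nothing in the hunk carries the `--without guard` exclusion forward; if that group must stay excluded, set it through the environment (`env: BUNDLE_WITHOUT: guard`) or confirm the omission is intended. The earlier hunk of this file that adds `permissions: contents: read` raises nothing.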
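--- a/data/README.md
+++ b/data/README.md
@@ -105,7 +105,7 @@ X-Content-Type-Options: nosniff
  X-Download-Options: noopen
  X-Frame-Options: sameorigin
  X-Permitted-Cross-Domain-Policies: none
- X-Xss-Protection: 1; mode=block
+ X-Xss-Protection: 0
  ```
 
  ## API configurations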
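--- a/docs/upgrading-to-7-0.md
+++ b/docs/upgrading-to-7-0.md
@@ -0,0 +1,12 @@
+ ## X-Xss-Protection is set to 0 by default
+
+ Version 6 and below of `secure_headers` set the `X-Xss-Protection` to `1; mode=block` by default. This was done to protect against reflected XSS attacks. However, this header is no longer recommended (see https://github.com/github/secure_headers/issues/439 for more information).
+
+ If any functionality in your app depended on this header being set to the previous value, you will need to set it explicitly in your configuration.
+
+ ```ruby
+ # config/initializers/secure_headers.rb
+ SecureHeaders::Configuration.default do |config|
+ config.x_xss_protection = "1; mode=block"
+ end
+ ```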
@@ -3,7 +3,7 @@ module SecureHeaders
3
3
  class XXssProtectionConfigError < StandardError; end
4
4
  class XXssProtection
5
5
  HEADER_NAME = "X-XSS-Protection".freeze
6
- DEFAULT_VALUE = "1; mode=block"
6
+ DEFAULT_VALUE = "0".freeze
7
7
  VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
8
8
 
9
9
  class << self
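Review bot: The new `DEFAULT_VALUE = "0".freeze` carries no comment saying why the default moved away from `1; mode=block`, and this constant is the first place a maintainer will look before being tempted to flip it back; add `# "0" disables the legacy browser XSS auditor; "1; mode=block" is no longer recommended, see docs/upgrading-to-7-0.md` directly above the line. `VALID_X_XSS_HEADER` on the following line is unchanged and still accepts `1; mode=block` and a free-form `report=` value, so applications that follow the upgrade note and set the old value explicitly continue to pass validation, which is worth stating in that same comment. The `.freeze` is redundant only if the file opens with `# frozen_string_literal: true`, which lies outside the hunk; `HEADER_NAME` on the line above freezes as well, so the two are at least consistent. The `XXssProtection` class body continues past the hunk, with `class << self` opening on its last line.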
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.7.0"
4
+ VERSION = "7.0.0"
5
5
  end
@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
13
13
  gem.description = 'Add easily configured security headers to responses
14
14
  including content-security-policy, x-frame-options,
15
15
  strict-transport-security, etc.'
16
- gem.homepage = "https://github.com/twitter/secureheaders"
16
+ gem.homepage = "https://github.com/github/secure_headers"
17
17
  gem.license = "MIT"
18
18
  gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
19
19
  gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
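--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: secure_headers
  version: !ruby/object:Gem::Version
- version: 6.7.0
+ version: 7.0.0
  platform: ruby
  authors:
  - Neil Matatall
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2024-08-09 00:00:00.000000000 Z
+ date: 2024-10-16 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -61,6 +61,7 @@ files:
  - docs/upgrading-to-4-0.md
  - docs/upgrading-to-5-0.md
  - docs/upgrading-to-6-0.md
+ - docs/upgrading-to-7-0.md
  - lib/secure_headers.rb
  - lib/secure_headers/configuration.rb
  - lib/secure_headers/hash_helper.rb
@@ -101,7 +102,7 @@ files:
  - spec/lib/secure_headers/view_helpers_spec.rb
  - spec/lib/secure_headers_spec.rb
  - spec/spec_helper.rb
- homepage: https://github.com/twitter/secureheaders
+ homepage: https://github.com/github/secure_headers
  licenses:
  - MIT
  metadata: {}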