secure_headers 6.7.0 → 7.1.0

Files changed (59)
  1. checksums.yaml +4 -4
  2. data/README.md +13 -13
  3. data/lib/secure_headers/configuration.rb +1 -1
  4. data/lib/secure_headers/headers/clear_site_data.rb +4 -4
  5. data/lib/secure_headers/headers/content_security_policy.rb +2 -2
  6. data/lib/secure_headers/headers/content_security_policy_config.rb +2 -2
  7. data/lib/secure_headers/headers/expect_certificate_transparency.rb +2 -2
  8. data/lib/secure_headers/headers/policy_management.rb +2 -2
  9. data/lib/secure_headers/headers/referrer_policy.rb +1 -1
  10. data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
  11. data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
  12. data/lib/secure_headers/headers/x_download_options.rb +2 -2
  13. data/lib/secure_headers/headers/x_frame_options.rb +1 -1
  14. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -2
  15. data/lib/secure_headers/headers/x_xss_protection.rb +2 -2
  16. data/lib/secure_headers/railtie.rb +5 -5
  17. data/lib/secure_headers/version.rb +1 -1
  18. data/secure_headers.gemspec +14 -4
  19. metadata +15 -63
  20. data/.github/ISSUE_TEMPLATE.md +0 -41
  21. data/.github/PULL_REQUEST_TEMPLATE.md +0 -20
  22. data/.github/dependabot.yml +0 -6
  23. data/.github/workflows/build.yml +0 -24
  24. data/.github/workflows/github-release.yml +0 -28
  25. data/.gitignore +0 -13
  26. data/.rspec +0 -3
  27. data/.rubocop.yml +0 -4
  28. data/.ruby-gemset +0 -1
  29. data/.ruby-version +0 -1
  30. data/CODE_OF_CONDUCT.md +0 -46
  31. data/CONTRIBUTING.md +0 -41
  32. data/Guardfile +0 -13
  33. data/Rakefile +0 -32
  34. data/docs/cookies.md +0 -65
  35. data/docs/hashes.md +0 -64
  36. data/docs/named_overrides_and_appends.md +0 -104
  37. data/docs/per_action_configuration.md +0 -139
  38. data/docs/sinatra.md +0 -25
  39. data/docs/upgrading-to-3-0.md +0 -42
  40. data/docs/upgrading-to-4-0.md +0 -35
  41. data/docs/upgrading-to-5-0.md +0 -15
  42. data/docs/upgrading-to-6-0.md +0 -50
  43. data/spec/lib/secure_headers/configuration_spec.rb +0 -121
  44. data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +0 -87
  45. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +0 -215
  46. data/spec/lib/secure_headers/headers/cookie_spec.rb +0 -179
  47. data/spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb +0 -42
  48. data/spec/lib/secure_headers/headers/policy_management_spec.rb +0 -265
  49. data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +0 -91
  50. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +0 -33
  51. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +0 -31
  52. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +0 -29
  53. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +0 -36
  54. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +0 -48
  55. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +0 -47
  56. data/spec/lib/secure_headers/middleware_spec.rb +0 -117
  57. data/spec/lib/secure_headers/view_helpers_spec.rb +0 -192
  58. data/spec/lib/secure_headers_spec.rb +0 -516
  59. data/spec/spec_helper.rb +0 -64
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6919954e57f87c70a4fa42baa5285649bd7484ec6785894a2b461b6f52558f29
4
- data.tar.gz: 710492a0e64a47f41f2b079e6d4799922aa05e51d017cacafcc20d77383815ee
3
+ metadata.gz: 484062b599a7d8ca3ad93c0b91bd6f88b9f80eb7b3f5106fbb4b94b0ae7a82f9
4
+ data.tar.gz: 68c9dc56b62c0d0c77f166e08ae24e6f13dadcda1a9ebaff8b18e4dad0177fa9
5
5
  SHA512:
6
- metadata.gz: efd8e608dfeafc5d7e7fcd06274b0b8ed0c640744ab9d8113597bef916f31666cbf518b1dcd6869d7af42fbcbaf15a6a4cf8100b97fcbf52f5ba790e495e26c0
7
- data.tar.gz: dcc504641e1c22b24a05c76534e2f8ba7a7fd5ff1b5f891eb467d23876c60900ef235d2dd4ba49af4352b23ffd1cd246c720aff79668244b6a10cec3aab8ed6f
6
+ metadata.gz: 63969aa532b3aa321b2e848764e1ddcbbd9e36fc57bd0e2d98bb4f8ede7c94e32ec6d2aef3f81581d99c1bc623c108d159be635e8df238390304077360fa6f9f
7
+ data.tar.gz: fbc1a3a713680ac487ad16185176ebb5cbdce5416bdd9e765faf0757aa0c10a8ef71b825225bfaf40a66c16ce955edacb2deeedc910e14264bd5b8469be8805d
data/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
2
2
 
3
- **main branch represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
3
+ **main branch represents 7.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), [upgrading to 6.x doc](docs/upgrading-to-6-0.md) or [upgrading to 7.x doc](docs/upgrading-to-7-0.md) for instructions on how to upgrade. Bug fixes should go in the `6.x` branch for now.
4
4
 
5
5
  The gem will automatically apply several headers that are related to security. This includes:
6
6
  - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](https://www.w3.org/TR/CSP2/)
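Review bot: the rewritten line 3 links `docs/upgrading-to-7-0.md` (and the 4.x/5.x/6.x docs) with repository-relative paths, but the gemspec hunk in this same release narrows `gem.files` to `bin/`, `lib/`, `README.md`, `CHANGELOG.md`, `LICENSE`, `Gemfile` and the gemspec, so the README shipped inside the gem will have four dangling links. Either use absolute GitHub URLs for the upgrade docs or keep `docs/` in the package. The file list on this page shows no `docs/upgrading-to-7-0.md`, so also confirm that file actually exists in the repository.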
@@ -11,11 +11,11 @@ The gem will automatically apply several headers that are related to security.
11
11
  - X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
12
12
  - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
13
13
  - X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
14
- - X-Download-Options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
15
- - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
16
- - Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
17
- - Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
18
- - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
14
+ - x-download-options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
15
+ - x-permitted-cross-domain-policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
16
+ - referrer-policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
17
+ - expect-ct - Only use certificates that are present in the certificate transparency logs. [expect-ct draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
18
+ - clear-site-data - Clearing browser data for origin. [clear-site-data specification](https://w3c.github.io/webappsec-clear-site-data/).
19
19
 
20
20
  It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
21
21
 
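Review bot: the list now mixes two conventions: the unchanged context lines 11 to 13 keep `X-Frame-Options`, `X-XSS-Protection` and `X-Content-Type-Options` capitalized while the rewritten lines 14 to 18 lowercase the remaining names. The rewrite also lowercases the titles of the linked documents (`expect-ct draft specification`, `clear-site-data specification`), which are document names rather than header names. Either lowercase the whole list or leave the prose and link titles as they were.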
@@ -99,13 +99,13 @@ end
99
99
  All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:
100
100
 
101
101
  ```
102
- Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
103
- Strict-Transport-Security: max-age=631138519
104
- X-Content-Type-Options: nosniff
105
- X-Download-Options: noopen
106
- X-Frame-Options: sameorigin
107
- X-Permitted-Cross-Domain-Policies: none
108
- X-Xss-Protection: 1; mode=block
102
+ content-security-policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
103
+ strict-transport-security: max-age=631138519
104
+ x-content-type-options: nosniff
105
+ x-download-options: noopen
106
+ x-frame-options: sameorigin
107
+ x-permitted-cross-domain-policies: none
108
+ x-xss-protection: 0
109
109
  ```
110
110
 
111
111
  ## API configurations
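Review bot: line 108 changes the documented default from `X-Xss-Protection: 1; mode=block` to `x-xss-protection: 0` inside a hunk that is otherwise a case-only rewrite, so the behavioural change is easy to overlook. It matches the new `DEFAULT_VALUE` in `x_xss_protection.rb`, but an application relying on the documented default now sends a value that disables the legacy filter; make sure the CHANGELOG and the 7.x upgrade doc state this explicitly rather than leaving it to the header table.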
@@ -256,7 +256,7 @@ module SecureHeaders
256
256
  end
257
257
  end
258
258
 
259
- # Configures the Content-Security-Policy-Report-Only header. `new_csp` cannot
259
+ # Configures the content-security-policy-report-only header. `new_csp` cannot
260
260
  # contain `report_only: false` or an error will be raised.
261
261
  #
262
262
  # NOTE: if csp has not been configured/has the default value when
data/lib/secure_headers/headers/clear_site_data.rb CHANGED
@@ -2,7 +2,7 @@
2
2
  module SecureHeaders
3
3
  class ClearSiteDataConfigError < StandardError; end
4
4
  class ClearSiteData
5
- HEADER_NAME = "Clear-Site-Data".freeze
5
+ HEADER_NAME = "clear-site-data".freeze
6
6
 
7
7
  # Valid `types`
8
8
  CACHE = "cache".freeze
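Review bot: lowercasing `HEADER_NAME` on line 5 changes the key under which this header is written into the response headers, and the same rename is applied to every other `HEADER_NAME` constant in this release. Any caller or spec that reads the header back by its old mixed-case name from a plain Hash will now get `nil`; confirm that the Rack versions this release supports normalize header-name case (or that lookups go through a case-insensitive accessor), and record the rename in the 7.x upgrade doc since it is observable to middleware that inspects `headers`.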
@@ -12,7 +12,7 @@ module SecureHeaders
12
12
  ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
13
13
 
14
14
  class << self
15
- # Public: make an Clear-Site-Data header name, value pair
15
+ # Public: make an clear-site-data header name, value pair
16
16
  #
17
17
  # Returns nil if not configured, returns header name and value if configured.
18
18
  def make_header(config = nil, user_agent = nil)
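Review bot: style only, but since line 15 is being touched anyway, "make an clear-site-data header" should read "make a clear-site-data header"; the article was already wrong before the rename.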
@@ -39,8 +39,8 @@ module SecureHeaders
39
39
  end
40
40
  end
41
41
 
42
- # Public: Transform a Clear-Site-Data config (an Array of Strings) into a
43
- # String that can be used as the value for the Clear-Site-Data header.
42
+ # Public: Transform a clear-site-data config (an Array of Strings) into a
43
+ # String that can be used as the value for the clear-site-data header.
44
44
  #
45
45
  # types - An Array of String of types of data to clear.
46
46
  #
data/lib/secure_headers/headers/content_security_policy.rb CHANGED
@@ -26,8 +26,8 @@ module SecureHeaders
26
26
  end
27
27
 
28
28
  ##
29
- # Returns the name to use for the header. Either "Content-Security-Policy" or
30
- # "Content-Security-Policy-Report-Only"
29
+ # Returns the name to use for the header. Either "content-security-policy" or
30
+ # "content-security-policy-report-only"
31
31
  def name
32
32
  @config.class.const_get(:HEADER_NAME)
33
33
  end
data/lib/secure_headers/headers/content_security_policy_config.rb CHANGED
@@ -78,7 +78,7 @@ module SecureHeaders
78
78
 
79
79
  class ContentSecurityPolicyConfigError < StandardError; end
80
80
  class ContentSecurityPolicyConfig
81
- HEADER_NAME = "Content-Security-Policy".freeze
81
+ HEADER_NAME = "content-security-policy".freeze
82
82
 
83
83
  ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
84
84
  def self.attrs
@@ -107,7 +107,7 @@ module SecureHeaders
107
107
  end
108
108
 
109
109
  class ContentSecurityPolicyReportOnlyConfig < ContentSecurityPolicyConfig
110
- HEADER_NAME = "Content-Security-Policy-Report-Only".freeze
110
+ HEADER_NAME = "content-security-policy-report-only".freeze
111
111
 
112
112
  def report_only?
113
113
  true
data/lib/secure_headers/headers/expect_certificate_transparency.rb CHANGED
@@ -3,14 +3,14 @@ module SecureHeaders
3
3
  class ExpectCertificateTransparencyConfigError < StandardError; end
4
4
 
5
5
  class ExpectCertificateTransparency
6
- HEADER_NAME = "Expect-CT".freeze
6
+ HEADER_NAME = "expect-ct".freeze
7
7
  INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
8
8
  INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
9
9
  REQUIRED_MAX_AGE_ERROR = "max-age is a required directive.".freeze
10
10
  INVALID_MAX_AGE_ERROR = "max-age must be a number.".freeze
11
11
 
12
12
  class << self
13
- # Public: Generate a Expect-CT header.
13
+ # Public: Generate a expect-ct header.
14
14
  #
15
15
  # Returns nil if not configured, returns header name and value if
16
16
  # configured.
data/lib/secure_headers/headers/policy_management.rb CHANGED
@@ -98,9 +98,9 @@ module SecureHeaders
98
98
 
99
99
  # Experimental directives - these vary greatly in support
100
100
  # See MDN for details.
101
- # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
101
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-security-policy/trusted-types
102
102
  TRUSTED_TYPES = :trusted_types
103
- # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for
103
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-security-policy/require-trusted-types-for
104
104
  REQUIRE_TRUSTED_TYPES_FOR = :require_trusted_types_for
105
105
 
106
106
  DIRECTIVES_EXPERIMENTAL = [
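Review bot: lines 101 and 103 rewrite the path segment of two MDN documentation URLs from `Content-Security-Policy` to `content-security-policy`. These are links, not header names, so the blanket case change gains nothing and may break them. Revert the two URLs and restrict the find-and-replace to the Ruby string literals and the README header list.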
data/lib/secure_headers/headers/referrer_policy.rb CHANGED
@@ -2,7 +2,7 @@
2
2
  module SecureHeaders
3
3
  class ReferrerPolicyConfigError < StandardError; end
4
4
  class ReferrerPolicy
5
- HEADER_NAME = "Referrer-Policy".freeze
5
+ HEADER_NAME = "referrer-policy".freeze
6
6
  DEFAULT_VALUE = "origin-when-cross-origin"
7
7
  VALID_POLICIES = %w(
8
8
  no-referrer
data/lib/secure_headers/headers/strict_transport_security.rb CHANGED
@@ -3,7 +3,7 @@ module SecureHeaders
3
3
  class STSConfigError < StandardError; end
4
4
 
5
5
  class StrictTransportSecurity
6
- HEADER_NAME = "Strict-Transport-Security".freeze
6
+ HEADER_NAME = "strict-transport-security".freeze
7
7
  HSTS_MAX_AGE = "631138519"
8
8
  DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
9
9
  VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
data/lib/secure_headers/headers/x_content_type_options.rb CHANGED
@@ -3,7 +3,7 @@ module SecureHeaders
3
3
  class XContentTypeOptionsConfigError < StandardError; end
4
4
 
5
5
  class XContentTypeOptions
6
- HEADER_NAME = "X-Content-Type-Options".freeze
6
+ HEADER_NAME = "x-content-type-options".freeze
7
7
  DEFAULT_VALUE = "nosniff"
8
8
 
9
9
  class << self
data/lib/secure_headers/headers/x_download_options.rb CHANGED
@@ -2,11 +2,11 @@
2
2
  module SecureHeaders
3
3
  class XDOConfigError < StandardError; end
4
4
  class XDownloadOptions
5
- HEADER_NAME = "X-Download-Options".freeze
5
+ HEADER_NAME = "x-download-options".freeze
6
6
  DEFAULT_VALUE = "noopen"
7
7
 
8
8
  class << self
9
- # Public: generate an X-Download-Options header.
9
+ # Public: generate an x-download-options header.
10
10
  #
11
11
  # Returns a default header if no configuration is provided, or a
12
12
  # header name and value based on the config.
data/lib/secure_headers/headers/x_frame_options.rb CHANGED
@@ -2,7 +2,7 @@
2
2
  module SecureHeaders
3
3
  class XFOConfigError < StandardError; end
4
4
  class XFrameOptions
5
- HEADER_NAME = "X-Frame-Options".freeze
5
+ HEADER_NAME = "x-frame-options".freeze
6
6
  SAMEORIGIN = "sameorigin"
7
7
  DENY = "deny"
8
8
  ALLOW_FROM = "allow-from"
data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb CHANGED
@@ -2,12 +2,12 @@
2
2
  module SecureHeaders
3
3
  class XPCDPConfigError < StandardError; end
4
4
  class XPermittedCrossDomainPolicies
5
- HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
5
+ HEADER_NAME = "x-permitted-cross-domain-policies".freeze
6
6
  DEFAULT_VALUE = "none"
7
7
  VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
8
8
 
9
9
  class << self
10
- # Public: generate an X-Permitted-Cross-Domain-Policies header.
10
+ # Public: generate an x-permitted-cross-domain-policies header.
11
11
  #
12
12
  # Returns a default header if no configuration is provided, or a
13
13
  # header name and value based on the config.
data/lib/secure_headers/headers/x_xss_protection.rb CHANGED
@@ -2,8 +2,8 @@
2
2
  module SecureHeaders
3
3
  class XXssProtectionConfigError < StandardError; end
4
4
  class XXssProtection
5
- HEADER_NAME = "X-XSS-Protection".freeze
6
- DEFAULT_VALUE = "1; mode=block"
5
+ HEADER_NAME = "x-xss-protection".freeze
6
+ DEFAULT_VALUE = "0".freeze
7
7
  VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
8
8
 
9
9
  class << self
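Review bot: line 6 flips `DEFAULT_VALUE` from `"1; mode=block"` to `"0"`, a functional change to what every application sends by default, bundled into the case-rename hunk. `VALID_X_XSS_HEADER` on line 7 still accepts the old value, so explicit configurations keep working, but applications that never set `x_xss_protection` change behaviour silently on upgrade. Call this out in the CHANGELOG and upgrade doc, and confirm the default is covered by an updated spec (this page shows `spec/lib/secure_headers/headers/x_xss_protection_spec.rb` being dropped from the package, so the spec change is not visible here).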
data/lib/secure_headers/railtie.rb CHANGED
@@ -4,11 +4,11 @@ if defined?(Rails::Railtie)
4
4
  module SecureHeaders
5
5
  class Railtie < Rails::Railtie
6
6
  isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
7
- conflicting_headers = ["X-Frame-Options", "X-XSS-Protection",
8
- "X-Permitted-Cross-Domain-Policies", "X-Download-Options",
9
- "X-Content-Type-Options", "Strict-Transport-Security",
10
- "Content-Security-Policy", "Content-Security-Policy-Report-Only",
11
- "Public-Key-Pins", "Public-Key-Pins-Report-Only", "Referrer-Policy"]
7
+ conflicting_headers = ["x-frame-options", "x-xss-protection",
8
+ "x-permitted-cross-domain-policies", "x-download-options",
9
+ "x-content-type-options", "strict-transport-security",
10
+ "content-security-policy", "content-security-policy-report-only",
11
+ "public-key-pins", "public-key-pins-report-only", "referrer-policy"]
12
12
 
13
13
  initializer "secure_headers.middleware" do
14
14
  Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware
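Review bot: `conflicting_headers` is now all lowercase, but the code that compares this list against the headers Rails sets on its own is not in this hunk. If that comparison is a plain string match against keys such as `"X-Frame-Options"`, the conflict check silently stops matching after this change and a duplicated header would go unreported. Confirm the comparison normalizes case on both sides (for example via `casecmp?` or by lowercasing the Rails keys first), and add a spec with a mixed-case Rails default header so the regression is caught.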
data/lib/secure_headers/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.7.0"
4
+ VERSION = "7.1.0"
5
5
  end
data/secure_headers.gemspec CHANGED
@@ -13,11 +13,21 @@ Gem::Specification.new do |gem|
13
13
  gem.description = 'Add easily configured security headers to responses
14
14
  including content-security-policy, x-frame-options,
15
15
  strict-transport-security, etc.'
16
- gem.homepage = "https://github.com/twitter/secureheaders"
16
+ gem.homepage = "https://github.com/github/secure_headers"
17
+ gem.metadata = {
18
+ "bug_tracker_uri" => "https://github.com/github/secure_headers/issues",
19
+ "changelog_uri" => "https://github.com/github/secure_headers/blob/master/CHANGELOG.md",
20
+ "documentation_uri" => "https://rubydoc.info/gems/secure_headers",
21
+ "homepage_uri" => gem.homepage,
22
+ "source_code_uri" => "https://github.com/github/secure_headers",
23
+ "rubygems_mfa_required" => "true",
24
+ }
17
25
  gem.license = "MIT"
18
- gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
19
- gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
20
- gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
26
+
27
+ gem.files = Dir["bin/**/*", "lib/**/*", "README.md", "CHANGELOG.md", "LICENSE", "Gemfile", "secure_headers.gemspec"]
21
28
  gem.require_paths = ["lib"]
29
+
30
+ gem.extra_rdoc_files = Dir["README.md", "CHANGELOG.md", "LICENSE"]
31
+
22
32
  gem.add_development_dependency "rake"
23
33
  end
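Review bot: `changelog_uri` on line 19 points at `blob/master/CHANGELOG.md`, while the README hunk in this release states that the `main` branch carries the 7.x line; if the repository has no `master` branch the link shown on rubygems.org will 404. Use `main` or a tag-pinned URL. The rest of the hunk is a clear improvement: `"rubygems_mfa_required" => "true"` requires MFA for publishing, and replacing `git ls-files` with an explicit `Dir[...]` whitelist makes the package contents independent of the checkout state, which is why the `.github/`, `docs/` and `spec/` files appear as deleted further down this page. `Gemfile` is in the whitelist but is not needed at runtime and could be dropped.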
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.7.0
4
+ version: 7.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-08-09 00:00:00.000000000 Z
11
+ date: 2024-12-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -32,35 +32,15 @@ email:
32
32
  - neil.matatall@gmail.com
33
33
  executables: []
34
34
  extensions: []
35
- extra_rdoc_files: []
35
+ extra_rdoc_files:
36
+ - README.md
37
+ - CHANGELOG.md
38
+ - LICENSE
36
39
  files:
37
- - ".github/ISSUE_TEMPLATE.md"
38
- - ".github/PULL_REQUEST_TEMPLATE.md"
39
- - ".github/dependabot.yml"
40
- - ".github/workflows/build.yml"
41
- - ".github/workflows/github-release.yml"
42
- - ".gitignore"
43
- - ".rspec"
44
- - ".rubocop.yml"
45
- - ".ruby-gemset"
46
- - ".ruby-version"
47
40
  - CHANGELOG.md
48
- - CODE_OF_CONDUCT.md
49
- - CONTRIBUTING.md
50
41
  - Gemfile
51
- - Guardfile
52
42
  - LICENSE
53
43
  - README.md
54
- - Rakefile
55
- - docs/cookies.md
56
- - docs/hashes.md
57
- - docs/named_overrides_and_appends.md
58
- - docs/per_action_configuration.md
59
- - docs/sinatra.md
60
- - docs/upgrading-to-3-0.md
61
- - docs/upgrading-to-4-0.md
62
- - docs/upgrading-to-5-0.md
63
- - docs/upgrading-to-6-0.md
64
44
  - lib/secure_headers.rb
65
45
  - lib/secure_headers/configuration.rb
66
46
  - lib/secure_headers/hash_helper.rb
@@ -84,27 +64,16 @@ files:
84
64
  - lib/secure_headers/view_helper.rb
85
65
  - lib/tasks/tasks.rake
86
66
  - secure_headers.gemspec
87
- - spec/lib/secure_headers/configuration_spec.rb
88
- - spec/lib/secure_headers/headers/clear_site_data_spec.rb
89
- - spec/lib/secure_headers/headers/content_security_policy_spec.rb
90
- - spec/lib/secure_headers/headers/cookie_spec.rb
91
- - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
92
- - spec/lib/secure_headers/headers/policy_management_spec.rb
93
- - spec/lib/secure_headers/headers/referrer_policy_spec.rb
94
- - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
95
- - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
96
- - spec/lib/secure_headers/headers/x_download_options_spec.rb
97
- - spec/lib/secure_headers/headers/x_frame_options_spec.rb
98
- - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
99
- - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
100
- - spec/lib/secure_headers/middleware_spec.rb
101
- - spec/lib/secure_headers/view_helpers_spec.rb
102
- - spec/lib/secure_headers_spec.rb
103
- - spec/spec_helper.rb
104
- homepage: https://github.com/twitter/secureheaders
67
+ homepage: https://github.com/github/secure_headers
105
68
  licenses:
106
69
  - MIT
107
- metadata: {}
70
+ metadata:
71
+ bug_tracker_uri: https://github.com/github/secure_headers/issues
72
+ changelog_uri: https://github.com/github/secure_headers/blob/master/CHANGELOG.md
73
+ documentation_uri: https://rubydoc.info/gems/secure_headers
74
+ homepage_uri: https://github.com/github/secure_headers
75
+ source_code_uri: https://github.com/github/secure_headers
76
+ rubygems_mfa_required: 'true'
108
77
  post_install_message:
109
78
  rdoc_options: []
110
79
  require_paths:
@@ -124,21 +93,4 @@ rubygems_version: 3.0.3.1
124
93
  signing_key:
125
94
  specification_version: 4
126
95
  summary: Manages application of security headers with many safe defaults.
127
- test_files:
128
- - spec/lib/secure_headers/configuration_spec.rb
129
- - spec/lib/secure_headers/headers/clear_site_data_spec.rb
130
- - spec/lib/secure_headers/headers/content_security_policy_spec.rb
131
- - spec/lib/secure_headers/headers/cookie_spec.rb
132
- - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
133
- - spec/lib/secure_headers/headers/policy_management_spec.rb
134
- - spec/lib/secure_headers/headers/referrer_policy_spec.rb
135
- - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
136
- - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
137
- - spec/lib/secure_headers/headers/x_download_options_spec.rb
138
- - spec/lib/secure_headers/headers/x_frame_options_spec.rb
139
- - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
140
- - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
141
- - spec/lib/secure_headers/middleware_spec.rb
142
- - spec/lib/secure_headers/view_helpers_spec.rb
143
- - spec/lib/secure_headers_spec.rb
144
- - spec/spec_helper.rb
96
+ test_files: []
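Review bot: `test_files: []` together with the removal of every `spec/` entry from `files` means the published gem no longer carries its test suite. This is consistent with the gemspec whitelist, but downstream packagers that run the specs from the gem tarball will notice, so it belongs in the CHANGELOG alongside the header-name and X-XSS-Protection default changes.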
data/.github/ISSUE_TEMPLATE.md DELETED
@@ -1,41 +0,0 @@
1
- # Feature Requests
2
-
3
- ## Adding a new header
4
-
5
- Generally, adding a new header is always OK.
6
-
7
- * Is the header supported by any user agent? If so, which?
8
- * What does it do?
9
- * What are the valid values for the header?
10
- * Where does the specification live?
11
-
12
- ## Adding a new CSP directive
13
-
14
- * Is the directive supported by any user agent? If so, which?
15
- * What does it do?
16
- * What are the valid values for the directive?
17
-
18
- ---
19
-
20
- # Bugs
21
-
22
- Console errors and deprecation warnings are considered bugs that should be addressed with more precise UA sniffing. Bugs caused by incorrect or invalid UA sniffing are also bugs.
23
-
24
- ### Expected outcome
25
-
26
- Describe what you expected to happen
27
-
28
- 1. I configure CSP to do X
29
- 1. When I inspect the response headers, the CSP should have included X
30
-
31
- ### Actual outcome
32
-
33
- 1. The generated policy did not include X
34
-
35
- ### Config
36
-
37
- Please provide the configuration (`SecureHeaders::Configuration.default`) you are using including any overrides (`SecureHeaders::Configuration.override`).
38
-
39
- ### Generated headers
40
-
41
- Provide a sample response containing the headers
data/.github/PULL_REQUEST_TEMPLATE.md DELETED
@@ -1,20 +0,0 @@
1
- ## All PRs:
2
-
3
- * [ ] Has tests
4
- * [ ] Documentation updated
5
-
6
- ## Adding a new header
7
-
8
- Generally, adding a new header is always OK.
9
-
10
- * Is the header supported by any user agent? If so, which?
11
- * What does it do?
12
- * What are the valid values for the header?
13
- * Where does the specification live?
14
-
15
- ## Adding a new CSP directive
16
-
17
- * Is the directive supported by any user agent? If so, which?
18
- * What does it do?
19
- * What are the valid values for the directive?
20
-
data/.github/dependabot.yml DELETED
@@ -1,6 +0,0 @@
1
- version: 2
2
- updates:
3
- - package-ecosystem: "github-actions"
4
- directory: "/"
5
- schedule:
6
- interval: "weekly"
data/.github/workflows/build.yml DELETED
@@ -1,24 +0,0 @@
1
- name: Build + Test
2
- on: [pull_request, push]
3
-
4
- jobs:
5
- build:
6
- name: Build + Test
7
- runs-on: ubuntu-latest
8
- strategy:
9
- matrix:
10
- ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
11
-
12
- steps:
13
- - uses: actions/checkout@v3
14
- - name: Set up Ruby ${{ matrix.ruby }}
15
- uses: ruby/setup-ruby@v1
16
- with:
17
- ruby-version: ${{ matrix.ruby }}
18
- - name: Build and test with Rake
19
- run: |
20
- gem install bundler
21
- bundle install --jobs 4 --retry 3 --without guard
22
- bundle exec rspec spec
23
- bundle exec rubocop
24
-
data/.github/workflows/github-release.yml DELETED
@@ -1,28 +0,0 @@
1
- name: GitHub Release
2
-
3
- on:
4
- push:
5
- tags:
6
- - v*
7
-
8
- jobs:
9
- Publish:
10
- permissions:
11
- contents: write
12
- runs-on: ubuntu-latest
13
- if: startsWith(github.ref, 'refs/tags/v')
14
- steps:
15
- - name: Calculate release name
16
- run: |
17
- GITHUB_REF=${{ github.ref }}
18
- RELEASE_NAME=${GITHUB_REF#"refs/tags/"}
19
- echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV
20
- - name: Publish release
21
- uses: actions/create-release@v1
22
- env:
23
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
24
- with:
25
- tag_name: ${{ github.ref }}
26
- release_name: ${{ env.RELEASE_NAME }}
27
- draft: false
28
- prerelease: false
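Review bot: this removal, like the other `.github/` hunks, only excludes the file from the packaged gem (per the gemspec whitelist); the workflow itself stays in the repository. While it is on screen: line 17 interpolates `${{ github.ref }}` directly into a `run:` shell script. The same value is already exported to the step as the `GITHUB_REF` environment variable, so reading that instead avoids passing an expression through shell parsing and is the safer pattern for any future workflow edits.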
data/.gitignore DELETED
@@ -1,13 +0,0 @@
1
- *.gem
2
- *.DS_STORE
3
- *.rbc
4
- .bundle
5
- .config
6
- .yardoc
7
- *.log
8
- Gemfile.lock
9
- _yardoc
10
- coverage
11
- pkg
12
- rdoc
13
- spec/reports
data/.rspec DELETED
@@ -1,3 +0,0 @@
1
- --order rand
2
- --warnings
3
- --format progress
data/.rubocop.yml DELETED
@@ -1,4 +0,0 @@
1
- inherit_gem:
2
- rubocop-github:
3
- - config/default.yml
4
- require: rubocop-performance
data/.ruby-gemset DELETED
@@ -1 +0,0 @@
1
- secureheaders
data/.ruby-version DELETED
@@ -1 +0,0 @@
1
- 3.1.1
data/CODE_OF_CONDUCT.md DELETED
@@ -1,46 +0,0 @@
1
- # Contributor Covenant Code of Conduct
2
-
3
- ## Our Pledge
4
-
5
- In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
6
-
7
- ## Our Standards
8
-
9
- Examples of behavior that contributes to creating a positive environment include:
10
-
11
- * Using welcoming and inclusive language
12
- * Being respectful of differing viewpoints and experiences
13
- * Gracefully accepting constructive criticism
14
- * Focusing on what is best for the community
15
- * Showing empathy towards other community members
16
-
17
- Examples of unacceptable behavior by participants include:
18
-
19
- * The use of sexualized language or imagery and unwelcome sexual attention or advances
20
- * Trolling, insulting/derogatory comments, and personal or political attacks
21
- * Public or private harassment
22
- * Publishing others' private information, such as a physical or electronic address, without explicit permission
23
- * Other conduct which could reasonably be considered inappropriate in a professional setting
24
-
25
- ## Our Responsibilities
26
-
27
- Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
28
-
29
- Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
30
-
31
- ## Scope
32
-
33
- This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
34
-
35
- ## Enforcement
36
-
37
- Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at neil.matatall@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
38
-
39
- Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
40
-
41
- ## Attribution
42
-
43
- This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
44
-
45
- [homepage]: http://contributor-covenant.org
46
- [version]: http://contributor-covenant.org/version/1/4/