secure_headers 6.7.0 → 7.1.0
- checksums.yaml +4 -4
- data/README.md +13 -13
- data/lib/secure_headers/configuration.rb +1 -1
- data/lib/secure_headers/headers/clear_site_data.rb +4 -4
- data/lib/secure_headers/headers/content_security_policy.rb +2 -2
- data/lib/secure_headers/headers/content_security_policy_config.rb +2 -2
- data/lib/secure_headers/headers/expect_certificate_transparency.rb +2 -2
- data/lib/secure_headers/headers/policy_management.rb +2 -2
- data/lib/secure_headers/headers/referrer_policy.rb +1 -1
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
- data/lib/secure_headers/headers/x_download_options.rb +2 -2
- data/lib/secure_headers/headers/x_frame_options.rb +1 -1
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -2
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -2
- data/lib/secure_headers/railtie.rb +5 -5
- data/lib/secure_headers/version.rb +1 -1
- data/secure_headers.gemspec +14 -4
- metadata +15 -63
- data/.github/ISSUE_TEMPLATE.md +0 -41
- data/.github/PULL_REQUEST_TEMPLATE.md +0 -20
- data/.github/dependabot.yml +0 -6
- data/.github/workflows/build.yml +0 -24
- data/.github/workflows/github-release.yml +0 -28
- data/.gitignore +0 -13
- data/.rspec +0 -3
- data/.rubocop.yml +0 -4
- data/.ruby-gemset +0 -1
- data/.ruby-version +0 -1
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -41
- data/Guardfile +0 -13
- data/Rakefile +0 -32
- data/docs/cookies.md +0 -65
- data/docs/hashes.md +0 -64
- data/docs/named_overrides_and_appends.md +0 -104
- data/docs/per_action_configuration.md +0 -139
- data/docs/sinatra.md +0 -25
- data/docs/upgrading-to-3-0.md +0 -42
- data/docs/upgrading-to-4-0.md +0 -35
- data/docs/upgrading-to-5-0.md +0 -15
- data/docs/upgrading-to-6-0.md +0 -50
- data/spec/lib/secure_headers/configuration_spec.rb +0 -121
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +0 -87
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +0 -215
- data/spec/lib/secure_headers/headers/cookie_spec.rb +0 -179
- data/spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb +0 -42
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +0 -265
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +0 -91
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +0 -33
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +0 -31
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +0 -29
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +0 -36
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +0 -48
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +0 -47
- data/spec/lib/secure_headers/middleware_spec.rb +0 -117
- data/spec/lib/secure_headers/view_helpers_spec.rb +0 -192
- data/spec/lib/secure_headers_spec.rb +0 -516
- data/spec/spec_helper.rb +0 -64
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 484062b599a7d8ca3ad93c0b91bd6f88b9f80eb7b3f5106fbb4b94b0ae7a82f9
|
4
|
+
data.tar.gz: 68c9dc56b62c0d0c77f166e08ae24e6f13dadcda1a9ebaff8b18e4dad0177fa9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 63969aa532b3aa321b2e848764e1ddcbbd9e36fc57bd0e2d98bb4f8ede7c94e32ec6d2aef3f81581d99c1bc623c108d159be635e8df238390304077360fa6f9f
|
7
|
+
data.tar.gz: fbc1a3a713680ac487ad16185176ebb5cbdce5416bdd9e765faf0757aa0c10a8ef71b825225bfaf40a66c16ce955edacb2deeedc910e14264bd5b8469be8805d
|
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
|
2
2
|
|
3
|
-
**main branch represents
|
3
|
+
**main branch represents 7.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), [upgrading to 6.x doc](docs/upgrading-to-6-0.md) or [upgrading to 7.x doc](docs/upgrading-to-7-0.md) for instructions on how to upgrade. Bug fixes should go in the `6.x` branch for now.
|
4
4
|
|
5
5
|
The gem will automatically apply several headers that are related to security. This includes:
|
6
6
|
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](https://www.w3.org/TR/CSP2/)
|
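Review bot: the rewritten line links to docs/upgrading-to-7-0.md (and to the 4.x, 5.x and 6.x docs) with relative paths, but this release stops shipping docs/ in the gem: docs/upgrading-to-3-0.md through upgrading-to-6-0.md appear as deletions further down, and the gemspec's `gem.files` is now an allowlist of bin, lib, README.md, CHANGELOG.md, LICENSE, Gemfile and the gemspec. Those links therefore only resolve when the README is read on GitHub, not from the README inside an installed gem. Consider absolute URLs under https://github.com/github/secure_headers (assuming the docs live on the main branch the README names), or say explicitly that the upgrade docs are in the repository rather than in the gem.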
@@ -11,11 +11,11 @@ The gem will automatically apply several headers that are related to security.
|
|
11
11
|
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
|
12
12
|
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
|
13
13
|
- X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
|
14
|
-
-
|
15
|
-
-
|
16
|
-
-
|
17
|
-
-
|
18
|
-
-
|
14
|
+
- x-download-options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
|
15
|
+
- x-permitted-cross-domain-policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
|
16
|
+
- referrer-policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
|
17
|
+
- expect-ct - Only use certificates that are present in the certificate transparency logs. [expect-ct draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
|
18
|
+
- clear-site-data - Clearing browser data for origin. [clear-site-data specification](https://w3c.github.io/webappsec-clear-site-data/).
|
19
19
|
|
20
20
|
It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
|
21
21
|
|
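Review bot: the bullet list now mixes casing. The five rewritten entries use lowercase names (x-download-options, x-permitted-cross-domain-policies, referrer-policy, expect-ct, clear-site-data) while the unchanged context lines keep X-Frame-Options, X-XSS-Protection and X-Content-Type-Options; pick one form for the whole list. The X-XSS-Protection bullet also still describes the header as a "heuristic filter", while the default set rewritten later in this same README change is `x-xss-protection: 0`, i.e. the filter is switched off by default; the bullet should say that. Minor wording in the cookies context line: "This is on default" should read "This is on by default".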
@@ -99,13 +99,13 @@ end
|
|
99
99
|
All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:
|
100
100
|
|
101
101
|
```
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
102
|
+
content-security-policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
|
103
|
+
strict-transport-security: max-age=631138519
|
104
|
+
x-content-type-options: nosniff
|
105
|
+
x-download-options: noopen
|
106
|
+
x-frame-options: sameorigin
|
107
|
+
x-permitted-cross-domain-policies: none
|
108
|
+
x-xss-protection: 0
|
109
109
|
```
|
110
110
|
|
111
111
|
## API configurations
|
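Review bot: the intro context line says "All headers except for PublicKeyPins and ClearSiteData have a default value", but the rewritten default set lists seven headers and has no referrer-policy or expect-ct entry, both of which the README above presents as headers the gem applies. Either add their defaults to this block or extend the exception list in the sentence so that the prose and the block agree.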
@@ -256,7 +256,7 @@ module SecureHeaders
|
|
256
256
|
end
|
257
257
|
end
|
258
258
|
|
259
|
-
# Configures the
|
259
|
+
# Configures the content-security-policy-report-only header. `new_csp` cannot
|
260
260
|
# contain `report_only: false` or an error will be raised.
|
261
261
|
#
|
262
262
|
# NOTE: if csp has not been configured/has the default value when
|
@@ -2,7 +2,7 @@
|
|
2
2
|
module SecureHeaders
|
3
3
|
class ClearSiteDataConfigError < StandardError; end
|
4
4
|
class ClearSiteData
|
5
|
-
HEADER_NAME = "
|
5
|
+
HEADER_NAME = "clear-site-data".freeze
|
6
6
|
|
7
7
|
# Valid `types`
|
8
8
|
CACHE = "cache".freeze
|
@@ -12,7 +12,7 @@ module SecureHeaders
|
|
12
12
|
ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
|
13
13
|
|
14
14
|
class << self
|
15
|
-
# Public: make an
|
15
|
+
# Public: make an clear-site-data header name, value pair
|
16
16
|
#
|
17
17
|
# Returns nil if not configured, returns header name and value if configured.
|
18
18
|
def make_header(config = nil, user_agent = nil)
|
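Review bot: wrong article in the rewritten comment: `# Public: make an clear-site-data header name, value pair` should read "make a clear-site-data header name, value pair".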
@@ -39,8 +39,8 @@ module SecureHeaders
|
|
39
39
|
end
|
40
40
|
end
|
41
41
|
|
42
|
-
# Public: Transform a
|
43
|
-
# String that can be used as the value for the
|
42
|
+
# Public: Transform a clear-site-data config (an Array of Strings) into a
|
43
|
+
# String that can be used as the value for the clear-site-data header.
|
44
44
|
#
|
45
45
|
# types - An Array of String of types of data to clear.
|
46
46
|
#
|
@@ -26,8 +26,8 @@ module SecureHeaders
|
|
26
26
|
end
|
27
27
|
|
28
28
|
##
|
29
|
-
# Returns the name to use for the header. Either "
|
30
|
-
# "
|
29
|
+
# Returns the name to use for the header. Either "content-security-policy" or
|
30
|
+
# "content-security-policy-report-only"
|
31
31
|
def name
|
32
32
|
@config.class.const_get(:HEADER_NAME)
|
33
33
|
end
|
@@ -78,7 +78,7 @@ module SecureHeaders
|
|
78
78
|
|
79
79
|
class ContentSecurityPolicyConfigError < StandardError; end
|
80
80
|
class ContentSecurityPolicyConfig
|
81
|
-
HEADER_NAME = "
|
81
|
+
HEADER_NAME = "content-security-policy".freeze
|
82
82
|
|
83
83
|
ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
|
84
84
|
def self.attrs
|
@@ -107,7 +107,7 @@ module SecureHeaders
|
|
107
107
|
end
|
108
108
|
|
109
109
|
class ContentSecurityPolicyReportOnlyConfig < ContentSecurityPolicyConfig
|
110
|
-
HEADER_NAME = "
|
110
|
+
HEADER_NAME = "content-security-policy-report-only".freeze
|
111
111
|
|
112
112
|
def report_only?
|
113
113
|
true
|
@@ -3,14 +3,14 @@ module SecureHeaders
|
|
3
3
|
class ExpectCertificateTransparencyConfigError < StandardError; end
|
4
4
|
|
5
5
|
class ExpectCertificateTransparency
|
6
|
-
HEADER_NAME = "
|
6
|
+
HEADER_NAME = "expect-ct".freeze
|
7
7
|
INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
|
8
8
|
INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
|
9
9
|
REQUIRED_MAX_AGE_ERROR = "max-age is a required directive.".freeze
|
10
10
|
INVALID_MAX_AGE_ERROR = "max-age must be a number.".freeze
|
11
11
|
|
12
12
|
class << self
|
13
|
-
# Public: Generate a
|
13
|
+
# Public: Generate a expect-ct header.
|
14
14
|
#
|
15
15
|
# Returns nil if not configured, returns header name and value if
|
16
16
|
# configured.
|
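Review bot: wrong article in the rewritten comment: `# Public: Generate a expect-ct header.` should read "Generate an expect-ct header."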
@@ -98,9 +98,9 @@ module SecureHeaders
|
|
98
98
|
|
99
99
|
# Experimental directives - these vary greatly in support
|
100
100
|
# See MDN for details.
|
101
|
-
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/
|
101
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-security-policy/trusted-types
|
102
102
|
TRUSTED_TYPES = :trusted_types
|
103
|
-
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/
|
103
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-security-policy/require-trusted-types-for
|
104
104
|
REQUIRE_TRUSTED_TYPES_FOR = :require_trusted_types_for
|
105
105
|
|
106
106
|
DIRECTIVES_EXPERIMENTAL = [
|
@@ -3,7 +3,7 @@ module SecureHeaders
|
|
3
3
|
class STSConfigError < StandardError; end
|
4
4
|
|
5
5
|
class StrictTransportSecurity
|
6
|
-
HEADER_NAME = "
|
6
|
+
HEADER_NAME = "strict-transport-security".freeze
|
7
7
|
HSTS_MAX_AGE = "631138519"
|
8
8
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
9
9
|
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
@@ -2,11 +2,11 @@
|
|
2
2
|
module SecureHeaders
|
3
3
|
class XDOConfigError < StandardError; end
|
4
4
|
class XDownloadOptions
|
5
|
-
HEADER_NAME = "
|
5
|
+
HEADER_NAME = "x-download-options".freeze
|
6
6
|
DEFAULT_VALUE = "noopen"
|
7
7
|
|
8
8
|
class << self
|
9
|
-
# Public: generate an
|
9
|
+
# Public: generate an x-download-options header.
|
10
10
|
#
|
11
11
|
# Returns a default header if no configuration is provided, or a
|
12
12
|
# header name and value based on the config.
|
@@ -2,12 +2,12 @@
|
|
2
2
|
module SecureHeaders
|
3
3
|
class XPCDPConfigError < StandardError; end
|
4
4
|
class XPermittedCrossDomainPolicies
|
5
|
-
HEADER_NAME = "
|
5
|
+
HEADER_NAME = "x-permitted-cross-domain-policies".freeze
|
6
6
|
DEFAULT_VALUE = "none"
|
7
7
|
VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
|
8
8
|
|
9
9
|
class << self
|
10
|
-
# Public: generate an
|
10
|
+
# Public: generate an x-permitted-cross-domain-policies header.
|
11
11
|
#
|
12
12
|
# Returns a default header if no configuration is provided, or a
|
13
13
|
# header name and value based on the config.
|
@@ -2,8 +2,8 @@
|
|
2
2
|
module SecureHeaders
|
3
3
|
class XXssProtectionConfigError < StandardError; end
|
4
4
|
class XXssProtection
|
5
|
-
HEADER_NAME = "
|
6
|
-
DEFAULT_VALUE = "
|
5
|
+
HEADER_NAME = "x-xss-protection".freeze
|
6
|
+
DEFAULT_VALUE = "0".freeze
|
7
7
|
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
|
8
8
|
|
9
9
|
class << self
|
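Review bot: `DEFAULT_VALUE = "0".freeze` is a replacement line, so the header the gem emits with no configuration changes in this release (the previous value is cut off in this view). Since `VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/` still accepts `1`, `; mode=block` and a `report=` directive, anyone who needs the former behaviour can set it explicitly; make sure the 7.x upgrade doc and the CHANGELOG state the new default, because it alters response headers for users who changed nothing on their side.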
@@ -4,11 +4,11 @@ if defined?(Rails::Railtie)
|
|
4
4
|
module SecureHeaders
|
5
5
|
class Railtie < Rails::Railtie
|
6
6
|
isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
|
7
|
-
conflicting_headers = ["
|
8
|
-
"
|
9
|
-
"
|
10
|
-
"
|
11
|
-
"
|
7
|
+
conflicting_headers = ["x-frame-options", "x-xss-protection",
|
8
|
+
"x-permitted-cross-domain-policies", "x-download-options",
|
9
|
+
"x-content-type-options", "strict-transport-security",
|
10
|
+
"content-security-policy", "content-security-policy-report-only",
|
11
|
+
"public-key-pins", "public-key-pins-report-only", "referrer-policy"]
|
12
12
|
|
13
13
|
initializer "secure_headers.middleware" do
|
14
14
|
Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware
|
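Review bot: `conflicting_headers` now lists eleven lowercase names but omits expect-ct and clear-site-data, both of which the README in this same diff lists among the headers the gem applies and both of which get a lowercase `HEADER_NAME` constant in the hunks above. If this list is meant to cover every header the middleware can set, add the two; otherwise a short comment on why they are excluded would save the next reader the same question.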
data/secure_headers.gemspec
CHANGED
@@ -13,11 +13,21 @@ Gem::Specification.new do |gem|
|
|
13
13
|
gem.description = 'Add easily configured security headers to responses
|
14
14
|
including content-security-policy, x-frame-options,
|
15
15
|
strict-transport-security, etc.'
|
16
|
-
gem.homepage = "https://github.com/
|
16
|
+
gem.homepage = "https://github.com/github/secure_headers"
|
17
|
+
gem.metadata = {
|
18
|
+
"bug_tracker_uri" => "https://github.com/github/secure_headers/issues",
|
19
|
+
"changelog_uri" => "https://github.com/github/secure_headers/blob/master/CHANGELOG.md",
|
20
|
+
"documentation_uri" => "https://rubydoc.info/gems/secure_headers",
|
21
|
+
"homepage_uri" => gem.homepage,
|
22
|
+
"source_code_uri" => "https://github.com/github/secure_headers",
|
23
|
+
"rubygems_mfa_required" => "true",
|
24
|
+
}
|
17
25
|
gem.license = "MIT"
|
18
|
-
|
19
|
-
gem.
|
20
|
-
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
26
|
+
|
27
|
+
gem.files = Dir["bin/**/*", "lib/**/*", "README.md", "CHANGELOG.md", "LICENSE", "Gemfile", "secure_headers.gemspec"]
|
21
28
|
gem.require_paths = ["lib"]
|
29
|
+
|
30
|
+
gem.extra_rdoc_files = Dir["README.md", "CHANGELOG.md", "LICENSE"]
|
31
|
+
|
22
32
|
gem.add_development_dependency "rake"
|
23
33
|
end
|
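Review bot: `"changelog_uri" => "https://github.com/github/secure_headers/blob/master/CHANGELOG.md"` points at a master branch, while the README in this diff states that main represents the 7.x line and the build badge uses `?branch=main`; point the URL at main, or better at the release tag, so the link matches the branch the README documents. The `gem.files` allowlist and the removal of `gem.test_files` match the deletions listed at the top of this diff, and `"rubygems_mfa_required" => "true"` is a welcome addition.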
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 7.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-12-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -32,35 +32,15 @@ email:
|
|
32
32
|
- neil.matatall@gmail.com
|
33
33
|
executables: []
|
34
34
|
extensions: []
|
35
|
-
extra_rdoc_files:
|
35
|
+
extra_rdoc_files:
|
36
|
+
- README.md
|
37
|
+
- CHANGELOG.md
|
38
|
+
- LICENSE
|
36
39
|
files:
|
37
|
-
- ".github/ISSUE_TEMPLATE.md"
|
38
|
-
- ".github/PULL_REQUEST_TEMPLATE.md"
|
39
|
-
- ".github/dependabot.yml"
|
40
|
-
- ".github/workflows/build.yml"
|
41
|
-
- ".github/workflows/github-release.yml"
|
42
|
-
- ".gitignore"
|
43
|
-
- ".rspec"
|
44
|
-
- ".rubocop.yml"
|
45
|
-
- ".ruby-gemset"
|
46
|
-
- ".ruby-version"
|
47
40
|
- CHANGELOG.md
|
48
|
-
- CODE_OF_CONDUCT.md
|
49
|
-
- CONTRIBUTING.md
|
50
41
|
- Gemfile
|
51
|
-
- Guardfile
|
52
42
|
- LICENSE
|
53
43
|
- README.md
|
54
|
-
- Rakefile
|
55
|
-
- docs/cookies.md
|
56
|
-
- docs/hashes.md
|
57
|
-
- docs/named_overrides_and_appends.md
|
58
|
-
- docs/per_action_configuration.md
|
59
|
-
- docs/sinatra.md
|
60
|
-
- docs/upgrading-to-3-0.md
|
61
|
-
- docs/upgrading-to-4-0.md
|
62
|
-
- docs/upgrading-to-5-0.md
|
63
|
-
- docs/upgrading-to-6-0.md
|
64
44
|
- lib/secure_headers.rb
|
65
45
|
- lib/secure_headers/configuration.rb
|
66
46
|
- lib/secure_headers/hash_helper.rb
|
@@ -84,27 +64,16 @@ files:
|
|
84
64
|
- lib/secure_headers/view_helper.rb
|
85
65
|
- lib/tasks/tasks.rake
|
86
66
|
- secure_headers.gemspec
|
87
|
-
|
88
|
-
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
89
|
-
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
90
|
-
- spec/lib/secure_headers/headers/cookie_spec.rb
|
91
|
-
- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
|
92
|
-
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
93
|
-
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|
94
|
-
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
95
|
-
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
96
|
-
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
97
|
-
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
98
|
-
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
99
|
-
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
100
|
-
- spec/lib/secure_headers/middleware_spec.rb
|
101
|
-
- spec/lib/secure_headers/view_helpers_spec.rb
|
102
|
-
- spec/lib/secure_headers_spec.rb
|
103
|
-
- spec/spec_helper.rb
|
104
|
-
homepage: https://github.com/twitter/secureheaders
|
67
|
+
homepage: https://github.com/github/secure_headers
|
105
68
|
licenses:
|
106
69
|
- MIT
|
107
|
-
metadata:
|
70
|
+
metadata:
|
71
|
+
bug_tracker_uri: https://github.com/github/secure_headers/issues
|
72
|
+
changelog_uri: https://github.com/github/secure_headers/blob/master/CHANGELOG.md
|
73
|
+
documentation_uri: https://rubydoc.info/gems/secure_headers
|
74
|
+
homepage_uri: https://github.com/github/secure_headers
|
75
|
+
source_code_uri: https://github.com/github/secure_headers
|
76
|
+
rubygems_mfa_required: 'true'
|
108
77
|
post_install_message:
|
109
78
|
rdoc_options: []
|
110
79
|
require_paths:
|
@@ -124,21 +93,4 @@ rubygems_version: 3.0.3.1
|
|
124
93
|
signing_key:
|
125
94
|
specification_version: 4
|
126
95
|
summary: Manages application of security headers with many safe defaults.
|
127
|
-
test_files:
|
128
|
-
- spec/lib/secure_headers/configuration_spec.rb
|
129
|
-
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
130
|
-
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
131
|
-
- spec/lib/secure_headers/headers/cookie_spec.rb
|
132
|
-
- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
|
133
|
-
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
134
|
-
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|
135
|
-
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
136
|
-
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
137
|
-
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
138
|
-
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
139
|
-
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
140
|
-
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
141
|
-
- spec/lib/secure_headers/middleware_spec.rb
|
142
|
-
- spec/lib/secure_headers/view_helpers_spec.rb
|
143
|
-
- spec/lib/secure_headers_spec.rb
|
144
|
-
- spec/spec_helper.rb
|
96
|
+
test_files: []
|
data/.github/ISSUE_TEMPLATE.md
DELETED
@@ -1,41 +0,0 @@
|
|
1
|
-
# Feature Requests
|
2
|
-
|
3
|
-
## Adding a new header
|
4
|
-
|
5
|
-
Generally, adding a new header is always OK.
|
6
|
-
|
7
|
-
* Is the header supported by any user agent? If so, which?
|
8
|
-
* What does it do?
|
9
|
-
* What are the valid values for the header?
|
10
|
-
* Where does the specification live?
|
11
|
-
|
12
|
-
## Adding a new CSP directive
|
13
|
-
|
14
|
-
* Is the directive supported by any user agent? If so, which?
|
15
|
-
* What does it do?
|
16
|
-
* What are the valid values for the directive?
|
17
|
-
|
18
|
-
---
|
19
|
-
|
20
|
-
# Bugs
|
21
|
-
|
22
|
-
Console errors and deprecation warnings are considered bugs that should be addressed with more precise UA sniffing. Bugs caused by incorrect or invalid UA sniffing are also bugs.
|
23
|
-
|
24
|
-
### Expected outcome
|
25
|
-
|
26
|
-
Describe what you expected to happen
|
27
|
-
|
28
|
-
1. I configure CSP to do X
|
29
|
-
1. When I inspect the response headers, the CSP should have included X
|
30
|
-
|
31
|
-
### Actual outcome
|
32
|
-
|
33
|
-
1. The generated policy did not include X
|
34
|
-
|
35
|
-
### Config
|
36
|
-
|
37
|
-
Please provide the configuration (`SecureHeaders::Configuration.default`) you are using including any overrides (`SecureHeaders::Configuration.override`).
|
38
|
-
|
39
|
-
### Generated headers
|
40
|
-
|
41
|
-
Provide a sample response containing the headers
|
@@ -1,20 +0,0 @@
|
|
1
|
-
## All PRs:
|
2
|
-
|
3
|
-
* [ ] Has tests
|
4
|
-
* [ ] Documentation updated
|
5
|
-
|
6
|
-
## Adding a new header
|
7
|
-
|
8
|
-
Generally, adding a new header is always OK.
|
9
|
-
|
10
|
-
* Is the header supported by any user agent? If so, which?
|
11
|
-
* What does it do?
|
12
|
-
* What are the valid values for the header?
|
13
|
-
* Where does the specification live?
|
14
|
-
|
15
|
-
## Adding a new CSP directive
|
16
|
-
|
17
|
-
* Is the directive supported by any user agent? If so, which?
|
18
|
-
* What does it do?
|
19
|
-
* What are the valid values for the directive?
|
20
|
-
|
data/.github/dependabot.yml
DELETED
data/.github/workflows/build.yml
DELETED
@@ -1,24 +0,0 @@
|
|
1
|
-
name: Build + Test
|
2
|
-
on: [pull_request, push]
|
3
|
-
|
4
|
-
jobs:
|
5
|
-
build:
|
6
|
-
name: Build + Test
|
7
|
-
runs-on: ubuntu-latest
|
8
|
-
strategy:
|
9
|
-
matrix:
|
10
|
-
ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
|
11
|
-
|
12
|
-
steps:
|
13
|
-
- uses: actions/checkout@v3
|
14
|
-
- name: Set up Ruby ${{ matrix.ruby }}
|
15
|
-
uses: ruby/setup-ruby@v1
|
16
|
-
with:
|
17
|
-
ruby-version: ${{ matrix.ruby }}
|
18
|
-
- name: Build and test with Rake
|
19
|
-
run: |
|
20
|
-
gem install bundler
|
21
|
-
bundle install --jobs 4 --retry 3 --without guard
|
22
|
-
bundle exec rspec spec
|
23
|
-
bundle exec rubocop
|
24
|
-
|
@@ -1,28 +0,0 @@
|
|
1
|
-
name: GitHub Release
|
2
|
-
|
3
|
-
on:
|
4
|
-
push:
|
5
|
-
tags:
|
6
|
-
- v*
|
7
|
-
|
8
|
-
jobs:
|
9
|
-
Publish:
|
10
|
-
permissions:
|
11
|
-
contents: write
|
12
|
-
runs-on: ubuntu-latest
|
13
|
-
if: startsWith(github.ref, 'refs/tags/v')
|
14
|
-
steps:
|
15
|
-
- name: Calculate release name
|
16
|
-
run: |
|
17
|
-
GITHUB_REF=${{ github.ref }}
|
18
|
-
RELEASE_NAME=${GITHUB_REF#"refs/tags/"}
|
19
|
-
echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV
|
20
|
-
- name: Publish release
|
21
|
-
uses: actions/create-release@v1
|
22
|
-
env:
|
23
|
-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
24
|
-
with:
|
25
|
-
tag_name: ${{ github.ref }}
|
26
|
-
release_name: ${{ env.RELEASE_NAME }}
|
27
|
-
draft: false
|
28
|
-
prerelease: false
|
data/.gitignore
DELETED
data/.rspec
DELETED
data/.rubocop.yml
DELETED
data/.ruby-gemset
DELETED
@@ -1 +0,0 @@
|
|
1
|
-
secureheaders
|
data/.ruby-version
DELETED
@@ -1 +0,0 @@
|
|
1
|
-
3.1.1
|
data/CODE_OF_CONDUCT.md
DELETED
@@ -1,46 +0,0 @@
|
|
1
|
-
# Contributor Covenant Code of Conduct
|
2
|
-
|
3
|
-
## Our Pledge
|
4
|
-
|
5
|
-
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
|
6
|
-
|
7
|
-
## Our Standards
|
8
|
-
|
9
|
-
Examples of behavior that contributes to creating a positive environment include:
|
10
|
-
|
11
|
-
* Using welcoming and inclusive language
|
12
|
-
* Being respectful of differing viewpoints and experiences
|
13
|
-
* Gracefully accepting constructive criticism
|
14
|
-
* Focusing on what is best for the community
|
15
|
-
* Showing empathy towards other community members
|
16
|
-
|
17
|
-
Examples of unacceptable behavior by participants include:
|
18
|
-
|
19
|
-
* The use of sexualized language or imagery and unwelcome sexual attention or advances
|
20
|
-
* Trolling, insulting/derogatory comments, and personal or political attacks
|
21
|
-
* Public or private harassment
|
22
|
-
* Publishing others' private information, such as a physical or electronic address, without explicit permission
|
23
|
-
* Other conduct which could reasonably be considered inappropriate in a professional setting
|
24
|
-
|
25
|
-
## Our Responsibilities
|
26
|
-
|
27
|
-
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
|
28
|
-
|
29
|
-
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
|
30
|
-
|
31
|
-
## Scope
|
32
|
-
|
33
|
-
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
|
34
|
-
|
35
|
-
## Enforcement
|
36
|
-
|
37
|
-
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at neil.matatall@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
|
38
|
-
|
39
|
-
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
|
40
|
-
|
41
|
-
## Attribution
|
42
|
-
|
43
|
-
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
|
44
|
-
|
45
|
-
[homepage]: http://contributor-covenant.org
|
46
|
-
[version]: http://contributor-covenant.org/version/1/4/
|