secure_headers 7.0.0 → 7.2.0

data/lib/secure_headers/headers/referrer_policy.rb

@@ -2,7 +2,7 @@
 module SecureHeaders
   class ReferrerPolicyConfigError < StandardError; end
   class ReferrerPolicy
-    HEADER_NAME = "Referrer-Policy".freeze
+    HEADER_NAME = "referrer-policy".freeze
     DEFAULT_VALUE = "origin-when-cross-origin"
     VALID_POLICIES = %w(
       no-referrer
@@ -15,29 +15,27 @@ module SecureHeaders
       unsafe-url
     )
 
-    class << self
-      # Public: generate an Referrer Policy header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        config ||= DEFAULT_VALUE
-        [HEADER_NAME, Array(config).join(", ")]
-      end
+    # Public: generate an Referrer Policy header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      config ||= DEFAULT_VALUE
+      [HEADER_NAME, Array(config).join(", ")]
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT
-          # valid
-        when String, Array
-          config = Array(config)
-          unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
-            raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
-          end
-        else
-          raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT
+        # valid
+      when String, Array
+        config = Array(config)
+        unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
+          raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
         end
+      else
+        raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
       end
     end
   end

data/lib/secure_headers/headers/reporting_endpoints.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+module SecureHeaders
+  class ReportingEndpointsConfigError < StandardError; end
+  class ReportingEndpoints
+    HEADER_NAME = "reporting-endpoints".freeze
+
+    class << self
+      # Public: generate a Reporting-Endpoints header.
+      #
+      # The config should be a Hash of endpoint names to URLs.
+      # Example: { "csp-endpoint" => "https://example.com/reports" }
+      #
+      # Returns nil if config is OPT_OUT or nil, or a header name and
+      # formatted header value based on the config.
+      def make_header(config = nil)
+        return if config.nil? || config == OPT_OUT
+        validate_config!(config)
+        [HEADER_NAME, format_endpoints(config)]
+      end
+
+      def validate_config!(config)
+        case config
+        when nil, OPT_OUT
+          # valid
+        when Hash
+          config.each_pair do |name, url|
+            if name.is_a?(Symbol)
+              name = name.to_s
+            end
+            unless name.is_a?(String) && !name.empty?
+              raise ReportingEndpointsConfigError.new("Endpoint name must be a non-empty string, got: #{name.inspect}")
+            end
+            unless url.is_a?(String) && !url.empty?
+              raise ReportingEndpointsConfigError.new("Endpoint URL must be a non-empty string, got: #{url.inspect}")
+            end
+            unless url.start_with?("https://")
+              raise ReportingEndpointsConfigError.new("Endpoint URLs must use https, got: #{url.inspect}")
+            end
+          end
+        else
+          raise TypeError.new("Must be a Hash of endpoint names to URLs. Found #{config.class}: #{config}")
+        end
+      end
+
+      private
+
+      def format_endpoints(config)
+        config.map do |name, url|
+          %{#{name}="#{url}"}
+        end.join(", ")
+      end
+    end
+  end
+end

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -3,27 +3,25 @@ module SecureHeaders
   class STSConfigError < StandardError; end
 
   class StrictTransportSecurity
-    HEADER_NAME = "Strict-Transport-Security".freeze
+    HEADER_NAME = "strict-transport-security".freeze
     HSTS_MAX_AGE = "631138519"
     DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
     VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
     MESSAGE = "The config value supplied for the HSTS header was invalid. Must match #{VALID_STS_HEADER}"
 
-    class << self
-      # Public: generate an hsts header name, value pair.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an hsts header name, value pair.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config} #{config.class}") unless config.is_a?(String)
-        raise STSConfigError.new(MESSAGE) unless config =~ VALID_STS_HEADER
-      end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config} #{config.class}") unless config.is_a?(String)
+      raise STSConfigError.new(MESSAGE) unless config =~ VALID_STS_HEADER
     end
   end
 end

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -3,25 +3,23 @@ module SecureHeaders
   class XContentTypeOptionsConfigError < StandardError; end
 
   class XContentTypeOptions
-    HEADER_NAME = "X-Content-Type-Options".freeze
+    HEADER_NAME = "x-content-type-options".freeze
     DEFAULT_VALUE = "nosniff"
 
-    class << self
-      # Public: generate an X-Content-Type-Options header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an X-Content-Type-Options header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless config.casecmp(DEFAULT_VALUE) == 0
-          raise XContentTypeOptionsConfigError.new("Value can only be nil or 'nosniff'")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless config.casecmp(DEFAULT_VALUE) == 0
+        raise XContentTypeOptionsConfigError.new("Value can only be nil or 'nosniff'")
       end
     end
   end

data/lib/secure_headers/headers/x_download_options.rb

@@ -2,25 +2,23 @@
 module SecureHeaders
   class XDOConfigError < StandardError; end
   class XDownloadOptions
-    HEADER_NAME = "X-Download-Options".freeze
+    HEADER_NAME = "x-download-options".freeze
     DEFAULT_VALUE = "noopen"
 
-    class << self
-      # Public: generate an X-Download-Options header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an x-download-options header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless config.casecmp(DEFAULT_VALUE) == 0
-          raise XDOConfigError.new("Value can only be nil or 'noopen'")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless config.casecmp(DEFAULT_VALUE) == 0
+        raise XDOConfigError.new("Value can only be nil or 'noopen'")
       end
     end
   end

data/lib/secure_headers/headers/x_frame_options.rb

@@ -2,7 +2,7 @@
 module SecureHeaders
   class XFOConfigError < StandardError; end
   class XFrameOptions
-    HEADER_NAME = "X-Frame-Options".freeze
+    HEADER_NAME = "x-frame-options".freeze
     SAMEORIGIN = "sameorigin"
     DENY = "deny"
     ALLOW_FROM = "allow-from"
@@ -10,22 +10,20 @@ module SecureHeaders
     DEFAULT_VALUE = SAMEORIGIN
     VALID_XFO_HEADER = /\A(#{SAMEORIGIN}\z|#{DENY}\z|#{ALLOW_ALL}\z|#{ALLOW_FROM}[:\s])/i
 
-    class << self
-      # Public: generate an X-Frame-Options header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an X-Frame-Options header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless config =~ VALID_XFO_HEADER
-          raise XFOConfigError.new("Value must be SAMEORIGIN|DENY|ALLOW-FROM:|ALLOWALL")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless config =~ VALID_XFO_HEADER
+        raise XFOConfigError.new("Value must be SAMEORIGIN|DENY|ALLOW-FROM:|ALLOWALL")
       end
     end
   end

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -2,26 +2,24 @@
 module SecureHeaders
   class XPCDPConfigError < StandardError; end
   class XPermittedCrossDomainPolicies
-    HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
+    HEADER_NAME = "x-permitted-cross-domain-policies".freeze
     DEFAULT_VALUE = "none"
     VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
 
-    class << self
-      # Public: generate an X-Permitted-Cross-Domain-Policies header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an x-permitted-cross-domain-policies header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless VALID_POLICIES.include?(config.downcase)
-          raise XPCDPConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless VALID_POLICIES.include?(config.downcase)
+        raise XPCDPConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
       end
     end
   end

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -2,25 +2,23 @@
 module SecureHeaders
   class XXssProtectionConfigError < StandardError; end
   class XXssProtection
-    HEADER_NAME = "X-XSS-Protection".freeze
+    HEADER_NAME = "x-xss-protection".freeze
     DEFAULT_VALUE = "0".freeze
     VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
-    class << self
-      # Public: generate an X-Xss-Protection header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an X-Xss-Protection header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        raise XXssProtectionConfigError.new("Invalid format (see VALID_X_XSS_HEADER)") unless config.to_s =~ VALID_X_XSS_HEADER
-      end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      raise XXssProtectionConfigError.new("Invalid format (see VALID_X_XSS_HEADER)") unless config.to_s =~ VALID_X_XSS_HEADER
     end
   end
 end

data/lib/secure_headers/middleware.rb

@@ -10,6 +10,12 @@ module SecureHeaders
       req = Rack::Request.new(env)
       status, headers, response = @app.call(env)
 
+      # Rack::Headers is available in Rack 3.x and later
+      # So we should pull the headers into that structure if possible
+      if defined?(Rack::Headers)
+        headers = Rack::Headers[headers]
+      end
+
       config = SecureHeaders.config_for(req)
       flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
       headers.merge!(SecureHeaders.header_hash_for(req))
@@ -20,14 +26,12 @@ module SecureHeaders
 
     # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
     def flag_cookies!(headers, config)
-      if cookies = headers["Set-Cookie"]
-        # Support Rails 2.3 / Rack 1.1 arrays as headers
-        cookies = cookies.split("\n") unless cookies.is_a?(Array)
+      cookies = headers["Set-Cookie"]
+      return unless cookies
 
-        headers["Set-Cookie"] = cookies.map do |cookie|
-          SecureHeaders::Cookie.new(cookie, config).to_s
-        end.join("\n")
-      end
+      cookies_array = cookies.is_a?(Array) ? cookies : cookies.split("\n")
+      secured_cookies = cookies_array.map { |cookie| SecureHeaders::Cookie.new(cookie, config).to_s }
+      headers["Set-Cookie"] = cookies.is_a?(Array) ? secured_cookies : secured_cookies.join("\n")
     end
 
     # disable Secure cookies for non-https requests

data/lib/secure_headers/railtie.rb

@@ -4,11 +4,11 @@ if defined?(Rails::Railtie)
   module SecureHeaders
     class Railtie < Rails::Railtie
       isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
-      conflicting_headers = ["X-Frame-Options", "X-XSS-Protection",
-                             "X-Permitted-Cross-Domain-Policies", "X-Download-Options",
-                             "X-Content-Type-Options", "Strict-Transport-Security",
-                             "Content-Security-Policy", "Content-Security-Policy-Report-Only",
-                             "Public-Key-Pins", "Public-Key-Pins-Report-Only", "Referrer-Policy"]
+      conflicting_headers = ["x-frame-options", "x-xss-protection",
+                             "x-permitted-cross-domain-policies", "x-download-options",
+                             "x-content-type-options", "strict-transport-security",
+                             "content-security-policy", "content-security-policy-report-only",
+                             "public-key-pins", "public-key-pins-report-only", "referrer-policy"]
 
       initializer "secure_headers.middleware" do
         Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware
@@ -22,9 +22,12 @@ if defined?(Rails::Railtie)
         ActiveSupport.on_load(:action_controller) do
           include SecureHeaders
 
-          unless Rails.application.config.action_dispatch.default_headers.nil?
-            conflicting_headers.each do |header|
-              Rails.application.config.action_dispatch.default_headers.delete(header)
+          default_headers = Rails.application.config.action_dispatch.default_headers
+          unless default_headers.nil?
+            default_headers.each_key do |header|
+              if conflicting_headers.include?(header.downcase)
+                default_headers.delete(header)
+              end
             end
           end
         end

data/lib/secure_headers/task_helper.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module SecureHeaders
+  module TaskHelper
+    include SecureHeaders::HashHelper
+
+    INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx
+    INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx
+    INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
+    INLINE_HASH_STYLE_HELPER_REGEX = /<%=\s?hashed_style_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
+
+    def generate_inline_script_hashes(filename)
+      hashes = []
+
+      hashes.concat find_inline_content(filename, INLINE_SCRIPT_REGEX, false)
+      hashes.concat find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, true)
+
+      hashes
+    end
+
+    def generate_inline_style_hashes(filename)
+      hashes = []
+
+      hashes.concat find_inline_content(filename, INLINE_STYLE_REGEX, false)
+      hashes.concat find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, true)
+
+      hashes
+    end
+
+    def dynamic_content?(filename, inline_script)
+      !!(
+        (is_mustache?(filename) && inline_script =~ /\{\{.*\}\}/) ||
+        (is_erb?(filename) && inline_script =~ /<%.*%>/)
+        )
+    end
+
+    private
+
+    def find_inline_content(filename, regex, strip_trailing_whitespace)
+      hashes = []
+      file = File.read(filename)
+      file.scan(regex) do # TODO don't use gsub
+        inline_script = Regexp.last_match.captures.last
+        inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
+        if dynamic_content?(filename, inline_script)
+          puts "Looks like there's some dynamic content inside of a tag :-/"
+          puts "That pretty much means the hash value will never match."
+          puts "Code: " + inline_script
+          puts "=" * 20
+        end
+
+        hashes << hash_source(inline_script)
+      end
+      hashes
+    end
+
+    def is_erb?(filename)
+      filename =~ /\.erb\Z/
+    end
+
+    def is_mustache?(filename)
+      filename =~ /\.mustache\Z/
+    end
+  end
+end

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "7.0.0"
+  VERSION = "7.2.0"
 end

data/lib/secure_headers.rb

@@ -11,6 +11,7 @@ require "secure_headers/headers/x_permitted_cross_domain_policies"
 require "secure_headers/headers/referrer_policy"
 require "secure_headers/headers/clear_site_data"
 require "secure_headers/headers/expect_certificate_transparency"
+require "secure_headers/headers/reporting_endpoints"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -133,6 +134,7 @@ module SecureHeaders
     # request.
     #
     # StrictTransportSecurity is not applied to http requests.
+    # upgrade_insecure_requests is not applied to http requests.
     # See #config_for to determine which config is used for a given request.
     #
     # Returns a hash of header names => header values. The value
@@ -146,6 +148,11 @@ module SecureHeaders
 
       if request.scheme != HTTPS
         headers.delete(StrictTransportSecurity::HEADER_NAME)
+
+        # Remove upgrade_insecure_requests from CSP headers for HTTP requests
+        # as it doesn't make sense to upgrade requests when the page itself is served over HTTP
+        remove_upgrade_insecure_requests_from_csp!(headers, config.csp)
+        remove_upgrade_insecure_requests_from_csp!(headers, config.csp_report_only)
       end
       headers
     end
@@ -178,7 +185,7 @@ module SecureHeaders
       content_security_policy_nonce(request, ContentSecurityPolicy::STYLE_SRC)
     end
 
-    # Public: Retreives the config for a given header type:
+    # Public: Retrieves the config for a given header type:
     #
     # Checks to see if there is an override for this request, then
     # Checks to see if a named override is used for this request, then
@@ -208,7 +215,7 @@ module SecureHeaders
 
     def config_and_target(request, target)
       config = config_for(request)
-      target = guess_target(config) unless target
+      target ||= guess_target(config)
       raise_on_unknown_target(target)
       [config, target]
     end
@@ -242,6 +249,23 @@ module SecureHeaders
     def override_secure_headers_request_config(request, config)
       request.env[SECURE_HEADERS_CONFIG] = config
     end
+
+    # Private: removes upgrade_insecure_requests directive from a CSP config
+    # if it's present, and updates the headers hash with the modified CSP.
+    #
+    # headers - the headers hash to update
+    # csp_config - the CSP config to check and potentially modify
+    #
+    # Returns nothing (modifies headers in place)
+    def remove_upgrade_insecure_requests_from_csp!(headers, csp_config)
+      return if csp_config.opt_out?
+      return unless csp_config.directive_value(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS)
+
+      modified_config = csp_config.dup
+      modified_config.update_directive(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS, false)
+      header_name, value = ContentSecurityPolicy.make_header(modified_config)
+      headers[header_name] = value if header_name && value
+    end
   end
 
   # These methods are mixed into controllers and delegate to the class method

data/lib/tasks/tasks.rake

@@ -1,58 +1,8 @@
 # frozen_string_literal: true
-INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx unless defined? INLINE_SCRIPT_REGEX
-INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx unless defined? INLINE_STYLE_REGEX
-INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx unless defined? INLINE_HASH_SCRIPT_HELPER_REGEX
-INLINE_HASH_STYLE_HELPER_REGEX = /<%=\s?hashed_style_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx unless defined? INLINE_HASH_STYLE_HELPER_REGEX
+require "secure_headers/task_helper"
 
 namespace :secure_headers do
-  include SecureHeaders::HashHelper
-
-  def is_erb?(filename)
-    filename =~ /\.erb\Z/
-  end
-
-  def is_mustache?(filename)
-    filename =~ /\.mustache\Z/
-  end
-
-  def dynamic_content?(filename, inline_script)
-    (is_mustache?(filename) && inline_script =~ /\{\{.*\}\}/) ||
-      (is_erb?(filename) && inline_script =~ /<%.*%>/)
-  end
-
-  def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
-    file = File.read(filename)
-    file.scan(regex) do # TODO don't use gsub
-      inline_script = Regexp.last_match.captures.last
-      inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
-      if dynamic_content?(filename, inline_script)
-        puts "Looks like there's some dynamic content inside of a tag :-/"
-        puts "That pretty much means the hash value will never match."
-        puts "Code: " + inline_script
-        puts "=" * 20
-      end
-
-      hashes << hash_source(inline_script)
-    end
-  end
-
-  def generate_inline_script_hashes(filename)
-    hashes = []
-
-    find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
-    find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
-
-    hashes
-  end
-
-  def generate_inline_style_hashes(filename)
-    hashes = []
-
-    find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
-    find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
-
-    hashes
-  end
+  include SecureHeaders::TaskHelper
 
   desc "Generate #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
   task :generate_hashes do |t, args|
@@ -77,6 +27,7 @@ namespace :secure_headers do
       file.write(script_hashes.to_yaml)
     end
 
-    puts "Script hashes from " + script_hashes.keys.size.to_s + " files added to #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
+    file_count = (script_hashes["scripts"].keys + script_hashes["styles"].keys).uniq.count
+    puts "Script and style hashes from #{file_count} files added to #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
   end
 end