secure_headers 7.0.0 → 7.2.0

data/secure_headers.gemspec

@@ -14,10 +14,22 @@ Gem::Specification.new do |gem|
     including content-security-policy, x-frame-options,
     strict-transport-security, etc.'
   gem.homepage      = "https://github.com/github/secure_headers"
+  gem.metadata      = {
+    "bug_tracker_uri"   => "https://github.com/github/secure_headers/issues",
+    "changelog_uri"     => "https://github.com/github/secure_headers/blob/master/CHANGELOG.md",
+    "documentation_uri" => "https://rubydoc.info/gems/secure_headers",
+    "homepage_uri"      => gem.homepage,
+    "source_code_uri"   => "https://github.com/github/secure_headers",
+    "rubygems_mfa_required" => "true",
+  }
   gem.license       = "MIT"
-  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
-  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
-  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+
+  gem.files         = Dir["bin/**/*", "lib/**/*", "README.md", "CHANGELOG.md", "LICENSE", "Gemfile", "secure_headers.gemspec"]
   gem.require_paths = ["lib"]
+
+  gem.extra_rdoc_files = Dir["README.md", "CHANGELOG.md", "LICENSE"]
+
+  gem.add_dependency "cgi", ">= 0.1"
+
   gem.add_development_dependency "rake"
 end

metadata

@@ -1,15 +1,28 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 7.0.0
+  version: 7.2.0
 platform: ruby
 authors:
 - Neil Matatall
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-16 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: cgi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -32,36 +45,15 @@ email:
 - neil.matatall@gmail.com
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- CHANGELOG.md
+- LICENSE
+- README.md
 files:
-- ".github/ISSUE_TEMPLATE.md"
-- ".github/PULL_REQUEST_TEMPLATE.md"
-- ".github/dependabot.yml"
-- ".github/workflows/build.yml"
-- ".github/workflows/github-release.yml"
-- ".gitignore"
-- ".rspec"
-- ".rubocop.yml"
-- ".ruby-gemset"
-- ".ruby-version"
 - CHANGELOG.md
-- CODE_OF_CONDUCT.md
-- CONTRIBUTING.md
 - Gemfile
-- Guardfile
 - LICENSE
 - README.md
-- Rakefile
-- docs/cookies.md
-- docs/hashes.md
-- docs/named_overrides_and_appends.md
-- docs/per_action_configuration.md
-- docs/sinatra.md
-- docs/upgrading-to-3-0.md
-- docs/upgrading-to-4-0.md
-- docs/upgrading-to-5-0.md
-- docs/upgrading-to-6-0.md
-- docs/upgrading-to-7-0.md
 - lib/secure_headers.rb
 - lib/secure_headers/configuration.rb
 - lib/secure_headers/hash_helper.rb
@@ -72,6 +64,7 @@ files:
 - lib/secure_headers/headers/expect_certificate_transparency.rb
 - lib/secure_headers/headers/policy_management.rb
 - lib/secure_headers/headers/referrer_policy.rb
+- lib/secure_headers/headers/reporting_endpoints.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
 - lib/secure_headers/headers/x_download_options.rb
@@ -80,33 +73,22 @@ files:
 - lib/secure_headers/headers/x_xss_protection.rb
 - lib/secure_headers/middleware.rb
 - lib/secure_headers/railtie.rb
+- lib/secure_headers/task_helper.rb
 - lib/secure_headers/utils/cookies_config.rb
 - lib/secure_headers/version.rb
 - lib/secure_headers/view_helper.rb
 - lib/tasks/tasks.rake
 - secure_headers.gemspec
-- spec/lib/secure_headers/configuration_spec.rb
-- spec/lib/secure_headers/headers/clear_site_data_spec.rb
-- spec/lib/secure_headers/headers/content_security_policy_spec.rb
-- spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
-- spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/referrer_policy_spec.rb
-- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
-- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
-- spec/lib/secure_headers/headers/x_download_options_spec.rb
-- spec/lib/secure_headers/headers/x_frame_options_spec.rb
-- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
-- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
-- spec/lib/secure_headers/middleware_spec.rb
-- spec/lib/secure_headers/view_helpers_spec.rb
-- spec/lib/secure_headers_spec.rb
-- spec/spec_helper.rb
 homepage: https://github.com/github/secure_headers
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  bug_tracker_uri: https://github.com/github/secure_headers/issues
+  changelog_uri: https://github.com/github/secure_headers/blob/master/CHANGELOG.md
+  documentation_uri: https://rubydoc.info/gems/secure_headers
+  homepage_uri: https://github.com/github/secure_headers
+  source_code_uri: https://github.com/github/secure_headers
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -121,25 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Manages application of security headers with many safe defaults.
-test_files:
-- spec/lib/secure_headers/configuration_spec.rb
-- spec/lib/secure_headers/headers/clear_site_data_spec.rb
-- spec/lib/secure_headers/headers/content_security_policy_spec.rb
-- spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
-- spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/referrer_policy_spec.rb
-- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
-- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
-- spec/lib/secure_headers/headers/x_download_options_spec.rb
-- spec/lib/secure_headers/headers/x_frame_options_spec.rb
-- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
-- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
-- spec/lib/secure_headers/middleware_spec.rb
-- spec/lib/secure_headers/view_helpers_spec.rb
-- spec/lib/secure_headers_spec.rb
-- spec/spec_helper.rb
+test_files: []

data/.github/ISSUE_TEMPLATE.md

@@ -1,41 +0,0 @@
-# Feature Requests
-
-## Adding a new header
-
-Generally, adding a new header is always OK. 
-
-* Is the header supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the header?
-* Where does the specification live?
-
-## Adding a new CSP directive
-
-* Is the directive supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the directive?
-
----
-
-# Bugs
-
-Console errors and deprecation warnings are considered bugs that should be addressed with more precise UA sniffing. Bugs caused by incorrect or invalid UA sniffing are also bugs.
-
-### Expected outcome
-
-Describe what you expected to happen 
-
-1. I configure CSP to do X
-1. When I inspect the response headers, the CSP should have included X
-
-### Actual outcome
-
-1. The generated policy did not include X
-
-### Config
-
-Please provide the configuration (`SecureHeaders::Configuration.default`) you are using including any overrides (`SecureHeaders::Configuration.override`).
-
-### Generated headers
-
-Provide a sample response containing the headers

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -1,20 +0,0 @@
-## All PRs:
-
-* [ ] Has tests
-* [ ] Documentation updated
-
-## Adding a new header
-
-Generally, adding a new header is always OK.
-
-* Is the header supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the header?
-* Where does the specification live?
-
-## Adding a new CSP directive
-
-* Is the directive supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the directive?
-

data/.github/dependabot.yml

@@ -1,6 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"

data/.github/workflows/build.yml

@@ -1,25 +0,0 @@
-name: Build + Test
-on: [pull_request, push]
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    name: Build + Test
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
-
-    steps:
-    - uses: actions/checkout@v4
-    - name: Set up Ruby ${{ matrix.ruby }}
-      uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 #v1.190.0 tag
-      with:
-        ruby-version: ${{ matrix.ruby }}
-        bundler-cache: true
-    - name: Build and test with Rake
-      run: |
-        bundle exec rubocop
-        bundle exec rspec spec

data/.github/workflows/github-release.yml

@@ -1,28 +0,0 @@
-name: GitHub Release
-
-on:
-  push:
-    tags:
-      - v*
-
-jobs:
-  Publish:
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/v')
-    steps:
-      - name: Calculate release name
-        run: |
-          GITHUB_REF=${{ github.ref }}
-          RELEASE_NAME=${GITHUB_REF#"refs/tags/"}
-          echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV
-      - name: Publish release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ env.RELEASE_NAME }}
-          draft: false
-          prerelease: false

data/.gitignore

@@ -1,13 +0,0 @@
-*.gem
-*.DS_STORE
-*.rbc
-.bundle
-.config
-.yardoc
-*.log
-Gemfile.lock
-_yardoc
-coverage
-pkg
-rdoc
-spec/reports

data/.rspec

@@ -1,3 +0,0 @@
---order rand
---warnings
---format progress

data/.rubocop.yml

@@ -1,4 +0,0 @@
-inherit_gem:
-  rubocop-github:
-    - config/default.yml
-require: rubocop-performance

data/.ruby-gemset

@@ -1 +0,0 @@
-secureheaders

data/.ruby-version

@@ -1 +0,0 @@
-3.1.1

data/CODE_OF_CONDUCT.md

@@ -1,46 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at neil.matatall@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
-
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/

data/CONTRIBUTING.md

@@ -1,41 +0,0 @@
-## Contributing
-
-[fork]: https://github.com/twitter/secureheaders/fork
-[pr]: https://github.com/twitter/secureheaders/compare
-[style]: https://github.com/styleguide/ruby
-[code-of-conduct]: CODE_OF_CONDUCT.md
-
-Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
-
-Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
-
-## Submitting a pull request
-
-0. [Fork][fork] and clone the repository
-0. Configure and install the dependencies: `bundle install`
-0. Make sure the tests pass on your machine: `bundle exec rspec spec`
-0. Create a new branch: `git checkout -b my-branch-name`
-0. Make your change, add tests, and make sure the tests still pass and that no warnings are raised
-0. Push to your fork and [submit a pull request][pr]
-0. Pat your self on the back and wait for your pull request to be reviewed and merged.
-
-Here are a few things you can do that will increase the likelihood of your pull request being accepted:
-
-- Write tests.
-- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
-- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
-
-## Releasing
-
-0. Ensure CI is green
-0. Pull the latest code
-0. Increment the version
-0. Run `gem build secure_headers.gemspec`
-0. Bump the Gemfile and Gemfile.lock versions for an app which relies on this gem
-0. Test behavior locally, branch deploy, whatever needs to happen
-0. Run `bundle exec rake release`
-
-## Resources
-
-- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
-- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)

data/Guardfile

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
-  require "guard/rspec/dsl"
-  dsl = Guard::RSpec::Dsl.new(self)
-
-  # RSpec files
-  rspec = dsl.rspec
-  watch(rspec.spec_helper) { rspec.spec_dir }
-  watch(rspec.spec_support) { rspec.spec_dir }
-  watch(rspec.spec_files)
-
-  watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
-end

data/Rakefile

@@ -1,32 +0,0 @@
-#!/usr/bin/env rake
-# frozen_string_literal: true
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
-require "net/http"
-require "net/https"
-
-RSpec::Core::RakeTask.new
-
-begin
-  require "rdoc/task"
-rescue LoadError
-  require "rdoc/rdoc"
-  require "rake/rdoctask"
-  RDoc::Task = Rake::RDocTask
-end
-
-begin
-  require "rubocop/rake_task"
-  RuboCop::RakeTask.new
-rescue LoadError
-  task(:rubocop) { $stderr.puts "RuboCop is disabled" }
-end
-
-RDoc::Task.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = "rdoc"
-  rdoc.title    = "SecureHeaders"
-  rdoc.options << "--line-numbers"
-  rdoc.rdoc_files.include("lib/**/*.rb")
-end
-
-task default: [:spec, :rubocop]

data/docs/cookies.md

@@ -1,65 +0,0 @@
-## Cookies
-
-SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.org/html/draft-west-first-party-cookies-07) cookies. These can be defined in the form of a boolean, or as a Hash for more refined configuration.
-
-__Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
-
-#### Defaults
-
-By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`.
-
-```ruby
-config.cookies = {
-  secure: true, # defaults to true but will be a no op on non-HTTPS requests
-  httponly: true, # defaults to true
-  samesite: {  # defaults to set `SameSite=Lax`
-    lax: true
-  }
-}
-```
-
-#### Boolean-based configuration
-
-Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.*
-
-```ruby
-config.cookies = {
-  secure: true, # mark all cookies as Secure
-  httponly: SecureHeaders::OPT_OUT, # do not mark any cookies as HttpOnly
-}
-```
-
-#### Hash-based configuration
-
-Hash-based configuration allows for fine-grained control.
-
-```ruby
-config.cookies = {
-  secure: { except: ['_guest'] }, # mark all but the `_guest` cookie as Secure
-  httponly: { only: ['_rails_session'] }, # only mark the `_rails_session` cookie as HttpOnly
-}
-```
-
-#### SameSite cookie configuration
-
-SameSite cookies permit either `Strict` or `Lax` enforcement mode options.
-
-```ruby
-config.cookies = {
-  samesite: {
-    strict: true # mark all cookies as SameSite=Strict
-  }
-}
-```
-
-`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
-
-```ruby
-config.cookies = {
-  samesite: {
-    strict: { only: ['session_id_duplicate'] },
-    lax: { only: ['_guest', '_rails_session', 'device_id'] },
-    none: { only: ['_tracking', 'saml_cookie', 'session_id'] },
-  }
-}
-```

data/docs/hashes.md

@@ -1,64 +0,0 @@
-## Hash
-
-`script`/`style-src` hashes can be used to whitelist inline content that is static. This has the benefit of allowing inline content without opening up the possibility of dynamic javascript like you would with a `nonce`.
-
-You can add hash sources directly to your policy :
-
-```ruby
-::SecureHeaders::Configuration.default do |config|
-   config.csp = {
-     default_src: %w('self')
-
-     # this is a made up value but browsers will show the expected hash in the console.
-     script_src: %w(sha256-123456)
-   }
- end
- ```
-
- You can also use the automated inline script detection/collection/computation of hash source values in your app.
-
- ```bash
- rake secure_headers:generate_hashes
- ```
-
- This will generate a file (`config/secure_headers_generated_hashes.yml` by default, you can override by setting `ENV["secure_headers_generated_hashes_file"]`) containing a mapping of file names with the array of hash values found on that page. When ActionView renders a given file, we check if there are any known hashes for that given file. If so, they are added as values to the header.
-
-```yaml
----
-scripts:
-  app/views/asdfs/index.html.erb:
-  - "'sha256-yktKiAsZWmc8WpOyhnmhQoDf9G2dAZvuBBC+V0LGQhg='"
-styles:
-  app/views/asdfs/index.html.erb:
-  - "'sha256-SLp6LO3rrKDJwsG9uJUxZapb4Wp2Zhj6Bu3l+d9rnAY='"
-  - "'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE='"
-```
-
-##### Helpers
-
-**This will not compute dynamic hashes** by design. The output of both helpers will be a plain `script`/`style` tag without modification and the known hashes for a given file will be added to `script-src`/`style-src` when `hashed_javascript_tag` and `hashed_style_tag` are used. You can use `raise_error_on_unrecognized_hash = true` to be extra paranoid that you have precomputed hash values for all of your inline content. By default, this will raise an error in non-production environments.
-
-```erb
-<%= hashed_style_tag do %>
-body {
-  background-color: black;
-}
-<% end %>
-
-<%= hashed_style_tag do %>
-body {
-  font-size: 30px;
-  font-color: green;
-}
-<% end %>
-
-<%= hashed_javascript_tag do %>
-console.log(1)
-<% end %>
-```
-
-```
-Content-Security-Policy: ...
- script-src 'sha256-yktKiAsZWmc8WpOyhnmhQoDf9G2dAZvuBBC+V0LGQhg=' ... ;
- style-src 'sha256-SLp6LO3rrKDJwsG9uJUxZapb4Wp2Zhj6Bu3l+d9rnAY=' 'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE=' ...;
-```