secure_headers 7.1.0 → 7.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 484062b599a7d8ca3ad93c0b91bd6f88b9f80eb7b3f5106fbb4b94b0ae7a82f9
-  data.tar.gz: 68c9dc56b62c0d0c77f166e08ae24e6f13dadcda1a9ebaff8b18e4dad0177fa9
+  metadata.gz: 3c43b0dda7b2739b7309a887a98fb5a7c81120fd10d3f7eec5b15ad5afb3ef05
+  data.tar.gz: d33d9f60cbd50e3085d1b5f0946007af6cd0f56ad179bbf393c2713151f490d1
 SHA512:
-  metadata.gz: 63969aa532b3aa321b2e848764e1ddcbbd9e36fc57bd0e2d98bb4f8ede7c94e32ec6d2aef3f81581d99c1bc623c108d159be635e8df238390304077360fa6f9f
-  data.tar.gz: fbc1a3a713680ac487ad16185176ebb5cbdce5416bdd9e765faf0757aa0c10a8ef71b825225bfaf40a66c16ce955edacb2deeedc910e14264bd5b8469be8805d
+  metadata.gz: afca952f75511ad4d5e0d6c9513fa68560fe5ed1843c445986fba36a3fca6fbf2fc192279f0341a917ac85ca89af19eb7c199b76ce57e93bed54875e3bd24f7d
+  data.tar.gz: eb9138a561acea12ed129f152425861e6405b3df999393c5dcf9bd99f5405a0f1a328dfee47c638a85333b1d71ff6e9ce9ebfaad954d84f9f984454a20958a53

data/CHANGELOG.md

@@ -70,7 +70,7 @@ NOTE: this version is a breaking change due to the removal of HPKP. Remove the H
 
 ## 5.0.0
 
-Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
+Well this is a little embarrassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
 
 ## 4.0.1
 
@@ -194,7 +194,7 @@ end
 
 ## 3.4.0 the frame-src/child-src transition for Firefox.
 
-Handle the `child-src`/`frame-src` transition semi-intelligently across versions. I think the code best descibes the behavior here:
+Handle the `child-src`/`frame-src` transition semi-intelligently across versions. I think the code best describes the behavior here:
 
 ```ruby
 if supported_directives.include?(:child_src)

data/README.md

@@ -1,4 +1,4 @@
-# Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
+# Secure Headers [![Build + Test](https://github.com/github/secure_headers/actions/workflows/build.yml/badge.svg)](https://github.com/github/secure_headers/actions/workflows/build.yml)
 
 **main branch represents 7.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), [upgrading to 6.x doc](docs/upgrading-to-6-0.md) or [upgrading to 7.x doc](docs/upgrading-to-7-0.md) for instructions on how to upgrade. Bug fixes should go in the `6.x` branch for now.
 
@@ -88,9 +88,50 @@ SecureHeaders::Configuration.default do |config|
     img_src: %w(somewhereelse.com),
     report_uri: %w(https://report-uri.io/example-csp-report-only)
   })
+
+  # Optional: Use the modern report-to directive (with Reporting-Endpoints header)
+  config.csp = config.csp.merge({
+    report_to: "csp-endpoint"
+  })
+
+  # When using report-to, configure the reporting endpoints header
+  config.reporting_endpoints = {
+    "csp-endpoint": "https://report-uri.io/example-csp",
+    "csp-report-only": "https://report-uri.io/example-csp-report-only"
+  }
 end
 ```
 
+### CSP Reporting
+
+SecureHeaders supports both the legacy `report-uri` and the modern `report-to` directives for CSP violation reporting:
+
+#### report-uri (Legacy)
+The `report-uri` directive sends violations to a URL endpoint. It's widely supported but limited to POST requests with JSON payloads.
+
+```ruby
+config.csp = {
+  default_src: %w('self'),
+  report_uri: %w(https://example.com/csp-report)
+}
+```
+
+#### report-to (Modern)
+The `report-to` directive specifies a named reporting endpoint defined in the `Reporting-Endpoints` header. This enables more flexible reporting through the HTTP Reporting API standard.
+
+```ruby
+config.csp = {
+  default_src: %w('self'),
+  report_to: "csp-endpoint"
+}
+
+config.reporting_endpoints = {
+  "csp-endpoint": "https://example.com/reports"
+}
+```
+
+**Recommendation:** Use both `report-uri` and `report-to` for maximum compatibility while transitioning to the modern approach.
+
 ### Deprecated Configuration Values
 * `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content for more information.
 
@@ -125,6 +166,29 @@ end
 
 However, I would consider these headers anyways depending on your load and bandwidth requirements.
 
+## Disabling secure_headers
+
+If you want to disable `secure_headers` entirely (e.g., for specific environments or deployment scenarios), you can use `Configuration.disable!`:
+
+```ruby
+if ENV["ENABLE_STRICT_HEADERS"]
+  SecureHeaders::Configuration.default do |config|
+    # your configuration here
+  end
+else
+  SecureHeaders::Configuration.disable!
+end
+```
+
+**Important**: This configuration must be set during application startup (e.g., in an initializer). Once you call either `Configuration.default` or `Configuration.disable!`, the choice cannot be changed at runtime. Attempting to call `disable!` after `default` (or vice versa) will raise an `AlreadyConfiguredError`.
+
+When disabled, no security headers will be set by the gem. This is useful when:
+- You're gradually rolling out secure_headers across different customers or deployments
+- You need to migrate existing custom headers to secure_headers
+- You want environment-specific control over security headers
+
+Note: When `disable!` is used, you don't need to configure a default configuration. The gem will not raise a `NotYetConfiguredError`.
+
 ## Acknowledgements
 
 This project originated within the Security team at Twitter. An archived fork from the point of transition is here: https://github.com/twitter-archive/secure_headers.

data/lib/secure_headers/configuration.rb

@@ -9,23 +9,53 @@ module SecureHeaders
     class NotYetConfiguredError < StandardError; end
     class IllegalPolicyModificationError < StandardError; end
     class << self
+      # Public: Disable secure_headers entirely. When disabled, no headers will be set.
+      #
+      # Note: This must be called before Configuration.default. Calling it after
+      # Configuration.default has been set will raise an AlreadyConfiguredError.
+      #
+      # Returns nothing
+      # Raises AlreadyConfiguredError if Configuration.default has already been called
+      def disable!
+        if defined?(@default_config)
+          raise AlreadyConfiguredError, "Configuration already set, cannot disable"
+        end
+
+        @disabled = true
+        @noop_config = create_noop_config.freeze
+
+        # Ensure the built-in NOOP override is available even if `default` has never been called
+        @overrides ||= {}
+        unless @overrides.key?(NOOP_OVERRIDE)
+          @overrides[NOOP_OVERRIDE] = method(:create_noop_config_block)
+        end
+      end
+
+      # Public: Check if secure_headers is disabled
+      #
+      # Returns boolean
+      def disabled?
+        defined?(@disabled) && @disabled
+      end
+
       # Public: Set the global default configuration.
       #
       # Optionally supply a block to override the defaults set by this library.
       #
       # Returns the newly created config.
+      # Raises AlreadyConfiguredError if Configuration.disable! has already been called
       def default(&block)
+        if disabled?
+          raise AlreadyConfiguredError, "Configuration has been disabled, cannot set default"
+        end
+
         if defined?(@default_config)
           raise AlreadyConfiguredError, "Policy already configured"
         end
 
         # Define a built-in override that clears all configuration options and
         # results in no security headers being set.
-        override(NOOP_OVERRIDE) do |config|
-          CONFIG_ATTRIBUTES.each do |attr|
-            config.instance_variable_set("@#{attr}", OPT_OUT)
-          end
-        end
+        override(NOOP_OVERRIDE, &method(:create_noop_config_block))
 
         new_config = new(&block).freeze
         new_config.validate_config!
@@ -35,7 +65,7 @@ module SecureHeaders
 
       # Public: create a named configuration that overrides the default config.
       #
-      # name - use an idenfier for the override config.
+      # name - use an identifier for the override config.
       # base - override another existing config, or override the default config
       # if no value is supplied.
       #
@@ -101,6 +131,7 @@ module SecureHeaders
       # of ensuring that the default config is never mutated and is dup(ed)
       # before it is used in a request.
       def default_config
+        return @noop_config if disabled?
         unless defined?(@default_config)
           raise NotYetConfiguredError, "Default policy not yet configured"
         end
@@ -116,6 +147,19 @@ module SecureHeaders
           value
         end
       end
+
+      # Private: Creates a NOOP configuration that opts out of all headers
+      def create_noop_config
+        new(&method(:create_noop_config_block))
+      end
+
+      # Private: Block for creating NOOP configuration
+      # Used by both create_noop_config and the NOOP_OVERRIDE mechanism
+      def create_noop_config_block(config)
+        CONFIG_ATTRIBUTES.each do |attr|
+          config.instance_variable_set("@#{attr}", OPT_OUT)
+        end
+      end
     end
 
     CONFIG_ATTRIBUTES_TO_HEADER_CLASSES = {
@@ -131,6 +175,7 @@ module SecureHeaders
       csp: ContentSecurityPolicy,
       csp_report_only: ContentSecurityPolicy,
       cookies: Cookie,
+      reporting_endpoints: ReportingEndpoints,
     }.freeze
 
     CONFIG_ATTRIBUTES = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys.freeze
@@ -167,6 +212,7 @@ module SecureHeaders
       @x_permitted_cross_domain_policies = nil
       @x_xss_protection = nil
       @expect_certificate_transparency = nil
+      @reporting_endpoints = nil
 
       self.referrer_policy = OPT_OUT
       self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
@@ -192,6 +238,7 @@ module SecureHeaders
       copy.clear_site_data = @clear_site_data
       copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
+      copy.reporting_endpoints = self.class.send(:deep_copy_if_hash, @reporting_endpoints)
       copy
     end
 

data/lib/secure_headers/headers/clear_site_data.rb

@@ -11,43 +11,41 @@ module SecureHeaders
     EXECUTION_CONTEXTS = "executionContexts".freeze
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
-    class << self
-      # Public: make an clear-site-data header name, value pair
-      #
-      # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config = nil, user_agent = nil)
-        case config
-        when nil, OPT_OUT, []
-          # noop
-        when Array
-          [HEADER_NAME, make_header_value(config)]
-        when true
-          [HEADER_NAME, make_header_value(ALL_TYPES)]
-        end
+    # Public: make an clear-site-data header name, value pair
+    #
+    # Returns nil if not configured, returns header name and value if configured.
+    def self.make_header(config = nil, user_agent = nil)
+      case config
+      when nil, OPT_OUT, []
+        # noop
+      when Array
+        [HEADER_NAME, make_header_value(config)]
+      when true
+        [HEADER_NAME, make_header_value(ALL_TYPES)]
       end
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT, true
-          # valid
-        when Array
-          unless config.all? { |t| t.is_a?(String) }
-            raise ClearSiteDataConfigError.new("types must be Strings")
-          end
-        else
-          raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT, true
+        # valid
+      when Array
+        unless config.all? { |t| t.is_a?(String) }
+          raise ClearSiteDataConfigError.new("types must be Strings")
         end
+      else
+        raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
       end
+    end
 
-      # Public: Transform a clear-site-data config (an Array of Strings) into a
-      # String that can be used as the value for the clear-site-data header.
-      #
-      # types - An Array of String of types of data to clear.
-      #
-      # Returns a String of quoted values that are comma separated.
-      def make_header_value(types)
-        types.map { |t| %("#{t}") }.join(", ")
-      end
+    # Public: Transform a clear-site-data config (an Array of Strings) into a
+    # String that can be used as the value for the clear-site-data header.
+    #
+    # types - An Array of String of types of data to clear.
+    #
+    # Returns a String of quoted values that are comma separated.
+    def self.make_header_value(types)
+      types.map { |t| %("#{t}") }.join(", ")
     end
   end
 end

data/lib/secure_headers/headers/content_security_policy.rb

@@ -63,6 +63,8 @@ module SecureHeaders
           build_sandbox_list_directive(directive_name)
         when :media_type_list
           build_media_type_list_directive(directive_name)
+        when :report_to_endpoint
+          build_report_to_directive(directive_name)
         end
       end.compact.join("; ")
     end
@@ -79,7 +81,7 @@ module SecureHeaders
       end
 
       # A maximally strict sandbox policy is just the `sandbox` directive,
-      # whith no configuraiton values.
+      # with no configuration values.
       if max_strict_policy
         symbol_to_hyphen_case(directive)
       elsif sandbox_list && sandbox_list.any?
@@ -100,6 +102,13 @@ module SecureHeaders
       end
     end
 
+    def build_report_to_directive(directive)
+      return unless endpoint_name = @config.directive_value(directive)
+      if endpoint_name && endpoint_name.is_a?(String) && !endpoint_name.empty?
+        [symbol_to_hyphen_case(directive), endpoint_name].join(" ")
+      end
+    end
+
     # Private: builds a string that represents one directive in a minified form.
     #
     # directive_name - a symbol representing the various ALL_DIRECTIVES
@@ -120,7 +129,7 @@ module SecureHeaders
     end
 
     # If a directive contains *, all other values are omitted.
-    # If a directive contains 'none' but has other values, 'none' is ommitted.
+    # If a directive contains 'none' but has other values, 'none' is omitted.
     # Schemes are stripped (see http://www.w3.org/TR/CSP2/#match-source-expression)
     def minify_source_list(directive, source_list)
       source_list = source_list.compact
@@ -129,6 +138,7 @@ module SecureHeaders
       else
         source_list = populate_nonces(directive, source_list)
         source_list = reject_all_values_if_none(source_list)
+        source_list = normalize_uri_paths(source_list)
 
         unless directive == REPORT_URI || @preserve_schemes
           source_list = strip_source_schemes(source_list)
@@ -151,6 +161,26 @@ module SecureHeaders
       end
     end
 
+    def normalize_uri_paths(source_list)
+      source_list.map do |source|
+        # Normalize domains ending in a single / as without omitting the slash accomplishes the same.
+        # https://www.w3.org/TR/CSP3/#match-paths § 6.6.2.10 Step 2
+        begin
+          uri = URI(source)
+          if uri.path == "/"
+            next source.chomp("/")
+          end
+        rescue URI::InvalidURIError
+        end
+
+        if source.chomp("/").include?("/")
+          source
+        else
+          source.chomp("/")
+        end
+      end
+    end
+
     # Private: append a nonce to the script/style directories if script_nonce
     # or style_nonce are provided.
     def populate_nonces(directive, source_list)
@@ -179,11 +209,12 @@ module SecureHeaders
     end
 
     # Private: return the list of directives,
-    # starting with default-src and ending with report-uri.
+    # starting with default-src and ending with reporting directives (alphabetically ordered).
     def directives
       [
         DEFAULT_SRC,
         BODY_DIRECTIVES,
+        REPORT_TO,
         REPORT_URI,
       ].flatten
     end

data/lib/secure_headers/headers/cookie.rb

@@ -7,10 +7,8 @@ module SecureHeaders
   class CookiesConfigError < StandardError; end
   class Cookie
 
-    class << self
-      def validate_config!(config)
-        CookiesConfig.new(config).validate!
-      end
+    def self.validate_config!(config)
+      CookiesConfig.new(config).validate!
     end
 
     attr_reader :raw_cookie, :config

data/lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -9,31 +9,29 @@ module SecureHeaders
     REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
     INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze
 
-    class << self
-      # Public: Generate a expect-ct header.
-      #
-      # Returns nil if not configured, returns header name and value if
-      # configured.
-      def make_header(config, use_agent = nil)
-        return if config.nil? || config == OPT_OUT
+    # Public: Generate a expect-ct header.
+    #
+    # Returns nil if not configured, returns header name and value if
+    # configured.
+    def self.make_header(config, use_agent = nil)
+      return if config.nil? || config == OPT_OUT
 
-        header = new(config)
-        [HEADER_NAME, header.value]
-      end
+      header = new(config)
+      [HEADER_NAME, header.value]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
 
-        unless [true, false, nil].include?(config[:enforce])
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
-        end
+      unless [true, false, nil].include?(config[:enforce])
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
+      end
 
-        if !config[:max_age]
-          raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
-        elsif config[:max_age].to_s !~ /\A\d+\z/
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
-        end
+      if !config[:max_age]
+        raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
+      elsif config[:max_age].to_s !~ /\A\d+\z/
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
       end
     end
 

data/lib/secure_headers/headers/policy_management.rb

@@ -39,6 +39,7 @@ module SecureHeaders
     SCRIPT_SRC = :script_src
     STYLE_SRC = :style_src
     REPORT_URI = :report_uri
+    REPORT_TO = :report_to
 
     DIRECTIVES_1_0 = [
       DEFAULT_SRC,
@@ -51,7 +52,8 @@ module SecureHeaders
       SANDBOX,
       SCRIPT_SRC,
       STYLE_SRC,
-      REPORT_URI
+      REPORT_URI,
+      REPORT_TO
     ].freeze
 
     BASE_URI = :base_uri
@@ -110,9 +112,9 @@ module SecureHeaders
 
     ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort
 
-    # Think of default-src and report-uri as the beginning and end respectively,
+    # Think of default-src and report-uri/report-to as the beginning and end respectively,
     # everything else is in between.
-    BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
+    BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI, REPORT_TO]
 
     DIRECTIVE_VALUE_TYPES = {
       BASE_URI                  => :source_list,
@@ -129,10 +131,11 @@ module SecureHeaders
       NAVIGATE_TO               => :source_list,
       OBJECT_SRC                => :source_list,
       PLUGIN_TYPES              => :media_type_list,
+      PREFETCH_SRC              => :source_list,
+      REPORT_TO                 => :report_to_endpoint,
+      REPORT_URI                => :source_list,
       REQUIRE_SRI_FOR           => :require_sri_for_list,
       REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
-      REPORT_URI                => :source_list,
-      PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
       SCRIPT_SRC_ELEM           => :source_list,
@@ -158,6 +161,7 @@ module SecureHeaders
       FORM_ACTION,
       FRAME_ANCESTORS,
       NAVIGATE_TO,
+      REPORT_TO,
       REPORT_URI,
     ]
 
@@ -201,7 +205,7 @@ module SecureHeaders
 
       # Public: Validates each source expression.
       #
-      # Does not validate the invididual values of the source expression (e.g.
+      # Does not validate the individual values of the source expression (e.g.
       # script_src => h*t*t*p: will not raise an exception)
       def validate_config!(config)
         return if config.nil? || config.opt_out?
@@ -344,6 +348,8 @@ module SecureHeaders
           validate_require_sri_source_expression!(directive, value)
         when :require_trusted_types_for_list
           validate_require_trusted_types_for_source_expression!(directive, value)
+        when :report_to_endpoint
+          validate_report_to_endpoint_expression!(directive, value)
         else
           raise ContentSecurityPolicyConfigError.new("Unknown directive #{directive}")
         end
@@ -398,11 +404,23 @@ module SecureHeaders
         end
       end
 
+      # Private: validates that a report-to endpoint expression:
+      # 1. is a string
+      # 2. is not empty
+      def validate_report_to_endpoint_expression!(directive, endpoint_name)
+        unless endpoint_name.is_a?(String)
+          raise ContentSecurityPolicyConfigError.new("#{directive} must be a string. Found #{endpoint_name.class} value")
+        end
+        if endpoint_name.empty?
+          raise ContentSecurityPolicyConfigError.new("#{directive} must not be empty")
+        end
+      end
+
       # Private: validates that a source expression:
       # 1. is an array of strings
       # 2. does not contain any deprecated, now invalid values (inline, eval, self, none)
       #
-      # Does not validate the invididual values of the source expression (e.g.
+      # Does not validate the individual values of the source expression (e.g.
       # script_src => h*t*t*p: will not raise an exception)
       def validate_source_expression!(directive, source_expression)
         if source_expression != OPT_OUT

data/lib/secure_headers/headers/referrer_policy.rb

@@ -15,29 +15,27 @@ module SecureHeaders
       unsafe-url
     )
 
-    class << self
-      # Public: generate an Referrer Policy header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        config ||= DEFAULT_VALUE
-        [HEADER_NAME, Array(config).join(", ")]
-      end
+    # Public: generate an Referrer Policy header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      config ||= DEFAULT_VALUE
+      [HEADER_NAME, Array(config).join(", ")]
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT
-          # valid
-        when String, Array
-          config = Array(config)
-          unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
-            raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
-          end
-        else
-          raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT
+        # valid
+      when String, Array
+        config = Array(config)
+        unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
+          raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
         end
+      else
+        raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
       end
     end
   end

data/lib/secure_headers/headers/reporting_endpoints.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+module SecureHeaders
+  class ReportingEndpointsConfigError < StandardError; end
+  class ReportingEndpoints
+    HEADER_NAME = "reporting-endpoints".freeze
+
+    class << self
+      # Public: generate a Reporting-Endpoints header.
+      #
+      # The config should be a Hash of endpoint names to URLs.
+      # Example: { "csp-endpoint" => "https://example.com/reports" }
+      #
+      # Returns nil if config is OPT_OUT or nil, or a header name and
+      # formatted header value based on the config.
+      def make_header(config = nil)
+        return if config.nil? || config == OPT_OUT
+        validate_config!(config)
+        [HEADER_NAME, format_endpoints(config)]
+      end
+
+      def validate_config!(config)
+        case config
+        when nil, OPT_OUT
+          # valid
+        when Hash
+          config.each_pair do |name, url|
+            if name.is_a?(Symbol)
+              name = name.to_s
+            end
+            unless name.is_a?(String) && !name.empty?
+              raise ReportingEndpointsConfigError.new("Endpoint name must be a non-empty string, got: #{name.inspect}")
+            end
+            unless url.is_a?(String) && !url.empty?
+              raise ReportingEndpointsConfigError.new("Endpoint URL must be a non-empty string, got: #{url.inspect}")
+            end
+            unless url.start_with?("https://")
+              raise ReportingEndpointsConfigError.new("Endpoint URLs must use https, got: #{url.inspect}")
+            end
+          end
+        else
+          raise TypeError.new("Must be a Hash of endpoint names to URLs. Found #{config.class}: #{config}")
+        end
+      end
+
+      private
+
+      def format_endpoints(config)
+        config.map do |name, url|
+          %{#{name}="#{url}"}
+        end.join(", ")
+      end
+    end
+  end
+end

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -9,21 +9,19 @@ module SecureHeaders
     VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
     MESSAGE = "The config value supplied for the HSTS header was invalid. Must match #{VALID_STS_HEADER}"
 
-    class << self
-      # Public: generate an hsts header name, value pair.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an hsts header name, value pair.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config} #{config.class}") unless config.is_a?(String)
-        raise STSConfigError.new(MESSAGE) unless config =~ VALID_STS_HEADER
-      end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config} #{config.class}") unless config.is_a?(String)
+      raise STSConfigError.new(MESSAGE) unless config =~ VALID_STS_HEADER
     end
   end
 end

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -6,22 +6,20 @@ module SecureHeaders
     HEADER_NAME = "x-content-type-options".freeze
     DEFAULT_VALUE = "nosniff"
 
-    class << self
-      # Public: generate an X-Content-Type-Options header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an X-Content-Type-Options header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless config.casecmp(DEFAULT_VALUE) == 0
-          raise XContentTypeOptionsConfigError.new("Value can only be nil or 'nosniff'")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless config.casecmp(DEFAULT_VALUE) == 0
+        raise XContentTypeOptionsConfigError.new("Value can only be nil or 'nosniff'")
       end
     end
   end

data/lib/secure_headers/headers/x_download_options.rb

@@ -5,22 +5,20 @@ module SecureHeaders
     HEADER_NAME = "x-download-options".freeze
     DEFAULT_VALUE = "noopen"
 
-    class << self
-      # Public: generate an x-download-options header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an x-download-options header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless config.casecmp(DEFAULT_VALUE) == 0
-          raise XDOConfigError.new("Value can only be nil or 'noopen'")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless config.casecmp(DEFAULT_VALUE) == 0
+        raise XDOConfigError.new("Value can only be nil or 'noopen'")
       end
     end
   end

data/lib/secure_headers/headers/x_frame_options.rb

@@ -10,22 +10,20 @@ module SecureHeaders
     DEFAULT_VALUE = SAMEORIGIN
     VALID_XFO_HEADER = /\A(#{SAMEORIGIN}\z|#{DENY}\z|#{ALLOW_ALL}\z|#{ALLOW_FROM}[:\s])/i
 
-    class << self
-      # Public: generate an X-Frame-Options header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an X-Frame-Options header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless config =~ VALID_XFO_HEADER
-          raise XFOConfigError.new("Value must be SAMEORIGIN|DENY|ALLOW-FROM:|ALLOWALL")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless config =~ VALID_XFO_HEADER
+        raise XFOConfigError.new("Value must be SAMEORIGIN|DENY|ALLOW-FROM:|ALLOWALL")
       end
     end
   end

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -6,22 +6,20 @@ module SecureHeaders
     DEFAULT_VALUE = "none"
     VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
 
-    class << self
-      # Public: generate an x-permitted-cross-domain-policies header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an x-permitted-cross-domain-policies header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless VALID_POLICIES.include?(config.downcase)
-          raise XPCDPConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless VALID_POLICIES.include?(config.downcase)
+        raise XPCDPConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
       end
     end
   end

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -6,21 +6,19 @@ module SecureHeaders
     DEFAULT_VALUE = "0".freeze
     VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
-    class << self
-      # Public: generate an X-Xss-Protection header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an X-Xss-Protection header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        raise XXssProtectionConfigError.new("Invalid format (see VALID_X_XSS_HEADER)") unless config.to_s =~ VALID_X_XSS_HEADER
-      end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      raise XXssProtectionConfigError.new("Invalid format (see VALID_X_XSS_HEADER)") unless config.to_s =~ VALID_X_XSS_HEADER
     end
   end
 end

data/lib/secure_headers/middleware.rb

@@ -10,6 +10,12 @@ module SecureHeaders
       req = Rack::Request.new(env)
       status, headers, response = @app.call(env)
 
+      # Rack::Headers is available in Rack 3.x and later
+      # So we should pull the headers into that structure if possible
+      if defined?(Rack::Headers)
+        headers = Rack::Headers[headers]
+      end
+
       config = SecureHeaders.config_for(req)
       flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
       headers.merge!(SecureHeaders.header_hash_for(req))
@@ -20,14 +26,12 @@ module SecureHeaders
 
     # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
     def flag_cookies!(headers, config)
-      if cookies = headers["Set-Cookie"]
-        # Support Rails 2.3 / Rack 1.1 arrays as headers
-        cookies = cookies.split("\n") unless cookies.is_a?(Array)
+      cookies = headers["Set-Cookie"]
+      return unless cookies
 
-        headers["Set-Cookie"] = cookies.map do |cookie|
-          SecureHeaders::Cookie.new(cookie, config).to_s
-        end.join("\n")
-      end
+      cookies_array = cookies.is_a?(Array) ? cookies : cookies.split("\n")
+      secured_cookies = cookies_array.map { |cookie| SecureHeaders::Cookie.new(cookie, config).to_s }
+      headers["Set-Cookie"] = cookies.is_a?(Array) ? secured_cookies : secured_cookies.join("\n")
     end
 
     # disable Secure cookies for non-https requests

data/lib/secure_headers/railtie.rb

@@ -22,9 +22,12 @@ if defined?(Rails::Railtie)
         ActiveSupport.on_load(:action_controller) do
           include SecureHeaders
 
-          unless Rails.application.config.action_dispatch.default_headers.nil?
-            conflicting_headers.each do |header|
-              Rails.application.config.action_dispatch.default_headers.delete(header)
+          default_headers = Rails.application.config.action_dispatch.default_headers
+          unless default_headers.nil?
+            default_headers.each_key do |header|
+              if conflicting_headers.include?(header.downcase)
+                default_headers.delete(header)
+              end
             end
           end
         end

data/lib/secure_headers/task_helper.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module SecureHeaders
+  module TaskHelper
+    include SecureHeaders::HashHelper
+
+    INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx
+    INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx
+    INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
+    INLINE_HASH_STYLE_HELPER_REGEX = /<%=\s?hashed_style_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
+
+    def generate_inline_script_hashes(filename)
+      hashes = []
+
+      hashes.concat find_inline_content(filename, INLINE_SCRIPT_REGEX, false)
+      hashes.concat find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, true)
+
+      hashes
+    end
+
+    def generate_inline_style_hashes(filename)
+      hashes = []
+
+      hashes.concat find_inline_content(filename, INLINE_STYLE_REGEX, false)
+      hashes.concat find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, true)
+
+      hashes
+    end
+
+    def dynamic_content?(filename, inline_script)
+      !!(
+        (is_mustache?(filename) && inline_script =~ /\{\{.*\}\}/) ||
+        (is_erb?(filename) && inline_script =~ /<%.*%>/)
+        )
+    end
+
+    private
+
+    def find_inline_content(filename, regex, strip_trailing_whitespace)
+      hashes = []
+      file = File.read(filename)
+      file.scan(regex) do # TODO don't use gsub
+        inline_script = Regexp.last_match.captures.last
+        inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
+        if dynamic_content?(filename, inline_script)
+          puts "Looks like there's some dynamic content inside of a tag :-/"
+          puts "That pretty much means the hash value will never match."
+          puts "Code: " + inline_script
+          puts "=" * 20
+        end
+
+        hashes << hash_source(inline_script)
+      end
+      hashes
+    end
+
+    def is_erb?(filename)
+      filename =~ /\.erb\Z/
+    end
+
+    def is_mustache?(filename)
+      filename =~ /\.mustache\Z/
+    end
+  end
+end

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "7.1.0"
+  VERSION = "7.2.0"
 end

data/lib/secure_headers.rb

@@ -11,6 +11,7 @@ require "secure_headers/headers/x_permitted_cross_domain_policies"
 require "secure_headers/headers/referrer_policy"
 require "secure_headers/headers/clear_site_data"
 require "secure_headers/headers/expect_certificate_transparency"
+require "secure_headers/headers/reporting_endpoints"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -133,6 +134,7 @@ module SecureHeaders
     # request.
     #
     # StrictTransportSecurity is not applied to http requests.
+    # upgrade_insecure_requests is not applied to http requests.
     # See #config_for to determine which config is used for a given request.
     #
     # Returns a hash of header names => header values. The value
@@ -146,6 +148,11 @@ module SecureHeaders
 
       if request.scheme != HTTPS
         headers.delete(StrictTransportSecurity::HEADER_NAME)
+
+        # Remove upgrade_insecure_requests from CSP headers for HTTP requests
+        # as it doesn't make sense to upgrade requests when the page itself is served over HTTP
+        remove_upgrade_insecure_requests_from_csp!(headers, config.csp)
+        remove_upgrade_insecure_requests_from_csp!(headers, config.csp_report_only)
       end
       headers
     end
@@ -178,7 +185,7 @@ module SecureHeaders
       content_security_policy_nonce(request, ContentSecurityPolicy::STYLE_SRC)
     end
 
-    # Public: Retreives the config for a given header type:
+    # Public: Retrieves the config for a given header type:
     #
     # Checks to see if there is an override for this request, then
     # Checks to see if a named override is used for this request, then
@@ -208,7 +215,7 @@ module SecureHeaders
 
     def config_and_target(request, target)
       config = config_for(request)
-      target = guess_target(config) unless target
+      target ||= guess_target(config)
       raise_on_unknown_target(target)
       [config, target]
     end
@@ -242,6 +249,23 @@ module SecureHeaders
     def override_secure_headers_request_config(request, config)
       request.env[SECURE_HEADERS_CONFIG] = config
     end
+
+    # Private: removes upgrade_insecure_requests directive from a CSP config
+    # if it's present, and updates the headers hash with the modified CSP.
+    #
+    # headers - the headers hash to update
+    # csp_config - the CSP config to check and potentially modify
+    #
+    # Returns nothing (modifies headers in place)
+    def remove_upgrade_insecure_requests_from_csp!(headers, csp_config)
+      return if csp_config.opt_out?
+      return unless csp_config.directive_value(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS)
+
+      modified_config = csp_config.dup
+      modified_config.update_directive(ContentSecurityPolicy::UPGRADE_INSECURE_REQUESTS, false)
+      header_name, value = ContentSecurityPolicy.make_header(modified_config)
+      headers[header_name] = value if header_name && value
+    end
   end
 
   # These methods are mixed into controllers and delegate to the class method

data/lib/tasks/tasks.rake

@@ -1,58 +1,8 @@
 # frozen_string_literal: true
-INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx unless defined? INLINE_SCRIPT_REGEX
-INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx unless defined? INLINE_STYLE_REGEX
-INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx unless defined? INLINE_HASH_SCRIPT_HELPER_REGEX
-INLINE_HASH_STYLE_HELPER_REGEX = /<%=\s?hashed_style_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx unless defined? INLINE_HASH_STYLE_HELPER_REGEX
+require "secure_headers/task_helper"
 
 namespace :secure_headers do
-  include SecureHeaders::HashHelper
-
-  def is_erb?(filename)
-    filename =~ /\.erb\Z/
-  end
-
-  def is_mustache?(filename)
-    filename =~ /\.mustache\Z/
-  end
-
-  def dynamic_content?(filename, inline_script)
-    (is_mustache?(filename) && inline_script =~ /\{\{.*\}\}/) ||
-      (is_erb?(filename) && inline_script =~ /<%.*%>/)
-  end
-
-  def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
-    file = File.read(filename)
-    file.scan(regex) do # TODO don't use gsub
-      inline_script = Regexp.last_match.captures.last
-      inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
-      if dynamic_content?(filename, inline_script)
-        puts "Looks like there's some dynamic content inside of a tag :-/"
-        puts "That pretty much means the hash value will never match."
-        puts "Code: " + inline_script
-        puts "=" * 20
-      end
-
-      hashes << hash_source(inline_script)
-    end
-  end
-
-  def generate_inline_script_hashes(filename)
-    hashes = []
-
-    find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
-    find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
-
-    hashes
-  end
-
-  def generate_inline_style_hashes(filename)
-    hashes = []
-
-    find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
-    find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
-
-    hashes
-  end
+  include SecureHeaders::TaskHelper
 
   desc "Generate #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
   task :generate_hashes do |t, args|
@@ -77,6 +27,7 @@ namespace :secure_headers do
       file.write(script_hashes.to_yaml)
     end
 
-    puts "Script hashes from " + script_hashes.keys.size.to_s + " files added to #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
+    file_count = (script_hashes["scripts"].keys + script_hashes["styles"].keys).uniq.count
+    puts "Script and style hashes from #{file_count} files added to #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
   end
 end

data/secure_headers.gemspec

@@ -29,5 +29,7 @@ Gem::Specification.new do |gem|
 
   gem.extra_rdoc_files = Dir["README.md", "CHANGELOG.md", "LICENSE"]
 
+  gem.add_dependency "cgi", ">= 0.1"
+
   gem.add_development_dependency "rake"
 end

metadata

@@ -1,15 +1,28 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 7.1.0
+  version: 7.2.0
 platform: ruby
 authors:
 - Neil Matatall
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-12-16 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: cgi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -33,9 +46,9 @@ email:
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - CHANGELOG.md
 - LICENSE
+- README.md
 files:
 - CHANGELOG.md
 - Gemfile
@@ -51,6 +64,7 @@ files:
 - lib/secure_headers/headers/expect_certificate_transparency.rb
 - lib/secure_headers/headers/policy_management.rb
 - lib/secure_headers/headers/referrer_policy.rb
+- lib/secure_headers/headers/reporting_endpoints.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
 - lib/secure_headers/headers/x_download_options.rb
@@ -59,6 +73,7 @@ files:
 - lib/secure_headers/headers/x_xss_protection.rb
 - lib/secure_headers/middleware.rb
 - lib/secure_headers/railtie.rb
+- lib/secure_headers/task_helper.rb
 - lib/secure_headers/utils/cookies_config.rb
 - lib/secure_headers/version.rb
 - lib/secure_headers/view_helper.rb
@@ -74,7 +89,6 @@ metadata:
   homepage_uri: https://github.com/github/secure_headers
   source_code_uri: https://github.com/github/secure_headers
   rubygems_mfa_required: 'true'
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -89,8 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Manages application of security headers with many safe defaults.
 test_files: []