secure_headers 0.1.0

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rvmrc

@@ -0,0 +1 @@
+rvm use 1.9.3@secureheaders --create

data/.travis.yml

@@ -0,0 +1,5 @@
+rvm:
+  - "1.9.3"
+  - jruby-19mode
+  - jruby-18mode
+  - "1.8.7"

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :test do
+  gem 'guard-spork'
+  gem 'guard-rspec'
+  gem 'growl'
+  gem 'rb-fsevent'
+  gem 'simplecov'
+  gem 'debugger', :platform => :ruby_19
+  gem 'ruby-debug', :platform => :ruby_18
+end

data/Guardfile

@@ -0,0 +1,10 @@
+guard 'spork', :rspec_env => { 'RAILS_ENV' => 'test' } do
+  watch('spec/spec_helper.rb') { :rspec }
+end
+
+guard 'rspec', :cli => "--color --drb", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch(%r{^app/controllers/(.+)\.rb$})     { |m| "spec/controllers/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end

data/HISTORY.md

@@ -0,0 +1,22 @@
+0.1.0
+=======
+
+Notes:
+------
+
+- Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
+
+Features:
+------
+
+- ability to apply two headers, one in enforce mode, on in "experimental" mode https://github.com/twitter/secureheaders/pull/11
+- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
+
+Bug fixes, misc:
+------
+
+- Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
+- Better support for other frameworks, including docs from @achui, @bmaland
+- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
+- data: automatically whitelisted for img-src
+- Doc updates from @ming13, @theverything, @dcollazo

data/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2011 Julio Capote, Christopher Burnett
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,318 @@
+# SecureHeaders [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/twitter/secureheaders)
+
+The gem will automatically apply several headers that are related to security.  This includes:
+- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
+- HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks.  [HSTS Specification](https://tools.ietf.org/html/rfc6797)
+- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00)
+- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
+- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
+
+This gem has integration with Rails, but works for any Ruby code. See the sinatra example section.
+
+## Installation
+
+Add to your Gemfile
+
+```ruby
+gem 'secure_headers'
+```
+
+And then execute:
+
+```console
+$ bundle
+```
+
+Or install it yourself as:
+
+```console
+$ gem install secure_headers
+```
+
+## Usage
+
+Functionality provided
+
+- `ensure_security_headers`: will set security-related headers automatically based on the configuration below.
+
+By default, it will set all of the headers listed in the options section below unless specified.
+
+### Automagic
+
+This gem makes a few assumptions about how you will use some features.  For example:
+
+* It adds 'chrome-extension:' to your CSP directives by default.  This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
+* It fills any blank directives with the value in :default_src  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
+* It copies the connect\-src value to xhr\-src for AJAX requests.
+* Mozilla does not support cross\-origin CSP reports.  If we are using Mozilla, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Mozilla handling of CSP" section.
+
+
+## Configuration
+
+**Place the following in an initializer (recommended):**
+
+```ruby
+::SecureHeaders::Configuration.configure do |config|
+  config.hsts = {:max_age => 99, :include_subdomains => true}
+  config.x_frame_options = 'DENY'
+  config.x_content_type_options = "nosniff"
+  config.x_xss_protection = {:value => '1', :mode => false}
+  config.csp = {
+    :default_src => "https://* inline eval",
+    # ALWAYS supply a full URL for report URIs
+    :report_uri => 'https://example.com/uri-directive',
+    :img_src => "https://* data:",
+    :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
+  }
+end
+
+# and then simply include
+ensure_security_headers
+```
+
+Or simply add it to application controller (not recommended, currently a bug)
+
+```ruby
+ensure_security_headers
+  :hsts => {:include_subdomains, :x_frame_options => false},
+  :x_frame_options => 'DENY',
+  :csp => false
+```
+
+## Options for ensure\_security\_headers
+
+**To disable any of these headers, supply a value of false (e.g. :hsts => false), supplying nil will set the default value**
+
+Each header configuration can take a hash, or a string, or both. If a string
+is provided, that value is inserted verbatim.  If a hash is supplied, a
+header will be constructed using the supplied options.
+
+### Widely supported
+
+```ruby
+:hsts             => {:max_age => 631138519, :include_subdomain => true}
+:x_frame_options  => {:value => 'SAMEORIGIN'}
+:x_xss_protection => {:value => '1', :mode => false}  # set the :mode option to 'block' to enforce the browser's xss filter
+```
+
+### Content Security Policy (CSP)
+
+All browsers will receive the webkit csp header except Mozilla, which gets its own header.
+See [WebKit specification](http://www.w3.org/TR/CSP/)
+and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification)
+
+```ruby
+:csp => {
+  :enforce     => false,        # sets header to report-only, by default
+  # default_src is required!
+  :default_src     => nil,      # sets the default-src/allow+options directives
+
+  # Where reports are sent. Use full URLs.
+  :report_uri  => 'https://mylogaggregator.example.com',
+
+  # Send reports that cannot be sent across host here. These requests are sent
+  # the server, not the browser. If no value is supplied, it will default to
+  # the value in report_uri.
+  :forward_endpoint => 'https://internal.mylogaggregator.example.com'
+
+  # these directives all take 'none', 'self', or a globbed pattern
+  :img_src     => nil,
+  :frame_src   => nil,
+  :connect_src => nil,
+  :font_src    => nil,
+  :media_src   => nil,
+  :object_src  => nil,
+  :style_src   => nil,
+  :script_src  => nil,
+
+  # http additions will be appended to the various directives when
+  # over http, relaxing the policy
+  # e.g.
+  # :csp => {
+  #   :img_src => 'https://*',
+  #   :http_additions => {:img_src => 'http//*'}
+  # }
+  # would produce the directive: "img-src https://* http://*;"
+  # when over http, ignored for https requests
+  :http_additions => {}
+
+  # If you have enforce => true, you can use the `experiments` block to
+  # also produce a report-only header. Values in this block override the
+  # parent config for the report-only, and leave the enforcing header
+  # unaltered. http_additions work the same way described above, but
+  # are added to your report-only header as expected.
+  :experimental => {
+    :script_src => 'self',
+    :img_src => 'https://mycdn.example.com',
+    :http_additions {
+      :img_src => 'http://mycdn.example.com'
+    }
+  }
+}
+```
+
+### Only applied to IE
+
+```ruby
+:x_content_type_options => {:value => 'nosniff'}
+```
+
+### Example CSP header config
+
+**Configure the CSP header as if it were the webkit-style header, no need to supply 'options' or 'allow' directives.**
+
+```ruby
+# most basic example
+:csp => {
+  :default_src => "https://* inline eval",
+  :report_uri => '/uri-directive'
+}
+# Chrome
+> "default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:; report-uri /uri-directive;"
+# Mozilla
+> "options inline-script eval-script; allow https://*; report-uri /uri-directive;"
+
+# turn off inline scripting/eval
+:csp => {
+  :default_src => 'https://*',
+  :report_uri => '/uri-directive'
+}
+# Chrome
+> "default-src  https://*; report-uri /uri-directive;"
+# Mozilla
+> "allow https://*; report-uri /uri-directive;"
+
+# Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
+:csp => {
+  :default_src => 'self',
+  :img_src => '*',
+  :object_src => ['media1.com', 'media2.com', '*.cdn.com'],
+  # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
+  :script_src => 'trustedscripts.example.com'
+}
+# Chrome
+"default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
+# Mozilla
+"allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
+```
+
+## Note on Mozilla handling of CSP
+
+Currently, Mozilla does not support the w3c draft standard.  So there are a few steps taken to make the two interchangeable.
+
+Mozilla > 18 partially supports the standard via using the default\-src directive over allow/options, but the following inconsistencies remain.
+
+* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Mozilla \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
+* CSP reports will not POST cross\-origin.  This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
+* Mozilla adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this.
+
+### Adding the Mozilla report forwarding endpoint
+
+**You need to add the following line to the TOP of confib/routes.rb**
+**This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!**
+
+#### Rails 2
+
+```ruby
+map.csp_endpoint
+```
+
+#### Rails 3
+
+If the csp reporting endpoint is clobbered by another route, add:
+
+```ruby
+post SecureHeaders::ContentSecurityPolicy::FF_CSP_ENDPOINT => "content_security_policy#scribe"
+```
+### Using with Sinatra
+
+Here's an example using SecureHeaders for Sinatra applications:
+
+```ruby
+require 'rubygems'
+require 'sinatra'
+require 'haml'
+require 'secure_headers'
+
+::SecureHeaders::Configuration.configure do |config|
+  config.hsts = {:max_age => 99, :include_subdomains => true}
+  config.x_frame_options = 'DENY'
+  config.x_content_type_options = "nosniff"
+  config.x_xss_protection = {:value => '1', :mode => false}
+  config.csp = {
+    :default_src => "https://* inline eval",
+    # ALWAYS supply a full URL for report URIs
+    :report_uri => 'https://example.com/uri-directive',
+    :img_src => "https://* data:",
+    :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
+  }
+end
+
+class Donkey < Sinatra::Application
+  include SecureHeaders
+  set :root, APP_ROOT
+
+  get '/' do
+    set_csp_header(request, nil)
+    haml :index
+  end
+end
+```
+
+### Using with Padrino
+
+You can use SecureHeaders for Padrino applications as well:
+
+In your `Gemfile`:
+
+```ruby
+  gem "secure_headers", :require => 'secure_headers'
+```
+
+then in your `app.rb` file you can:
+
+```ruby
+module Web
+  class App < Padrino::Application
+    include SecureHeaders
+
+    ::SecureHeaders::Configuration.configure do |config|
+      config.hsts                   = {:max_age => 99, :include_subdomains => true}
+      config.x_frame_options        = 'DENY'
+      config.x_content_type_options = "nosniff"
+      config.x_xss_protection       = {:value   => '1', :mode => false}
+      config.csp                    = {
+        :default_src => "https://* inline eval",
+        # ALWAYS supply a full URL for report URIs
+        :report_uri => 'https://example.com/uri-directive',
+        :img_src => "https://* data:",
+        :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
+      }
+    end
+
+    get '/' do
+      set_csp_header(request, nil)
+      render 'index'
+    end
+  end
+end
+```
+
+
+## Authors
+
+* Neil Matatall [@ndm](https://twitter.com/ndm) - primary author.
+* Nicholas Green [@nickgreen](https://twitter.com/nickgreen) - code contributions, main reviewer.
+
+## Acknowledgements
+
+* Justin Collins [@presidentbeef](https://twitter.com/presidentbeef) & Jim O'Leary [@jimio](https://twitter.com/jimio) for reviews.
+* Ian Melven [@imelven](https://twitter.com/imelven) - Discussions/info about CSP in general, made us aware of the [userCSP](https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/) Mozilla extension.
+* Sumit Shah [@omnidactyl](https://twitter.com/omnidactyl) - For being an eager guinea pig.
+* Chris Aniszczyk [@cra](https://twitter.com/cra) - For running an awesome open source program at Twitter.
+
+## License
+
+Copyright 2013 Twitter, Inc.
+
+Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0