secure_headers 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- data/.gitignore +17 -0
- data/.rvmrc +1 -0
- data/.travis.yml +5 -0
- data/Gemfile +13 -0
- data/Guardfile +10 -0
- data/HISTORY.md +22 -0
- data/LICENSE +202 -0
- data/README.md +318 -0
- data/Rakefile +127 -0
- data/app/controllers/content_security_policy_controller.rb +44 -0
- data/config/curl-ca-bundle.crt +5420 -0
- data/config/routes.rb +3 -0
- data/lib/secure_headers.rb +115 -0
- data/lib/secure_headers/headers/content_security_policy.rb +300 -0
- data/lib/secure_headers/headers/strict_transport_security.rb +53 -0
- data/lib/secure_headers/headers/x_content_type_options.rb +40 -0
- data/lib/secure_headers/headers/x_frame_options.rb +40 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +54 -0
- data/lib/secure_headers/railtie.rb +37 -0
- data/lib/secure_headers/version.rb +3 -0
- data/secure-headers.gemspec +23 -0
- data/spec/controllers/content_security_policy_controller_spec.rb +74 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +382 -0
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +66 -0
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +35 -0
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +38 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +41 -0
- data/spec/lib/secure_headers_spec.rb +252 -0
- data/spec/spec_helper.rb +25 -0
- metadata +116 -0
data/.gitignore
ADDED
data/.rvmrc
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
rvm use 1.9.3@secureheaders --create
|
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/Guardfile
ADDED
@@ -0,0 +1,10 @@
|
|
1
|
+
guard 'spork', :rspec_env => { 'RAILS_ENV' => 'test' } do
|
2
|
+
watch('spec/spec_helper.rb') { :rspec }
|
3
|
+
end
|
4
|
+
|
5
|
+
guard 'rspec', :cli => "--color --drb", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
6
|
+
watch(%r{^spec/.+_spec\.rb$})
|
7
|
+
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
8
|
+
watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
|
9
|
+
watch('spec/spec_helper.rb') { "spec" }
|
10
|
+
end
|
data/HISTORY.md
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
0.1.0
|
2
|
+
=======
|
3
|
+
|
4
|
+
Notes:
|
5
|
+
------
|
6
|
+
|
7
|
+
- Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
|
8
|
+
|
9
|
+
Features:
|
10
|
+
------
|
11
|
+
|
12
|
+
- ability to apply two headers, one in enforce mode, on in "experimental" mode https://github.com/twitter/secureheaders/pull/11
|
13
|
+
- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
|
14
|
+
|
15
|
+
Bug fixes, misc:
|
16
|
+
------
|
17
|
+
|
18
|
+
- Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
|
19
|
+
- Better support for other frameworks, including docs from @achui, @bmaland
|
20
|
+
- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
|
21
|
+
- data: automatically whitelisted for img-src
|
22
|
+
- Doc updates from @ming13, @theverything, @dcollazo
|
data/LICENSE
ADDED
@@ -0,0 +1,202 @@
|
|
1
|
+
|
2
|
+
Apache License
|
3
|
+
Version 2.0, January 2004
|
4
|
+
http://www.apache.org/licenses/
|
5
|
+
|
6
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
7
|
+
|
8
|
+
1. Definitions.
|
9
|
+
|
10
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
11
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
12
|
+
|
13
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
14
|
+
the copyright owner that is granting the License.
|
15
|
+
|
16
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
17
|
+
other entities that control, are controlled by, or are under common
|
18
|
+
control with that entity. For the purposes of this definition,
|
19
|
+
"control" means (i) the power, direct or indirect, to cause the
|
20
|
+
direction or management of such entity, whether by contract or
|
21
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
22
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
23
|
+
|
24
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
25
|
+
exercising permissions granted by this License.
|
26
|
+
|
27
|
+
"Source" form shall mean the preferred form for making modifications,
|
28
|
+
including but not limited to software source code, documentation
|
29
|
+
source, and configuration files.
|
30
|
+
|
31
|
+
"Object" form shall mean any form resulting from mechanical
|
32
|
+
transformation or translation of a Source form, including but
|
33
|
+
not limited to compiled object code, generated documentation,
|
34
|
+
and conversions to other media types.
|
35
|
+
|
36
|
+
"Work" shall mean the work of authorship, whether in Source or
|
37
|
+
Object form, made available under the License, as indicated by a
|
38
|
+
copyright notice that is included in or attached to the work
|
39
|
+
(an example is provided in the Appendix below).
|
40
|
+
|
41
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
42
|
+
form, that is based on (or derived from) the Work and for which the
|
43
|
+
editorial revisions, annotations, elaborations, or other modifications
|
44
|
+
represent, as a whole, an original work of authorship. For the purposes
|
45
|
+
of this License, Derivative Works shall not include works that remain
|
46
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
47
|
+
the Work and Derivative Works thereof.
|
48
|
+
|
49
|
+
"Contribution" shall mean any work of authorship, including
|
50
|
+
the original version of the Work and any modifications or additions
|
51
|
+
to that Work or Derivative Works thereof, that is intentionally
|
52
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
53
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
54
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
55
|
+
means any form of electronic, verbal, or written communication sent
|
56
|
+
to the Licensor or its representatives, including but not limited to
|
57
|
+
communication on electronic mailing lists, source code control systems,
|
58
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
59
|
+
Licensor for the purpose of discussing and improving the Work, but
|
60
|
+
excluding communication that is conspicuously marked or otherwise
|
61
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
62
|
+
|
63
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
64
|
+
on behalf of whom a Contribution has been received by Licensor and
|
65
|
+
subsequently incorporated within the Work.
|
66
|
+
|
67
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
68
|
+
this License, each Contributor hereby grants to You a perpetual,
|
69
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
70
|
+
copyright license to reproduce, prepare Derivative Works of,
|
71
|
+
publicly display, publicly perform, sublicense, and distribute the
|
72
|
+
Work and such Derivative Works in Source or Object form.
|
73
|
+
|
74
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
75
|
+
this License, each Contributor hereby grants to You a perpetual,
|
76
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
77
|
+
(except as stated in this section) patent license to make, have made,
|
78
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
79
|
+
where such license applies only to those patent claims licensable
|
80
|
+
by such Contributor that are necessarily infringed by their
|
81
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
82
|
+
with the Work to which such Contribution(s) was submitted. If You
|
83
|
+
institute patent litigation against any entity (including a
|
84
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
85
|
+
or a Contribution incorporated within the Work constitutes direct
|
86
|
+
or contributory patent infringement, then any patent licenses
|
87
|
+
granted to You under this License for that Work shall terminate
|
88
|
+
as of the date such litigation is filed.
|
89
|
+
|
90
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
91
|
+
Work or Derivative Works thereof in any medium, with or without
|
92
|
+
modifications, and in Source or Object form, provided that You
|
93
|
+
meet the following conditions:
|
94
|
+
|
95
|
+
(a) You must give any other recipients of the Work or
|
96
|
+
Derivative Works a copy of this License; and
|
97
|
+
|
98
|
+
(b) You must cause any modified files to carry prominent notices
|
99
|
+
stating that You changed the files; and
|
100
|
+
|
101
|
+
(c) You must retain, in the Source form of any Derivative Works
|
102
|
+
that You distribute, all copyright, patent, trademark, and
|
103
|
+
attribution notices from the Source form of the Work,
|
104
|
+
excluding those notices that do not pertain to any part of
|
105
|
+
the Derivative Works; and
|
106
|
+
|
107
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
108
|
+
distribution, then any Derivative Works that You distribute must
|
109
|
+
include a readable copy of the attribution notices contained
|
110
|
+
within such NOTICE file, excluding those notices that do not
|
111
|
+
pertain to any part of the Derivative Works, in at least one
|
112
|
+
of the following places: within a NOTICE text file distributed
|
113
|
+
as part of the Derivative Works; within the Source form or
|
114
|
+
documentation, if provided along with the Derivative Works; or,
|
115
|
+
within a display generated by the Derivative Works, if and
|
116
|
+
wherever such third-party notices normally appear. The contents
|
117
|
+
of the NOTICE file are for informational purposes only and
|
118
|
+
do not modify the License. You may add Your own attribution
|
119
|
+
notices within Derivative Works that You distribute, alongside
|
120
|
+
or as an addendum to the NOTICE text from the Work, provided
|
121
|
+
that such additional attribution notices cannot be construed
|
122
|
+
as modifying the License.
|
123
|
+
|
124
|
+
You may add Your own copyright statement to Your modifications and
|
125
|
+
may provide additional or different license terms and conditions
|
126
|
+
for use, reproduction, or distribution of Your modifications, or
|
127
|
+
for any such Derivative Works as a whole, provided Your use,
|
128
|
+
reproduction, and distribution of the Work otherwise complies with
|
129
|
+
the conditions stated in this License.
|
130
|
+
|
131
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
132
|
+
any Contribution intentionally submitted for inclusion in the Work
|
133
|
+
by You to the Licensor shall be under the terms and conditions of
|
134
|
+
this License, without any additional terms or conditions.
|
135
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
136
|
+
the terms of any separate license agreement you may have executed
|
137
|
+
with Licensor regarding such Contributions.
|
138
|
+
|
139
|
+
6. Trademarks. This License does not grant permission to use the trade
|
140
|
+
names, trademarks, service marks, or product names of the Licensor,
|
141
|
+
except as required for reasonable and customary use in describing the
|
142
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
143
|
+
|
144
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
145
|
+
agreed to in writing, Licensor provides the Work (and each
|
146
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
147
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
148
|
+
implied, including, without limitation, any warranties or conditions
|
149
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
150
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
151
|
+
appropriateness of using or redistributing the Work and assume any
|
152
|
+
risks associated with Your exercise of permissions under this License.
|
153
|
+
|
154
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
155
|
+
whether in tort (including negligence), contract, or otherwise,
|
156
|
+
unless required by applicable law (such as deliberate and grossly
|
157
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
158
|
+
liable to You for damages, including any direct, indirect, special,
|
159
|
+
incidental, or consequential damages of any character arising as a
|
160
|
+
result of this License or out of the use or inability to use the
|
161
|
+
Work (including but not limited to damages for loss of goodwill,
|
162
|
+
work stoppage, computer failure or malfunction, or any and all
|
163
|
+
other commercial damages or losses), even if such Contributor
|
164
|
+
has been advised of the possibility of such damages.
|
165
|
+
|
166
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
167
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
168
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
169
|
+
or other liability obligations and/or rights consistent with this
|
170
|
+
License. However, in accepting such obligations, You may act only
|
171
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
172
|
+
of any other Contributor, and only if You agree to indemnify,
|
173
|
+
defend, and hold each Contributor harmless for any liability
|
174
|
+
incurred by, or claims asserted against, such Contributor by reason
|
175
|
+
of your accepting any such warranty or additional liability.
|
176
|
+
|
177
|
+
END OF TERMS AND CONDITIONS
|
178
|
+
|
179
|
+
APPENDIX: How to apply the Apache License to your work.
|
180
|
+
|
181
|
+
To apply the Apache License to your work, attach the following
|
182
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
183
|
+
replaced with your own identifying information. (Don't include
|
184
|
+
the brackets!) The text should be enclosed in the appropriate
|
185
|
+
comment syntax for the file format. We also recommend that a
|
186
|
+
file or class name and description of purpose be included on the
|
187
|
+
same "printed page" as the copyright notice for easier
|
188
|
+
identification within third-party archives.
|
189
|
+
|
190
|
+
Copyright 2011 Julio Capote, Christopher Burnett
|
191
|
+
|
192
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
193
|
+
you may not use this file except in compliance with the License.
|
194
|
+
You may obtain a copy of the License at
|
195
|
+
|
196
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
197
|
+
|
198
|
+
Unless required by applicable law or agreed to in writing, software
|
199
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
200
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
201
|
+
See the License for the specific language governing permissions and
|
202
|
+
limitations under the License.
|
data/README.md
ADDED
@@ -0,0 +1,318 @@
|
|
1
|
+
# SecureHeaders [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/twitter/secureheaders)
|
2
|
+
|
3
|
+
The gem will automatically apply several headers that are related to security. This includes:
|
4
|
+
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
|
5
|
+
- HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
|
6
|
+
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00)
|
7
|
+
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
|
8
|
+
- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
|
9
|
+
|
10
|
+
This gem has integration with Rails, but works for any Ruby code. See the sinatra example section.
|
11
|
+
|
12
|
+
## Installation
|
13
|
+
|
14
|
+
Add to your Gemfile
|
15
|
+
|
16
|
+
```ruby
|
17
|
+
gem 'secure_headers'
|
18
|
+
```
|
19
|
+
|
20
|
+
And then execute:
|
21
|
+
|
22
|
+
```console
|
23
|
+
$ bundle
|
24
|
+
```
|
25
|
+
|
26
|
+
Or install it yourself as:
|
27
|
+
|
28
|
+
```console
|
29
|
+
$ gem install secure_headers
|
30
|
+
```
|
31
|
+
|
32
|
+
## Usage
|
33
|
+
|
34
|
+
Functionality provided
|
35
|
+
|
36
|
+
- `ensure_security_headers`: will set security-related headers automatically based on the configuration below.
|
37
|
+
|
38
|
+
By default, it will set all of the headers listed in the options section below unless specified.
|
39
|
+
|
40
|
+
### Automagic
|
41
|
+
|
42
|
+
This gem makes a few assumptions about how you will use some features. For example:
|
43
|
+
|
44
|
+
* It adds 'chrome-extension:' to your CSP directives by default. This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
|
45
|
+
* It fills any blank directives with the value in :default_src Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
|
46
|
+
* It copies the connect\-src value to xhr\-src for AJAX requests.
|
47
|
+
* Mozilla does not support cross\-origin CSP reports. If we are using Mozilla, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`). This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Mozilla handling of CSP" section.
|
48
|
+
|
49
|
+
|
50
|
+
## Configuration
|
51
|
+
|
52
|
+
**Place the following in an initializer (recommended):**
|
53
|
+
|
54
|
+
```ruby
|
55
|
+
::SecureHeaders::Configuration.configure do |config|
|
56
|
+
config.hsts = {:max_age => 99, :include_subdomains => true}
|
57
|
+
config.x_frame_options = 'DENY'
|
58
|
+
config.x_content_type_options = "nosniff"
|
59
|
+
config.x_xss_protection = {:value => '1', :mode => false}
|
60
|
+
config.csp = {
|
61
|
+
:default_src => "https://* inline eval",
|
62
|
+
# ALWAYS supply a full URL for report URIs
|
63
|
+
:report_uri => 'https://example.com/uri-directive',
|
64
|
+
:img_src => "https://* data:",
|
65
|
+
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
|
66
|
+
}
|
67
|
+
end
|
68
|
+
|
69
|
+
# and then simply include
|
70
|
+
ensure_security_headers
|
71
|
+
```
|
72
|
+
|
73
|
+
Or simply add it to application controller (not recommended, currently a bug)
|
74
|
+
|
75
|
+
```ruby
|
76
|
+
ensure_security_headers
|
77
|
+
:hsts => {:include_subdomains, :x_frame_options => false},
|
78
|
+
:x_frame_options => 'DENY',
|
79
|
+
:csp => false
|
80
|
+
```
|
81
|
+
|
82
|
+
## Options for ensure\_security\_headers
|
83
|
+
|
84
|
+
**To disable any of these headers, supply a value of false (e.g. :hsts => false), supplying nil will set the default value**
|
85
|
+
|
86
|
+
Each header configuration can take a hash, or a string, or both. If a string
|
87
|
+
is provided, that value is inserted verbatim. If a hash is supplied, a
|
88
|
+
header will be constructed using the supplied options.
|
89
|
+
|
90
|
+
### Widely supported
|
91
|
+
|
92
|
+
```ruby
|
93
|
+
:hsts => {:max_age => 631138519, :include_subdomain => true}
|
94
|
+
:x_frame_options => {:value => 'SAMEORIGIN'}
|
95
|
+
:x_xss_protection => {:value => '1', :mode => false} # set the :mode option to 'block' to enforce the browser's xss filter
|
96
|
+
```
|
97
|
+
|
98
|
+
### Content Security Policy (CSP)
|
99
|
+
|
100
|
+
All browsers will receive the webkit csp header except Mozilla, which gets its own header.
|
101
|
+
See [WebKit specification](http://www.w3.org/TR/CSP/)
|
102
|
+
and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification)
|
103
|
+
|
104
|
+
```ruby
|
105
|
+
:csp => {
|
106
|
+
:enforce => false, # sets header to report-only, by default
|
107
|
+
# default_src is required!
|
108
|
+
:default_src => nil, # sets the default-src/allow+options directives
|
109
|
+
|
110
|
+
# Where reports are sent. Use full URLs.
|
111
|
+
:report_uri => 'https://mylogaggregator.example.com',
|
112
|
+
|
113
|
+
# Send reports that cannot be sent across host here. These requests are sent
|
114
|
+
# the server, not the browser. If no value is supplied, it will default to
|
115
|
+
# the value in report_uri.
|
116
|
+
:forward_endpoint => 'https://internal.mylogaggregator.example.com'
|
117
|
+
|
118
|
+
# these directives all take 'none', 'self', or a globbed pattern
|
119
|
+
:img_src => nil,
|
120
|
+
:frame_src => nil,
|
121
|
+
:connect_src => nil,
|
122
|
+
:font_src => nil,
|
123
|
+
:media_src => nil,
|
124
|
+
:object_src => nil,
|
125
|
+
:style_src => nil,
|
126
|
+
:script_src => nil,
|
127
|
+
|
128
|
+
# http additions will be appended to the various directives when
|
129
|
+
# over http, relaxing the policy
|
130
|
+
# e.g.
|
131
|
+
# :csp => {
|
132
|
+
# :img_src => 'https://*',
|
133
|
+
# :http_additions => {:img_src => 'http//*'}
|
134
|
+
# }
|
135
|
+
# would produce the directive: "img-src https://* http://*;"
|
136
|
+
# when over http, ignored for https requests
|
137
|
+
:http_additions => {}
|
138
|
+
|
139
|
+
# If you have enforce => true, you can use the `experiments` block to
|
140
|
+
# also produce a report-only header. Values in this block override the
|
141
|
+
# parent config for the report-only, and leave the enforcing header
|
142
|
+
# unaltered. http_additions work the same way described above, but
|
143
|
+
# are added to your report-only header as expected.
|
144
|
+
:experimental => {
|
145
|
+
:script_src => 'self',
|
146
|
+
:img_src => 'https://mycdn.example.com',
|
147
|
+
:http_additions {
|
148
|
+
:img_src => 'http://mycdn.example.com'
|
149
|
+
}
|
150
|
+
}
|
151
|
+
}
|
152
|
+
```
|
153
|
+
|
154
|
+
### Only applied to IE
|
155
|
+
|
156
|
+
```ruby
|
157
|
+
:x_content_type_options => {:value => 'nosniff'}
|
158
|
+
```
|
159
|
+
|
160
|
+
### Example CSP header config
|
161
|
+
|
162
|
+
**Configure the CSP header as if it were the webkit-style header, no need to supply 'options' or 'allow' directives.**
|
163
|
+
|
164
|
+
```ruby
|
165
|
+
# most basic example
|
166
|
+
:csp => {
|
167
|
+
:default_src => "https://* inline eval",
|
168
|
+
:report_uri => '/uri-directive'
|
169
|
+
}
|
170
|
+
# Chrome
|
171
|
+
> "default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:; report-uri /uri-directive;"
|
172
|
+
# Mozilla
|
173
|
+
> "options inline-script eval-script; allow https://*; report-uri /uri-directive;"
|
174
|
+
|
175
|
+
# turn off inline scripting/eval
|
176
|
+
:csp => {
|
177
|
+
:default_src => 'https://*',
|
178
|
+
:report_uri => '/uri-directive'
|
179
|
+
}
|
180
|
+
# Chrome
|
181
|
+
> "default-src https://*; report-uri /uri-directive;"
|
182
|
+
# Mozilla
|
183
|
+
> "allow https://*; report-uri /uri-directive;"
|
184
|
+
|
185
|
+
# Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
|
186
|
+
:csp => {
|
187
|
+
:default_src => 'self',
|
188
|
+
:img_src => '*',
|
189
|
+
:object_src => ['media1.com', 'media2.com', '*.cdn.com'],
|
190
|
+
# alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
|
191
|
+
:script_src => 'trustedscripts.example.com'
|
192
|
+
}
|
193
|
+
# Chrome
|
194
|
+
"default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
|
195
|
+
# Mozilla
|
196
|
+
"allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
|
197
|
+
```
|
198
|
+
|
199
|
+
## Note on Mozilla handling of CSP
|
200
|
+
|
201
|
+
Currently, Mozilla does not support the w3c draft standard. So there are a few steps taken to make the two interchangeable.
|
202
|
+
|
203
|
+
Mozilla > 18 partially supports the standard via using the default\-src directive over allow/options, but the following inconsistencies remain.
|
204
|
+
|
205
|
+
* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Mozilla \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
|
206
|
+
* CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
|
207
|
+
* Mozilla adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this.
|
208
|
+
|
209
|
+
### Adding the Mozilla report forwarding endpoint
|
210
|
+
|
211
|
+
**You need to add the following line to the TOP of confib/routes.rb**
|
212
|
+
**This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!**
|
213
|
+
|
214
|
+
#### Rails 2
|
215
|
+
|
216
|
+
```ruby
|
217
|
+
map.csp_endpoint
|
218
|
+
```
|
219
|
+
|
220
|
+
#### Rails 3
|
221
|
+
|
222
|
+
If the csp reporting endpoint is clobbered by another route, add:
|
223
|
+
|
224
|
+
```ruby
|
225
|
+
post SecureHeaders::ContentSecurityPolicy::FF_CSP_ENDPOINT => "content_security_policy#scribe"
|
226
|
+
```
|
227
|
+
### Using with Sinatra
|
228
|
+
|
229
|
+
Here's an example using SecureHeaders for Sinatra applications:
|
230
|
+
|
231
|
+
```ruby
|
232
|
+
require 'rubygems'
|
233
|
+
require 'sinatra'
|
234
|
+
require 'haml'
|
235
|
+
require 'secure_headers'
|
236
|
+
|
237
|
+
::SecureHeaders::Configuration.configure do |config|
|
238
|
+
config.hsts = {:max_age => 99, :include_subdomains => true}
|
239
|
+
config.x_frame_options = 'DENY'
|
240
|
+
config.x_content_type_options = "nosniff"
|
241
|
+
config.x_xss_protection = {:value => '1', :mode => false}
|
242
|
+
config.csp = {
|
243
|
+
:default_src => "https://* inline eval",
|
244
|
+
# ALWAYS supply a full URL for report URIs
|
245
|
+
:report_uri => 'https://example.com/uri-directive',
|
246
|
+
:img_src => "https://* data:",
|
247
|
+
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
|
248
|
+
}
|
249
|
+
end
|
250
|
+
|
251
|
+
class Donkey < Sinatra::Application
|
252
|
+
include SecureHeaders
|
253
|
+
set :root, APP_ROOT
|
254
|
+
|
255
|
+
get '/' do
|
256
|
+
set_csp_header(request, nil)
|
257
|
+
haml :index
|
258
|
+
end
|
259
|
+
end
|
260
|
+
```
|
261
|
+
|
262
|
+
### Using with Padrino
|
263
|
+
|
264
|
+
You can use SecureHeaders for Padrino applications as well:
|
265
|
+
|
266
|
+
In your `Gemfile`:
|
267
|
+
|
268
|
+
```ruby
|
269
|
+
gem "secure_headers", :require => 'secure_headers'
|
270
|
+
```
|
271
|
+
|
272
|
+
then in your `app.rb` file you can:
|
273
|
+
|
274
|
+
```ruby
|
275
|
+
module Web
|
276
|
+
class App < Padrino::Application
|
277
|
+
include SecureHeaders
|
278
|
+
|
279
|
+
::SecureHeaders::Configuration.configure do |config|
|
280
|
+
config.hsts = {:max_age => 99, :include_subdomains => true}
|
281
|
+
config.x_frame_options = 'DENY'
|
282
|
+
config.x_content_type_options = "nosniff"
|
283
|
+
config.x_xss_protection = {:value => '1', :mode => false}
|
284
|
+
config.csp = {
|
285
|
+
:default_src => "https://* inline eval",
|
286
|
+
# ALWAYS supply a full URL for report URIs
|
287
|
+
:report_uri => 'https://example.com/uri-directive',
|
288
|
+
:img_src => "https://* data:",
|
289
|
+
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
|
290
|
+
}
|
291
|
+
end
|
292
|
+
|
293
|
+
get '/' do
|
294
|
+
set_csp_header(request, nil)
|
295
|
+
render 'index'
|
296
|
+
end
|
297
|
+
end
|
298
|
+
end
|
299
|
+
```
|
300
|
+
|
301
|
+
|
302
|
+
## Authors
|
303
|
+
|
304
|
+
* Neil Matatall [@ndm](https://twitter.com/ndm) - primary author.
|
305
|
+
* Nicholas Green [@nickgreen](https://twitter.com/nickgreen) - code contributions, main reviewer.
|
306
|
+
|
307
|
+
## Acknowledgements
|
308
|
+
|
309
|
+
* Justin Collins [@presidentbeef](https://twitter.com/presidentbeef) & Jim O'Leary [@jimio](https://twitter.com/jimio) for reviews.
|
310
|
+
* Ian Melven [@imelven](https://twitter.com/imelven) - Discussions/info about CSP in general, made us aware of the [userCSP](https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/) Mozilla extension.
|
311
|
+
* Sumit Shah [@omnidactyl](https://twitter.com/omnidactyl) - For being an eager guinea pig.
|
312
|
+
* Chris Aniszczyk [@cra](https://twitter.com/cra) - For running an awesome open source program at Twitter.
|
313
|
+
|
314
|
+
## License
|
315
|
+
|
316
|
+
Copyright 2013 Twitter, Inc.
|
317
|
+
|
318
|
+
Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
|