secure_headers 0.4.3 → 0.5.0
- data/HISTORY.md +5 -0
- data/README.md +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -2
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +11 -6
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +12 -7
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +11 -6
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +11 -6
- data/lib/secure_headers.rb +1 -2
- data/lib/secure_headers/headers/x_frame_options.rb +3 -3
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -2
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -26
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +1 -1
- data/spec/lib/secure_headers_spec.rb +52 -36
- metadata +3 -3
data/HISTORY.md
CHANGED
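--- a/data/README.md
+++ b/data/README.md
@@ -3,7 +3,7 @@
 The gem will automatically apply several headers that are related to security. This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
-- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-
+- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
 - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
 
@@ -101,7 +101,7 @@ header will be constructed using the supplied options.
 ### Widely supported
 
 ```ruby
-:hsts => {:max_age => 631138519, :
+:hsts => {:max_age => 631138519, :include_subdomains => true}
 :x_frame_options => {:value => 'SAMEORIGIN'}
 :x_xss_protection => {:value => 1, :mode => false} # set the :mode option to 'block' to enforce the browser's xss filter
 ```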
@@ -2,7 +2,7 @@
|
|
2
2
|
config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
|
3
3
|
config.x_frame_options = 'SAMEORIGIN'
|
4
4
|
config.x_content_type_options = "nosniff"
|
5
|
-
config.x_xss_protection = {:value => 1, :mode => '
|
5
|
+
config.x_xss_protection = {:value => 1, :mode => 'block'}
|
6
6
|
csp = {
|
7
7
|
:default_src => "self",
|
8
8
|
:disable_chrome_extension => true,
|
@@ -12,4 +12,4 @@
|
|
12
12
|
}
|
13
13
|
|
14
14
|
config.csp = csp
|
15
|
-
end
|
15
|
+
end
|
@@ -7,14 +7,14 @@ describe OtherThingsController do
|
|
7
7
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
8
8
|
end
|
9
9
|
|
10
|
-
it "sets the X-XSS-
|
10
|
+
it "sets the X-XSS-Protection header" do
|
11
11
|
get :index
|
12
|
-
response.headers['X-XSS-Protection'].should == '1; mode=
|
12
|
+
response.headers['X-XSS-Protection'].should == '1; mode=block'
|
13
13
|
end
|
14
14
|
|
15
|
-
it "sets the X-
|
15
|
+
it "sets the X-Frame-Options header" do
|
16
16
|
get :index
|
17
|
-
response.headers['X-
|
17
|
+
response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
|
18
18
|
end
|
19
19
|
|
20
20
|
it "sets the X-WebKit-CSP header" do
|
@@ -23,14 +23,19 @@ describe OtherThingsController do
|
|
23
23
|
end
|
24
24
|
|
25
25
|
#mock ssl
|
26
|
-
it "sets the
|
26
|
+
it "sets the Strict-Transport-Security header" do
|
27
27
|
request.env['HTTPS'] = 'on'
|
28
28
|
get :index
|
29
29
|
response.headers['Strict-Transport-Security'].should == "max-age=315576000"
|
30
30
|
end
|
31
31
|
|
32
|
+
it "sets the X-Content-Type-Options header" do
|
33
|
+
get :index
|
34
|
+
response.headers['X-Content-Type-Options'].should == "nosniff"
|
35
|
+
end
|
36
|
+
|
32
37
|
context "using IE" do
|
33
|
-
it "sets the X-
|
38
|
+
it "sets the X-Content-Type-Options header" do
|
34
39
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
35
40
|
get :index
|
36
41
|
response.headers['X-Content-Type-Options'].should == "nosniff"
|
@@ -11,14 +11,14 @@ describe ThingsController do
|
|
11
11
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
12
12
|
end
|
13
13
|
|
14
|
-
it "sets the X-XSS-
|
14
|
+
it "sets the X-XSS-Protection header" do
|
15
15
|
get :index
|
16
|
-
response.headers['X-XSS-Protection'].should == '1; mode=
|
16
|
+
response.headers['X-XSS-Protection'].should == '1; mode=block'
|
17
17
|
end
|
18
18
|
|
19
|
-
it "sets the X-
|
19
|
+
it "sets the X-Frame-Options header" do
|
20
20
|
get :index
|
21
|
-
response.headers['X-
|
21
|
+
response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
|
22
22
|
end
|
23
23
|
|
24
24
|
it "sets the X-WebKit-CSP header" do
|
@@ -27,14 +27,19 @@ describe ThingsController do
|
|
27
27
|
end
|
28
28
|
|
29
29
|
#mock ssl
|
30
|
-
it "sets the
|
30
|
+
it "sets the Strict-Transport-Security header" do
|
31
31
|
request.env['HTTPS'] = 'on'
|
32
32
|
get :index
|
33
33
|
response.headers['Strict-Transport-Security'].should == "max-age=315576000"
|
34
34
|
end
|
35
35
|
|
36
|
+
it "sets the X-Content-Type-Options header" do
|
37
|
+
get :index
|
38
|
+
response.headers['X-Content-Type-Options'].should == "nosniff"
|
39
|
+
end
|
40
|
+
|
36
41
|
context "using IE" do
|
37
|
-
it "sets the X-
|
42
|
+
it "sets the X-Content-Type-Options header" do
|
38
43
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
39
44
|
get :index
|
40
45
|
response.headers['X-Content-Type-Options'].should == "nosniff"
|
@@ -44,4 +49,4 @@ describe ThingsController do
|
|
44
49
|
end
|
45
50
|
|
46
51
|
|
47
|
-
# response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
|
52
|
+
# response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
|
@@ -7,14 +7,14 @@ describe OtherThingsController do
|
|
7
7
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
8
8
|
end
|
9
9
|
|
10
|
-
it "sets the X-XSS-
|
10
|
+
it "sets the X-XSS-Protection header" do
|
11
11
|
get :index
|
12
12
|
response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
|
13
13
|
end
|
14
14
|
|
15
|
-
it "sets the X-
|
15
|
+
it "sets the X-Frame-Options header" do
|
16
16
|
get :index
|
17
|
-
response.headers['X-
|
17
|
+
response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
|
18
18
|
end
|
19
19
|
|
20
20
|
it "sets the X-WebKit-CSP header" do
|
@@ -23,17 +23,22 @@ describe OtherThingsController do
|
|
23
23
|
end
|
24
24
|
|
25
25
|
#mock ssl
|
26
|
-
it "sets the
|
26
|
+
it "sets the Strict-Transport-Security header" do
|
27
27
|
request.env['HTTPS'] = 'on'
|
28
28
|
get :index
|
29
29
|
response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
|
30
30
|
end
|
31
31
|
|
32
|
+
it "sets the X-Content-Type-Options header" do
|
33
|
+
get :index
|
34
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
35
|
+
end
|
36
|
+
|
32
37
|
context "using IE" do
|
33
|
-
it "sets the X-
|
38
|
+
it "sets the X-Content-Type-Options header" do
|
34
39
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
35
40
|
get :index
|
36
|
-
response.headers['X-Content-Type-Options'].should ==
|
41
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
37
42
|
end
|
38
43
|
end
|
39
44
|
end
|
@@ -11,14 +11,14 @@ describe ThingsController do
|
|
11
11
|
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
12
12
|
end
|
13
13
|
|
14
|
-
it "sets the X-XSS-
|
14
|
+
it "sets the X-XSS-Protection header" do
|
15
15
|
get :index
|
16
16
|
response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
|
17
17
|
end
|
18
18
|
|
19
|
-
it "sets the X-
|
19
|
+
it "sets the X-Frame-Options header" do
|
20
20
|
get :index
|
21
|
-
response.headers['X-
|
21
|
+
response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
|
22
22
|
end
|
23
23
|
|
24
24
|
it "sets the X-WebKit-CSP header" do
|
@@ -27,17 +27,22 @@ describe ThingsController do
|
|
27
27
|
end
|
28
28
|
|
29
29
|
#mock ssl
|
30
|
-
it "sets the
|
30
|
+
it "sets the Strict-Transport-Security header" do
|
31
31
|
request.env['HTTPS'] = 'on'
|
32
32
|
get :index
|
33
33
|
response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
|
34
34
|
end
|
35
35
|
|
36
|
+
it "sets the X-Content-Type-Options header" do
|
37
|
+
get :index
|
38
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
39
|
+
end
|
40
|
+
|
36
41
|
context "using IE" do
|
37
|
-
it "sets the X-
|
42
|
+
it "sets the X-Content-Type-Options header" do
|
38
43
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
39
44
|
get :index
|
40
|
-
response.headers['X-Content-Type-Options'].should ==
|
45
|
+
response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
|
41
46
|
end
|
42
47
|
end
|
43
48
|
end
|
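--- a/data/lib/secure_headers.rb
+++ b/data/lib/secure_headers.rb
@@ -85,7 +85,7 @@ module SecureHeaders
 end
 
 def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
-return unless brwsr.ie?
+return unless brwsr.ie? || brwsr.chrome?
 set_a_header(:x_content_type_options, XContentTypeOptions, options)
 end
 
@@ -113,7 +113,6 @@ module SecureHeaders
 end
 
 def broken_implementation?(browser)
-#IOS 5 sometimes refuses to load external resources even when whitelisted with CSP
 return browser.ios5? || (browser.safari? && browser.version == 5)
 end
 end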
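Review bot: `set_x_content_type_options_header` still decides whether to send the header by user-agent sniffing (`return unless brwsr.ie? || brwsr.chrome?` at line 88), so any client whose User-Agent string is not on the list — a browser added later, or one sending an unusual or spoofed UA — never receives `X-Content-Type-Options`. The header is ignored by browsers that do not implement it and has no functional cost for the page, so the safer default is to drop the guard and call `set_a_header(:x_content_type_options, XContentTypeOptions, options)` unconditionally; `set_a_header` is defined outside this hunk, so whether it already handles the disabled (`false`) case on its own is not visible here. The second hunk also deletes the only explanation of `broken_implementation?`; I would keep `#IOS 5 sometimes refuses to load external resources even when whitelisted with CSP` above the `return`, since nothing else in the file records why ios5/safari5 are excluded. The enclosing class and the `brwsr` helper start outside these hunks.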
@@ -2,9 +2,9 @@ module SecureHeaders
|
|
2
2
|
class XFOBuildError < StandardError; end
|
3
3
|
class XFrameOptions
|
4
4
|
module Constants
|
5
|
-
XFO_HEADER_NAME = "X-
|
5
|
+
XFO_HEADER_NAME = "X-Frame-Options"
|
6
6
|
DEFAULT_VALUE = 'SAMEORIGIN'
|
7
|
-
VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM
|
7
|
+
VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s])/i
|
8
8
|
end
|
9
9
|
include Constants
|
10
10
|
|
@@ -37,4 +37,4 @@ module SecureHeaders
|
|
37
37
|
end
|
38
38
|
end
|
39
39
|
end
|
40
|
-
end
|
40
|
+
end
|
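Review bot: The new `VALID_XFO_HEADER` (line 7) anchors `SAMEORIGIN` and `DENY` with `\z` but leaves the `ALLOW-FROM[:\s]` alternative open-ended, so any text after the keyword passes — an empty origin, a bare path, or several values — and a misconfigured `ALLOW-FROM` is sent to the browser instead of being rejected. Since the value is an origin the browser compares against, the pattern should at least require a scheme and host and end there, e.g. `VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s]+https?:\/\/[^\s\/]+\z)/i`. Whether a mismatch raises `XFOBuildError` (line 2) is decided by code outside these hunks, so I am assuming the constant is used for that validation. It is also worth confirming that accepting `ALLOW-FROM:` with a colon is intentional, since the draft linked from the README shows the origin separated from the keyword by whitespace.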
@@ -5,32 +5,11 @@ module SecureHeaders
|
|
5
5
|
specify{ StrictTransportSecurity.new.name.should == "Strict-Transport-Security" }
|
6
6
|
|
7
7
|
describe "#value" do
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
it "allows you to specify includeSubdomains" do
|
14
|
-
s = StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
15
|
-
s.value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"
|
16
|
-
end
|
17
|
-
|
18
|
-
it "accepts a string value and returns verbatim" do
|
19
|
-
s = StrictTransportSecurity.new('max-age=1234')
|
20
|
-
s.value.should == "max-age=1234"
|
21
|
-
end
|
22
|
-
|
23
|
-
it "allows you to specify max-age" do
|
24
|
-
age = '8675309'
|
25
|
-
s = StrictTransportSecurity.new(:max_age => age)
|
26
|
-
s.value.should == "max-age=#{age}"
|
27
|
-
end
|
28
|
-
|
29
|
-
it "allows you to specify max-age as a Fixnum" do
|
30
|
-
age = 8675309
|
31
|
-
s = StrictTransportSecurity.new(:max_age => age)
|
32
|
-
s.value.should == "max-age=#{age}"
|
33
|
-
end
|
8
|
+
specify { StrictTransportSecurity.new.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE}
|
9
|
+
specify { StrictTransportSecurity.new("max-age=1234").value.should == "max-age=1234"}
|
10
|
+
specify { StrictTransportSecurity.new(:max_age => '1234').value.should == "max-age=1234"}
|
11
|
+
specify { StrictTransportSecurity.new(:max_age => 1234).value.should == "max-age=1234"}
|
12
|
+
specify { StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"}
|
34
13
|
|
35
14
|
context "with an invalid configuration" do
|
36
15
|
context "with a hash argument" do
|
@@ -2,7 +2,7 @@ require 'spec_helper'
|
|
2
2
|
|
3
3
|
module SecureHeaders
|
4
4
|
describe XFrameOptions do
|
5
|
-
specify{ XFrameOptions.new.name.should == "X-
|
5
|
+
specify{ XFrameOptions.new.name.should == "X-Frame-Options" }
|
6
6
|
|
7
7
|
describe "#value" do
|
8
8
|
specify { XFrameOptions.new.value.should == XFrameOptions::Constants::DEFAULT_VALUE}
|
@@ -80,10 +80,8 @@ describe SecureHeaders do
|
|
80
80
|
it "sets all default headers for #{name} (smoke test)" do
|
81
81
|
stub_user_agent(useragent)
|
82
82
|
number_of_headers = case name
|
83
|
-
when :ie
|
83
|
+
when :ie, :chrome
|
84
84
|
5
|
85
|
-
when :opera
|
86
|
-
4
|
87
85
|
when :ios5, :safari5
|
88
86
|
3 # csp breaks these browsers
|
89
87
|
else
|
@@ -99,29 +97,28 @@ describe SecureHeaders do
|
|
99
97
|
end
|
100
98
|
end
|
101
99
|
|
102
|
-
it "does not set the X-Content-Type-Options
|
100
|
+
it "does not set the X-Content-Type-Options header if disabled" do
|
103
101
|
stub_user_agent(USER_AGENTS[:ie])
|
104
102
|
should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)
|
105
103
|
subject.set_x_content_type_options_header(false)
|
106
104
|
end
|
107
105
|
|
108
|
-
it "does not set the X-XSS-
|
109
|
-
stub_user_agent(USER_AGENTS[:ie])
|
106
|
+
it "does not set the X-XSS-Protection header if disabled" do
|
110
107
|
should_not_assign_header(X_XSS_PROTECTION_HEADER_NAME)
|
111
108
|
subject.set_x_xss_protection_header(false)
|
112
109
|
end
|
113
110
|
|
114
|
-
it "does not set the X-
|
111
|
+
it "does not set the X-Frame-Options header if disabled" do
|
115
112
|
should_not_assign_header(XFO_HEADER_NAME)
|
116
113
|
subject.set_x_frame_options_header(false)
|
117
114
|
end
|
118
115
|
|
119
|
-
it "does not set the
|
116
|
+
it "does not set the HSTS header if disabled" do
|
120
117
|
should_not_assign_header(HSTS_HEADER_NAME)
|
121
118
|
subject.set_hsts_header(false)
|
122
119
|
end
|
123
120
|
|
124
|
-
it "does not set the
|
121
|
+
it "does not set the HSTS header if request is over HTTP" do
|
125
122
|
subject.stub_chain(:request, :ssl?).and_return(false)
|
126
123
|
should_not_assign_header(HSTS_HEADER_NAME)
|
127
124
|
subject.set_hsts_header({:include_subdomains => true})
|
@@ -142,7 +139,7 @@ describe SecureHeaders do
|
|
142
139
|
end
|
143
140
|
|
144
141
|
context "when disabled by configuration settings" do
|
145
|
-
it "does not set
|
142
|
+
it "does not set any headers when disabled" do
|
146
143
|
::SecureHeaders::Configuration.configure do |config|
|
147
144
|
config.hsts = false
|
148
145
|
config.x_frame_options = false
|
@@ -158,48 +155,67 @@ describe SecureHeaders do
|
|
158
155
|
end
|
159
156
|
|
160
157
|
describe "#set_x_frame_options_header" do
|
161
|
-
it "sets the X-
|
158
|
+
it "sets the X-Frame-Options header" do
|
162
159
|
should_assign_header(XFO_HEADER_NAME, SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
|
163
160
|
subject.set_x_frame_options_header
|
164
161
|
end
|
165
162
|
|
166
|
-
it "allows a custom X-
|
163
|
+
it "allows a custom X-Frame-Options header" do
|
167
164
|
should_assign_header(XFO_HEADER_NAME, "DENY")
|
168
165
|
subject.set_x_frame_options_header(:value => 'DENY')
|
169
166
|
end
|
170
167
|
end
|
171
168
|
|
172
|
-
|
173
|
-
|
174
|
-
|
169
|
+
describe "#set_strict_transport_security" do
|
170
|
+
it "sets the Strict-Transport-Security header" do
|
171
|
+
should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
172
|
+
subject.set_hsts_header
|
175
173
|
end
|
176
174
|
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
181
|
-
end
|
175
|
+
it "allows you to specific a custom max-age value" do
|
176
|
+
should_assign_header(HSTS_HEADER_NAME, 'max-age=1234')
|
177
|
+
subject.set_hsts_header(:max_age => 1234)
|
178
|
+
end
|
182
179
|
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
180
|
+
it "allows you to specify includeSubdomains" do
|
181
|
+
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
|
182
|
+
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
183
|
+
end
|
184
|
+
end
|
187
185
|
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
186
|
+
describe "#set_x_xss_protection" do
|
187
|
+
it "sets the X-XSS-Protection header" do
|
188
|
+
should_assign_header(X_XSS_PROTECTION_HEADER_NAME, SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
|
189
|
+
subject.set_x_xss_protection_header
|
192
190
|
end
|
193
191
|
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
192
|
+
it "sets a custom X-XSS-Protection header" do
|
193
|
+
should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
|
194
|
+
subject.set_x_xss_protection_header("0")
|
195
|
+
end
|
196
|
+
|
197
|
+
it "sets the block flag" do
|
198
|
+
should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
|
199
|
+
subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
|
200
|
+
end
|
201
|
+
end
|
199
202
|
|
200
|
-
|
201
|
-
|
202
|
-
|
203
|
+
describe "#set_x_content_type_options" do
|
204
|
+
[:ie, :chrome].each do |useragent|
|
205
|
+
context "when using #{useragent}" do
|
206
|
+
before(:each) do
|
207
|
+
stub_user_agent(USER_AGENTS[useragent])
|
208
|
+
end
|
209
|
+
|
210
|
+
it "sets the X-Content-Type-Options header" do
|
211
|
+
should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
212
|
+
subject.set_x_content_type_options_header
|
213
|
+
end
|
214
|
+
|
215
|
+
it "lets you override X-Content-Type-Options" do
|
216
|
+
should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
|
217
|
+
subject.set_x_content_type_options_header(:value => 'nosniff')
|
218
|
+
end
|
203
219
|
end
|
204
220
|
end
|
205
221
|
end
|
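--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.5.0
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-05-
+date: 2013-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: brwsr
@@ -190,7 +190,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.
+rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
 summary: Add easily configured browser headers to responses including content security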