secure_headers 1.3.2 → 1.3.3
- data/HISTORY.md +7 -0
- data/README.md +2 -2
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
- data/spec/lib/secure_headers_spec.rb +5 -0
- metadata +9 -5
- checksums.yaml +0 -15
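--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,10 @@
+1.3.3
+======
+
+@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
+
+This just adds a new 'preload' option to the HSTS settings to specify that option.
+
 1.3.2
 ======
 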
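--- a/data/README.md
+++ b/data/README.md
@@ -197,7 +197,7 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 "default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
 
-### Tagging
+### Tagging Requests
 
 It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
 
@@ -368,6 +368,6 @@ end
 
 ## License
 
-Copyright 2013 Twitter, Inc.
+Copyright 2013-2014 Twitter, Inc and other contributors.
 
 Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0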
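--- a/data/lib/secure_headers/headers/strict_transport_security.rb
+++ b/data/lib/secure_headers/headers/strict_transport_security.rb
@@ -6,7 +6,7 @@ module SecureHeaders
 HSTS_HEADER_NAME = 'Strict-Transport-Security'
 HSTS_MAX_AGE = "631138519"
 DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
-VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
+VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
 MESSAGE = "The config value supplied for the HSTS header was invalid."
 end
 include Constants
@@ -31,6 +31,7 @@ module SecureHeaders
 max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
 value = "max-age=" + max_age.to_s
 value += "; includeSubdomains" if @config[:include_subdomains]
+value += "; preload" if @config[:preload]
 
 value
 end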
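--- a/data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb
+++ b/data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -10,6 +10,7 @@ module SecureHeaders
 specify { expect(StrictTransportSecurity.new(:max_age => '1234').value).to eq("max-age=1234")}
 specify { expect(StrictTransportSecurity.new(:max_age => 1234).value).to eq("max-age=1234")}
 specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains")}
+specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")}
 
 context "with an invalid configuration" do
 context "with a hash argument" do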
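--- a/data/spec/lib/secure_headers_spec.rb
+++ b/data/spec/lib/secure_headers_spec.rb
@@ -178,6 +178,11 @@ describe SecureHeaders do
 should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
 subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
 end
+
+it "allows you to specify preload" do
+should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
+subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
+end
 end
 
 describe "#set_x_xss_protection" do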
metadata
CHANGED
@@ -1,18 +1,20 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
4
|
+
version: 1.3.3
|
5
|
+
prerelease:
|
5
6
|
platform: ruby
|
6
7
|
authors:
|
7
8
|
- Neil Matatall
|
8
9
|
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
11
|
-
date: 2014-08-
|
12
|
+
date: 2014-08-15 00:00:00.000000000 Z
|
12
13
|
dependencies:
|
13
14
|
- !ruby/object:Gem::Dependency
|
14
15
|
name: rake
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
17
|
+
none: false
|
16
18
|
requirements:
|
17
19
|
- - ! '>='
|
18
20
|
- !ruby/object:Gem::Version
|
@@ -20,6 +22,7 @@ dependencies:
|
|
20
22
|
type: :development
|
21
23
|
prerelease: false
|
22
24
|
version_requirements: !ruby/object:Gem::Requirement
|
25
|
+
none: false
|
23
26
|
requirements:
|
24
27
|
- - ! '>='
|
25
28
|
- !ruby/object:Gem::Version
|
@@ -150,26 +153,27 @@ files:
|
|
150
153
|
homepage: https://github.com/twitter/secureheaders
|
151
154
|
licenses:
|
152
155
|
- Apache Public License 2.0
|
153
|
-
metadata: {}
|
154
156
|
post_install_message:
|
155
157
|
rdoc_options: []
|
156
158
|
require_paths:
|
157
159
|
- lib
|
158
160
|
required_ruby_version: !ruby/object:Gem::Requirement
|
161
|
+
none: false
|
159
162
|
requirements:
|
160
163
|
- - ! '>='
|
161
164
|
- !ruby/object:Gem::Version
|
162
165
|
version: '0'
|
163
166
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
167
|
+
none: false
|
164
168
|
requirements:
|
165
169
|
- - ! '>='
|
166
170
|
- !ruby/object:Gem::Version
|
167
171
|
version: '0'
|
168
172
|
requirements: []
|
169
173
|
rubyforge_project:
|
170
|
-
rubygems_version:
|
174
|
+
rubygems_version: 1.8.23
|
171
175
|
signing_key:
|
172
|
-
specification_version:
|
176
|
+
specification_version: 3
|
173
177
|
summary: Add easily configured browser headers to responses including content security
|
174
178
|
policy, x-frame-options, strict-transport-security and more.
|
175
179
|
test_files:
|
checksums.yaml
DELETED
@@ -1,15 +0,0 @@
|
|
1
|
-
---
|
2
|
-
!binary "U0hBMQ==":
|
3
|
-
metadata.gz: !binary |-
|
4
|
-
OGRkYjRlNDU4ZTZjMWViMTM0NTlkZDc1ZDNmNjJkMjNlMGIzMDY5OA==
|
5
|
-
data.tar.gz: !binary |-
|
6
|
-
Y2Y0OGEwODAwNDZmMzNkNWYzYzJiNDAzZTdlZDE2YmYzNzQ5MDNhMA==
|
7
|
-
SHA512:
|
8
|
-
metadata.gz: !binary |-
|
9
|
-
NGZmODE5M2ViNWJkZTRhMjRjYzEwNTRkZDkzMzdmOWQzMzdiYWU0OGM3ZGZl
|
10
|
-
Yjc0YjJmOTI4MWFiMTE2NGJlMDA4ZjA2YjY3YzAyMWU5ZDExMmEwZWM1ODVl
|
11
|
-
ZDllOGFlYTdhNjU1YjRlZjc1MjM4MjM5MDlmY2EwNzljNjU4OTA=
|
12
|
-
data.tar.gz: !binary |-
|
13
|
-
Y2UzZDgxNWFlMGQ3YmMwODY2OTQyNmVhZDU3YWQ5ODk3MDRjNWQwZTJhODMy
|
14
|
-
Njk2ODQyZjQ1MTA1YjZjMmMxZDM2YTcyOWE3ODIxN2Q1ZjQzNDQ3MmM3NGI2
|
15
|
-
YWU4NzZkZmQ3NWM1ZTNlZWI4NzIzMDFhZDZjODQ1MzhkMjlkMDk=
|