secure_headers 1.3.2 → 1.3.3
- data/HISTORY.md +7 -0
- data/README.md +2 -2
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
- data/spec/lib/secure_headers_spec.rb +5 -0
- metadata +9 -5
- checksums.yaml +0 -15
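--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,10 @@
+1.3.3
+======
+
+@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
+
+This just adds a new 'preload' option to the HSTS settings to specify that option.
+
 1.3.2
 ======
 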
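--- a/data/README.md
+++ b/data/README.md
@@ -197,7 +197,7 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 "default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
 
-### Tagging
+### Tagging Requests
 
 It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
 
@@ -368,6 +368,6 @@ end
 
 ## License
 
-Copyright 2013 Twitter, Inc.
+Copyright 2013-2014 Twitter, Inc and other contributors.
 
 Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0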
@@ -6,7 +6,7 @@ module SecureHeaders
|
|
6
6
|
HSTS_HEADER_NAME = 'Strict-Transport-Security'
|
7
7
|
HSTS_MAX_AGE = "631138519"
|
8
8
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
9
|
-
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
|
9
|
+
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
10
10
|
MESSAGE = "The config value supplied for the HSTS header was invalid."
|
11
11
|
end
|
12
12
|
include Constants
|
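Review bot: The widened VALID_STS_HEADER on line 9 still fixes directive order and spacing, so a string value such as `max-age=1234; preload; includeSubdomains` is rejected with MESSAGE even though RFC 6797 treats directive order as insignificant, while `max-age=1234; preload` without includeSubdomains passes although the preload list will not accept a host without includeSubDomains and a sufficiently large max-age. If this regex is the gate for string-form configuration (its caller is outside the hunk), an order-insensitive form is one line: `VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains(; preload)?|; preload(; includeSubdomains)?)?\z/i`. Whichever form is kept, a comment on the line would spare the next reader a trip to the preload site: `# preload is accepted on its own to mirror the hash form; the browser preload list itself requires includeSubDomains and a minimum max-age (check the current threshold before submitting)`. The module these constants live in (presumably Constants, given the include on line 12) opens before this hunk.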
@@ -31,6 +31,7 @@ module SecureHeaders
|
|
31
31
|
max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
|
32
32
|
value = "max-age=" + max_age.to_s
|
33
33
|
value += "; includeSubdomains" if @config[:include_subdomains]
|
34
|
+
value += "; preload" if @config[:preload]
|
34
35
|
|
35
36
|
value
|
36
37
|
end
|
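Review bot: Line 34 appends `; preload` whenever `@config[:preload]` is truthy, independently of `:include_subdomains` and of the `max_age` chosen on line 31, so `:preload => true` alone yields `max-age=…; preload`, a header browsers honour but that the preload list will not admit and that advertises a commitment the site has not actually made. Because preloading applies to every subdomain and is slow to undo, I would add a comment above the new line: `# preload asks browsers to hard-code HSTS for this host and all subdomains; only set it together with include_subdomains and a max_age the site can honour long-term`. If the hash form is validated elsewhere in this class, that is the place to reject `:preload` without `:include_subdomains` rather than silently emitting it here. The enclosing method opens before this hunk.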
@@ -10,6 +10,7 @@ module SecureHeaders
|
|
10
10
|
specify { expect(StrictTransportSecurity.new(:max_age => '1234').value).to eq("max-age=1234")}
|
11
11
|
specify { expect(StrictTransportSecurity.new(:max_age => 1234).value).to eq("max-age=1234")}
|
12
12
|
specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains")}
|
13
|
+
specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")}
|
13
14
|
|
14
15
|
context "with an invalid configuration" do
|
15
16
|
context "with a hash argument" do
|
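Review bot: The new example on line 13 only covers `:preload` together with `:include_subdomains`, and nothing in this hunk exercises the loosened VALID_STS_HEADER regex, so whether a string configuration containing `preload` passes validation is left unpinned by the suite. If the class accepts a string argument, as the `with a hash argument` context below suggests a sibling context does, add `specify { expect(StrictTransportSecurity.new("max-age=1234; includeSubdomains; preload").value).to eq("max-age=1234; includeSubdomains; preload")}` next to the new example, and consider a case for `max-age=1234; preload` alone so the intended behaviour for that input is stated explicitly. The describe block this sits in opens before the hunk.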
@@ -178,6 +178,11 @@ describe SecureHeaders do
|
|
178
178
|
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
|
179
179
|
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
180
180
|
end
|
181
|
+
|
182
|
+
it "allows you to specify preload" do
|
183
|
+
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
|
184
|
+
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
|
185
|
+
end
|
181
186
|
end
|
182
187
|
|
183
188
|
describe "#set_x_xss_protection" do
|
metadata
CHANGED
@@ -1,18 +1,20 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
4
|
+
version: 1.3.3
|
5
|
+
prerelease:
|
5
6
|
platform: ruby
|
6
7
|
authors:
|
7
8
|
- Neil Matatall
|
8
9
|
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
11
|
-
date: 2014-08-
|
12
|
+
date: 2014-08-15 00:00:00.000000000 Z
|
12
13
|
dependencies:
|
13
14
|
- !ruby/object:Gem::Dependency
|
14
15
|
name: rake
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
17
|
+
none: false
|
16
18
|
requirements:
|
17
19
|
- - ! '>='
|
18
20
|
- !ruby/object:Gem::Version
|
@@ -20,6 +22,7 @@ dependencies:
|
|
20
22
|
type: :development
|
21
23
|
prerelease: false
|
22
24
|
version_requirements: !ruby/object:Gem::Requirement
|
25
|
+
none: false
|
23
26
|
requirements:
|
24
27
|
- - ! '>='
|
25
28
|
- !ruby/object:Gem::Version
|
@@ -150,26 +153,27 @@ files:
|
|
150
153
|
homepage: https://github.com/twitter/secureheaders
|
151
154
|
licenses:
|
152
155
|
- Apache Public License 2.0
|
153
|
-
metadata: {}
|
154
156
|
post_install_message:
|
155
157
|
rdoc_options: []
|
156
158
|
require_paths:
|
157
159
|
- lib
|
158
160
|
required_ruby_version: !ruby/object:Gem::Requirement
|
161
|
+
none: false
|
159
162
|
requirements:
|
160
163
|
- - ! '>='
|
161
164
|
- !ruby/object:Gem::Version
|
162
165
|
version: '0'
|
163
166
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
167
|
+
none: false
|
164
168
|
requirements:
|
165
169
|
- - ! '>='
|
166
170
|
- !ruby/object:Gem::Version
|
167
171
|
version: '0'
|
168
172
|
requirements: []
|
169
173
|
rubyforge_project:
|
170
|
-
rubygems_version:
|
174
|
+
rubygems_version: 1.8.23
|
171
175
|
signing_key:
|
172
|
-
specification_version:
|
176
|
+
specification_version: 3
|
173
177
|
summary: Add easily configured browser headers to responses including content security
|
174
178
|
policy, x-frame-options, strict-transport-security and more.
|
175
179
|
test_files:
|
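--- a/checksums.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-metadata.gz: !binary |-
-OGRkYjRlNDU4ZTZjMWViMTM0NTlkZDc1ZDNmNjJkMjNlMGIzMDY5OA==
-data.tar.gz: !binary |-
-Y2Y0OGEwODAwNDZmMzNkNWYzYzJiNDAzZTdlZDE2YmYzNzQ5MDNhMA==
-SHA512:
-metadata.gz: !binary |-
-NGZmODE5M2ViNWJkZTRhMjRjYzEwNTRkZDkzMzdmOWQzMzdiYWU0OGM3ZGZl
-Yjc0YjJmOTI4MWFiMTE2NGJlMDA4ZjA2YjY3YzAyMWU5ZDExMmEwZWM1ODVl
-ZDllOGFlYTdhNjU1YjRlZjc1MjM4MjM5MDlmY2EwNzljNjU4OTA=
-data.tar.gz: !binary |-
-Y2UzZDgxNWFlMGQ3YmMwODY2OTQyNmVhZDU3YWQ5ODk3MDRjNWQwZTJhODMy
-Njk2ODQyZjQ1MTA1YjZjMmMxZDM2YTcyOWE3ODIxN2Q1ZjQzNDQ3MmM3NGI2
-YWU4NzZkZmQ3NWM1ZTNlZWI4NzIzMDFhZDZjODQ1MzhkMjlkMDk=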