secure_headers 1.3.2 → 1.3.3

data/HISTORY.md

@@ -1,3 +1,10 @@
+1.3.3
+======
+
+@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
+
+This just adds a new 'preload' option to the HSTS settings to specify that option.
+
 1.3.2
 ======
 

data/README.md

@@ -197,7 +197,7 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 "default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
 
-### Tagging Reuqests
+### Tagging Requests
 
 It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
 
@@ -368,6 +368,6 @@ end
 
 ## License
 
-Copyright 2013 Twitter, Inc.
+Copyright 2013-2014 Twitter, Inc and other contributors.
 
 Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -6,7 +6,7 @@ module SecureHeaders
       HSTS_HEADER_NAME = 'Strict-Transport-Security'
       HSTS_MAX_AGE = "631138519"
       DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
-      VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
+      VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
       MESSAGE = "The config value supplied for the HSTS header was invalid."
     end
     include Constants
@@ -31,6 +31,7 @@ module SecureHeaders
       max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
       value = "max-age=" + max_age.to_s
       value += "; includeSubdomains" if @config[:include_subdomains]
+      value += "; preload" if @config[:preload]
 
       value
     end

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "1.3.2"
+  VERSION = "1.3.3"
 end

data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -10,6 +10,7 @@ module SecureHeaders
       specify { expect(StrictTransportSecurity.new(:max_age => '1234').value).to eq("max-age=1234")}
       specify { expect(StrictTransportSecurity.new(:max_age => 1234).value).to eq("max-age=1234")}
       specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains")}
+      specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")}
 
       context "with an invalid configuration" do
         context "with a hash argument" do

data/spec/lib/secure_headers_spec.rb

@@ -178,6 +178,11 @@ describe SecureHeaders do
       should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
       subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
     end
+
+    it "allows you to specify preload" do
+      should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
+      subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
+    end
   end
 
   describe "#set_x_xss_protection" do

metadata

@@ -1,18 +1,20 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 1.3.2
+  version: 1.3.3
+  prerelease: 
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-13 00:00:00.000000000 Z
+date: 2014-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -20,6 +22,7 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -150,26 +153,27 @@ files:
 homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.1
+rubygems_version: 1.8.23
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: Add easily configured browser headers to responses including content security
   policy, x-frame-options, strict-transport-security and more.
 test_files:

checksums.yaml

@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OGRkYjRlNDU4ZTZjMWViMTM0NTlkZDc1ZDNmNjJkMjNlMGIzMDY5OA==
-  data.tar.gz: !binary |-
-    Y2Y0OGEwODAwNDZmMzNkNWYzYzJiNDAzZTdlZDE2YmYzNzQ5MDNhMA==
-SHA512:
-  metadata.gz: !binary |-
-    NGZmODE5M2ViNWJkZTRhMjRjYzEwNTRkZDkzMzdmOWQzMzdiYWU0OGM3ZGZl
-    Yjc0YjJmOTI4MWFiMTE2NGJlMDA4ZjA2YjY3YzAyMWU5ZDExMmEwZWM1ODVl
-    ZDllOGFlYTdhNjU1YjRlZjc1MjM4MjM5MDlmY2EwNzljNjU4OTA=
-  data.tar.gz: !binary |-
-    Y2UzZDgxNWFlMGQ3YmMwODY2OTQyNmVhZDU3YWQ5ODk3MDRjNWQwZTJhODMy
-    Njk2ODQyZjQ1MTA1YjZjMmMxZDM2YTcyOWE3ODIxN2Q1ZjQzNDQ3MmM3NGI2
-    YWU4NzZkZmQ3NWM1ZTNlZWI4NzIzMDFhZDZjODQ1MzhkMjlkMDk=