secure_headers 2.0.1 → 2.0.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
data/README.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# SecureHeaders [](http://travis-ci.org/twitter/secureheaders) [](https://codeclimate.com/github/twitter/secureheaders) [](https://coveralls.io/r/twitter/secureheaders)
|
|
2
2
|
|
|
3
3
|
The gem will automatically apply several headers that are related to security. This includes:
|
|
4
|
-
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP
|
|
4
|
+
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
|
|
5
5
|
- HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
|
|
6
6
|
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
|
|
7
7
|
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
|
|
@@ -31,7 +31,13 @@ module SecureHeaders
|
|
|
31
31
|
:reflected_xss
|
|
32
32
|
]
|
|
33
33
|
|
|
34
|
-
|
|
34
|
+
OTHER = [
|
|
35
|
+
:report_uri
|
|
36
|
+
]
|
|
37
|
+
|
|
38
|
+
SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
|
|
39
|
+
|
|
40
|
+
ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
|
|
35
41
|
end
|
|
36
42
|
include Constants
|
|
37
43
|
|
|
@@ -102,7 +108,7 @@ module SecureHeaders
|
|
|
102
108
|
@config = config.inject({}) do |hash, (key, value)|
|
|
103
109
|
config_val = value.respond_to?(:call) ? value.call : value
|
|
104
110
|
|
|
105
|
-
if
|
|
111
|
+
if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
|
|
106
112
|
config_val = config_val.split if config_val.is_a? String
|
|
107
113
|
if config_val.is_a?(Array)
|
|
108
114
|
config_val = config_val.map do |val|
|
|
@@ -18,16 +18,10 @@ describe SecureHeaders do
|
|
|
18
18
|
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection, :x_permitted_cross_domain_policies].map{|header| [header, false]}]
|
|
22
|
-
|
|
23
21
|
def stub_user_agent val
|
|
24
22
|
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
25
23
|
end
|
|
26
24
|
|
|
27
|
-
def options_for header
|
|
28
|
-
ALL_HEADERS.reject{|k,v| k == header}
|
|
29
|
-
end
|
|
30
|
-
|
|
31
25
|
def reset_config
|
|
32
26
|
::SecureHeaders::Configuration.configure do |config|
|
|
33
27
|
config.hsts = nil
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.2
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2015-
|
|
12
|
+
date: 2015-05-05 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rake
|