secure_headers 2.4.3 → 2.4.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/secure_headers.rb +7 -5
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers_spec.rb +18 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 72789dc25f6714e7bb64fc9b4255d1b0cbcb2ccf
|
|
4
|
+
data.tar.gz: 0a0e505e9f9ebed4807e3a8a52c160e630f4a1ae
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 96717b49d93a916952b139b50eec64df0f056ec59168c6abddb73b33893966d5309e8a956374ab55730a831288ca2c44dad3f49bef7f27ec6b2168be0881f778
|
|
7
|
+
data.tar.gz: 0615cef78d2724fd5cab650f9da4ee008443f1d2111e2065ffa4b04c43db2535c5d567687163e92f606d0c290b87a1a55df537e8c2328582b412f064be07f87e
|
data/README.md
CHANGED
|
@@ -8,7 +8,7 @@ The gem will automatically apply several headers that are related to security.
|
|
|
8
8
|
- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
|
|
9
9
|
- X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
|
|
10
10
|
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
|
|
11
|
-
- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key
|
|
11
|
+
- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
|
|
12
12
|
|
|
13
13
|
## Usage
|
|
14
14
|
|
data/lib/secure_headers.rb
CHANGED
|
@@ -52,21 +52,23 @@ module SecureHeaders
|
|
|
52
52
|
|
|
53
53
|
def header_hash(options = nil)
|
|
54
54
|
ALL_HEADER_CLASSES.inject({}) do |memo, klass|
|
|
55
|
-
|
|
55
|
+
# must use !options[key].nil? because 'false' represents opting out, nil
|
|
56
|
+
# represents use global default.
|
|
57
|
+
config = if options.is_a?(Hash) && !options[klass::Constants::CONFIG_KEY].nil?
|
|
56
58
|
options[klass::Constants::CONFIG_KEY]
|
|
57
59
|
else
|
|
58
60
|
::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
|
|
59
61
|
end
|
|
60
62
|
|
|
61
63
|
unless klass == SecureHeaders::PublicKeyPins && !config.is_a?(Hash)
|
|
62
|
-
header = get_a_header(klass
|
|
63
|
-
memo[header.name] = header.value
|
|
64
|
+
header = get_a_header(klass, config)
|
|
65
|
+
memo[header.name] = header.value if header
|
|
64
66
|
end
|
|
65
67
|
memo
|
|
66
68
|
end
|
|
67
69
|
end
|
|
68
70
|
|
|
69
|
-
def get_a_header(
|
|
71
|
+
def get_a_header(klass, options)
|
|
70
72
|
return if options == false
|
|
71
73
|
klass.new(options)
|
|
72
74
|
end
|
|
@@ -210,7 +212,7 @@ module SecureHeaders
|
|
|
210
212
|
def set_a_header(name, klass, options=nil)
|
|
211
213
|
options = secure_header_options_for(name, options)
|
|
212
214
|
return if options == false
|
|
213
|
-
set_header(SecureHeaders::get_a_header(
|
|
215
|
+
set_header(SecureHeaders::get_a_header(klass, options))
|
|
214
216
|
end
|
|
215
217
|
|
|
216
218
|
def set_header(name_or_header, value=nil)
|
|
@@ -8,6 +8,7 @@ describe SecureHeaders do
|
|
|
8
8
|
let(:request) {double(:ssl? => true, :url => 'https://example.com')}
|
|
9
9
|
|
|
10
10
|
before(:each) do
|
|
11
|
+
reset_config
|
|
11
12
|
stub_user_agent(nil)
|
|
12
13
|
allow(headers).to receive(:[])
|
|
13
14
|
allow(subject).to receive(:response).and_return(response)
|
|
@@ -171,6 +172,23 @@ describe SecureHeaders do
|
|
|
171
172
|
expect_default_values(hash)
|
|
172
173
|
end
|
|
173
174
|
|
|
175
|
+
it "allows opting out" do
|
|
176
|
+
hash = SecureHeaders::header_hash(:csp => false, :hpkp => false)
|
|
177
|
+
expect(hash['Content-Security-Policy-Report-Only']).to be_nil
|
|
178
|
+
expect(hash['Content-Security-Policy']).to be_nil
|
|
179
|
+
end
|
|
180
|
+
|
|
181
|
+
it "allows opting out with config" do
|
|
182
|
+
::SecureHeaders::Configuration.configure do |config|
|
|
183
|
+
config.hsts = false
|
|
184
|
+
config.csp = false
|
|
185
|
+
end
|
|
186
|
+
|
|
187
|
+
hash = SecureHeaders::header_hash
|
|
188
|
+
expect(hash['Content-Security-Policy-Report-Only']).to be_nil
|
|
189
|
+
expect(hash['Content-Security-Policy']).to be_nil
|
|
190
|
+
end
|
|
191
|
+
|
|
174
192
|
it "produces a hash with a mix of config values, override values, and default values" do
|
|
175
193
|
::SecureHeaders::Configuration.configure do |config|
|
|
176
194
|
config.hsts = { :max_age => '123456'}
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.4.
|
|
4
|
+
version: 2.4.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-12-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|