secure_headers 2.4.3 → 2.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/secure_headers.rb +7 -5
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers_spec.rb +18 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 72789dc25f6714e7bb64fc9b4255d1b0cbcb2ccf
|
|
4
|
+
data.tar.gz: 0a0e505e9f9ebed4807e3a8a52c160e630f4a1ae
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 96717b49d93a916952b139b50eec64df0f056ec59168c6abddb73b33893966d5309e8a956374ab55730a831288ca2c44dad3f49bef7f27ec6b2168be0881f778
|
|
7
|
+
data.tar.gz: 0615cef78d2724fd5cab650f9da4ee008443f1d2111e2065ffa4b04c43db2535c5d567687163e92f606d0c290b87a1a55df537e8c2328582b412f064be07f87e
|
data/README.md
CHANGED
|
@@ -8,7 +8,7 @@ The gem will automatically apply several headers that are related to security.
|
|
|
8
8
|
- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
|
|
9
9
|
- X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
|
|
10
10
|
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
|
|
11
|
-
- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key
|
|
11
|
+
- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
|
|
12
12
|
|
|
13
13
|
## Usage
|
|
14
14
|
|
data/lib/secure_headers.rb
CHANGED
|
@@ -52,21 +52,23 @@ module SecureHeaders
|
|
|
52
52
|
|
|
53
53
|
def header_hash(options = nil)
|
|
54
54
|
ALL_HEADER_CLASSES.inject({}) do |memo, klass|
|
|
55
|
-
|
|
55
|
+
# must use !options[key].nil? because 'false' represents opting out, nil
|
|
56
|
+
# represents use global default.
|
|
57
|
+
config = if options.is_a?(Hash) && !options[klass::Constants::CONFIG_KEY].nil?
|
|
56
58
|
options[klass::Constants::CONFIG_KEY]
|
|
57
59
|
else
|
|
58
60
|
::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
|
|
59
61
|
end
|
|
60
62
|
|
|
61
63
|
unless klass == SecureHeaders::PublicKeyPins && !config.is_a?(Hash)
|
|
62
|
-
header = get_a_header(klass
|
|
63
|
-
memo[header.name] = header.value
|
|
64
|
+
header = get_a_header(klass, config)
|
|
65
|
+
memo[header.name] = header.value if header
|
|
64
66
|
end
|
|
65
67
|
memo
|
|
66
68
|
end
|
|
67
69
|
end
|
|
68
70
|
|
|
69
|
-
def get_a_header(
|
|
71
|
+
def get_a_header(klass, options)
|
|
70
72
|
return if options == false
|
|
71
73
|
klass.new(options)
|
|
72
74
|
end
|
|
@@ -210,7 +212,7 @@ module SecureHeaders
|
|
|
210
212
|
def set_a_header(name, klass, options=nil)
|
|
211
213
|
options = secure_header_options_for(name, options)
|
|
212
214
|
return if options == false
|
|
213
|
-
set_header(SecureHeaders::get_a_header(
|
|
215
|
+
set_header(SecureHeaders::get_a_header(klass, options))
|
|
214
216
|
end
|
|
215
217
|
|
|
216
218
|
def set_header(name_or_header, value=nil)
|
|
@@ -8,6 +8,7 @@ describe SecureHeaders do
|
|
|
8
8
|
let(:request) {double(:ssl? => true, :url => 'https://example.com')}
|
|
9
9
|
|
|
10
10
|
before(:each) do
|
|
11
|
+
reset_config
|
|
11
12
|
stub_user_agent(nil)
|
|
12
13
|
allow(headers).to receive(:[])
|
|
13
14
|
allow(subject).to receive(:response).and_return(response)
|
|
@@ -171,6 +172,23 @@ describe SecureHeaders do
|
|
|
171
172
|
expect_default_values(hash)
|
|
172
173
|
end
|
|
173
174
|
|
|
175
|
+
it "allows opting out" do
|
|
176
|
+
hash = SecureHeaders::header_hash(:csp => false, :hpkp => false)
|
|
177
|
+
expect(hash['Content-Security-Policy-Report-Only']).to be_nil
|
|
178
|
+
expect(hash['Content-Security-Policy']).to be_nil
|
|
179
|
+
end
|
|
180
|
+
|
|
181
|
+
it "allows opting out with config" do
|
|
182
|
+
::SecureHeaders::Configuration.configure do |config|
|
|
183
|
+
config.hsts = false
|
|
184
|
+
config.csp = false
|
|
185
|
+
end
|
|
186
|
+
|
|
187
|
+
hash = SecureHeaders::header_hash
|
|
188
|
+
expect(hash['Content-Security-Policy-Report-Only']).to be_nil
|
|
189
|
+
expect(hash['Content-Security-Policy']).to be_nil
|
|
190
|
+
end
|
|
191
|
+
|
|
174
192
|
it "produces a hash with a mix of config values, override values, and default values" do
|
|
175
193
|
::SecureHeaders::Configuration.configure do |config|
|
|
176
194
|
config.hsts = { :max_age => '123456'}
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.4.
|
|
4
|
+
version: 2.4.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-12-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|