secure_headers 3.1.0 → 3.1.1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 7353ab86b76cba9baabc265f6321990163927fa0
4
- data.tar.gz: 8081e9d2a284a26191899317d1947cde24d80d9f
3
+ metadata.gz: e2df8c83dc908657d48aa5552696bade1374c288
4
+ data.tar.gz: 590bc0e2c9225ad3a330af1812babd6c129135d8
5
5
  SHA512:
6
- metadata.gz: 37fd3a8aca07d1ce46bd7cdaf89ddb057d41b94f2f41625287d9a3118d19300708fd33f9d5f029c341a9c80295848101f01558d3dfd370a7bba34c8862e710d6
7
- data.tar.gz: 0d810d24a48f53a45bec5621291475059e521d0d4f640bf1430ad6c86ecf020fea8dd8eb220e600b71c32539d7cfbc1f87567066477deebdf660d8a0161e2f8a
6
+ metadata.gz: f6b8665ddd8e15bfd9f9e5fe2d330e9e7e9cc1386813883613e295e6d114c072f8bb1713871fde12e9feb8a3df8f691b39477a9db8daeb90f49013ecf44e7b8d
7
+ data.tar.gz: 713914b24728468981c723801891e07eeee044f63d7eca97106ef0c0d0376cc0ed4a00ae49177c14d83a5ef445c1cb0b7d6e43472446042f6ee33201f99c2001
data/CHANGELOG.md CHANGED
@@ -1,3 +1,13 @@
1
+ ## 3.1.1 Bug fix for regression
2
+
3
+ See https://github.com/twitter/secureheaders/pull/235
4
+
5
+ `idempotent_additions?` would return false when comparing `OPT_OUT` with `OPT_OUT`, causing `header_hash_for` to return a header cache with `{ nil => nil }` which cause the middleware to blow up when `{ nil => nil }` was merged into the rack header hash.
6
+
7
+ This is a regression in 3.1.0 only.
8
+
9
+ Now it returns true. I've added a test case to ensure that `header_hash_for` will never return such an element.
10
+
1
11
  ## 3.1.0 Adding secure cookie support
2
12
 
3
13
  New feature: marking all cookies as secure. Added by @jmera in https://github.com/twitter/secureheaders/pull/231. In the future, we'll probably add the ability to whitelist individual cookies that should not be marked secure. PRs welcome.
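Review bot: minor grammar in the new 3.1.1 entry: `which cause the middleware to blow up` should read `which caused the middleware to blow up`, and `Now it returns true` would be clearer as `Now \`idempotent_additions?\` returns true`, since the subject is two sentences back. The entry otherwise states the cause (`{ nil => nil }` merged into the rack header hash) and the scope (3.1.0 only) clearly.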
data/README.md CHANGED
@@ -15,6 +15,8 @@ The gem will automatically apply several headers that are related to security.
15
15
  - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
16
16
  - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
17
17
 
18
+ It can also mark all http cookies with the secure attribute (when configured to do so).
19
+
18
20
  `secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
19
21
 
20
22
  ## Use
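Review bot: the added sentence `It can also mark all http cookies with the secure attribute (when configured to do so)` should name the setting that enables it, `config.secure_cookies = true` (the option shown in the configuration example further down), and write `HTTP` and `Secure` with the capitalisation used for the header names above it; as written a reader has to scroll to the config example to find out how to turn the feature on.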
@@ -29,6 +31,7 @@ All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT`
29
31
 
30
32
  ```ruby
31
33
  SecureHeaders::Configuration.default do |config|
34
+ config.secure_cookies = true # mark all cookies as "secure"
32
35
  config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
33
36
  config.x_frame_options = "DENY"
34
37
  config.x_content_type_options = "nosniff"
@@ -71,6 +71,7 @@ module SecureHeaders
71
71
  ALL_HEADER_CLASSES.each do |klass|
72
72
  config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
73
73
  end
74
+ config.dynamic_csp = OPT_OUT
74
75
  end
75
76
 
76
77
  add_configuration(NOOP_CONFIGURATION, noop_config)
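Review bot: the added `config.dynamic_csp = OPT_OUT` deserves a one-line comment explaining why it sits outside the `ALL_HEADER_CLASSES` loop directly above it: `dynamic_csp` is set separately because the loop over `klass::CONFIG_KEY` does not reach it, so before this change the noop configuration left it `nil`, and the explicit `OPT_OUT` is what makes that configuration fully opted out. Without the comment the next reader will assume the loop already covers it and may remove the line.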
@@ -196,6 +196,7 @@ module SecureHeaders
196
196
  # additions = { script_src: %w(google.com)} then idempotent_additions? would return
197
197
  # because google.com is already in the config.
198
198
  def idempotent_additions?(config, additions)
199
+ return true if config == OPT_OUT && additions == OPT_OUT
199
200
  return false if config == OPT_OUT
200
201
  config == combine_policies(config, additions)
201
202
  end
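Review bot: the new guard `return true if config == OPT_OUT && additions == OPT_OUT` covers the regression described in the changelog, but the mixed case where only `additions` is `OPT_OUT` still falls through to `config == combine_policies(config, additions)`; please add a test for that case or state in the doc comment above the method that an `OPT_OUT` in `additions` is handled by `combine_policies`. That doc comment also needs updating: it currently reads `then idempotent_additions? would return / because google.com is already in the config` (the word `true` is missing after `return`) and says nothing about the `OPT_OUT` cases the method now special-cases.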
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.1.0"
4
+ gem.version = "3.1.1"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Security related headers all in one gem.'
@@ -38,6 +38,7 @@ module SecureHeaders
38
38
  ALL_HEADER_CLASSES.each do |klass|
39
39
  expect(hash[klass::CONFIG_KEY]).to be_nil
40
40
  end
41
+ expect(hash.count).to eq(0)
41
42
  end
42
43
 
43
44
  it "allows you to override X-Frame-Options settings" do
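Review bot: `expect(hash.count).to eq(0)` does catch the `{ nil => nil }` regression from the changelog (such an entry gives a count of 1 even though every `hash[klass::CONFIG_KEY]` lookup in the loop above it still returns nil), but `expect(hash).to be_empty` fails with a message that prints the offending contents, which is what you want when this breaks again. Consider switching to that form so the assertion documents its intent as well as enforcing it.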
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.0
4
+ version: 3.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall