secure_headers 3.1.0 → 3.1.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/README.md +3 -0
- data/lib/secure_headers/configuration.rb +1 -0
- data/lib/secure_headers/headers/policy_management.rb +1 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers_spec.rb +1 -0
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e2df8c83dc908657d48aa5552696bade1374c288
|
4
|
+
data.tar.gz: 590bc0e2c9225ad3a330af1812babd6c129135d8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f6b8665ddd8e15bfd9f9e5fe2d330e9e7e9cc1386813883613e295e6d114c072f8bb1713871fde12e9feb8a3df8f691b39477a9db8daeb90f49013ecf44e7b8d
|
7
|
+
data.tar.gz: 713914b24728468981c723801891e07eeee044f63d7eca97106ef0c0d0376cc0ed4a00ae49177c14d83a5ef445c1cb0b7d6e43472446042f6ee33201f99c2001
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,13 @@
|
|
1
|
+
## 3.1.1 Bug fix for regression
|
2
|
+
|
3
|
+
See https://github.com/twitter/secureheaders/pull/235
|
4
|
+
|
5
|
+
`idempotent_additions?` would return false when comparing `OPT_OUT` with `OPT_OUT`, causing `header_hash_for` to return a header cache with `{ nil => nil }` which cause the middleware to blow up when `{ nil => nil }` was merged into the rack header hash.
|
6
|
+
|
7
|
+
This is a regression in 3.1.0 only.
|
8
|
+
|
9
|
+
Now it returns true. I've added a test case to ensure that `header_hash_for` will never return such an element.
|
10
|
+
|
1
11
|
## 3.1.0 Adding secure cookie support
|
2
12
|
|
3
13
|
New feature: marking all cookies as secure. Added by @jmera in https://github.com/twitter/secureheaders/pull/231. In the future, we'll probably add the ability to whitelist individual cookies that should not be marked secure. PRs welcome.
|
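Review bot: the 3.1.1 entry has a grammar slip and an underspecified closing sentence. "which cause the middleware to blow up" should read "which caused the middleware to blow up", and "Now it returns true" would be clearer as "Now `idempotent_additions?` returns true when both sides are `OPT_OUT`". The entry also says a test case was added, but the spec change (`data/spec/lib/secure_headers_spec.rb +1` in the file list) is not shown on this page, so check that it really asserts `header_hash_for` never yields a `nil => nil` entry rather than only exercising the `OPT_OUT` comparison.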
data/README.md
CHANGED
@@ -15,6 +15,8 @@ The gem will automatically apply several headers that are related to security.
|
|
15
15
|
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
|
16
16
|
- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
|
17
17
|
|
18
|
+
It can also mark all http cookies with the secure attribute (when configured to do so).
|
19
|
+
|
18
20
|
`secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
|
19
21
|
|
20
22
|
## Use
|
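Review bot: "when configured to do so" does not tell the reader which setting enables this; name `config.secure_cookies = true` (the option added to the configuration example further down this README) so the sentence is actionable. It is also worth stating here that the flag applies to every cookie the application sets, since the 3.1.0 CHANGELOG entry says per-cookie whitelisting is still future work.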
@@ -29,6 +31,7 @@ All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT`
|
|
29
31
|
|
30
32
|
```ruby
|
31
33
|
SecureHeaders::Configuration.default do |config|
|
34
|
+
config.secure_cookies = true # mark all cookies as "secure"
|
32
35
|
config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
|
33
36
|
config.x_frame_options = "DENY"
|
34
37
|
config.x_content_type_options = "nosniff"
|
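Review bot: the inline comment `# mark all cookies as "secure"` should say that the setting is all-or-nothing in this release: the 3.1.0 CHANGELOG entry lists per-cookie whitelisting as future work, and a browser will not send a cookie carrying the Secure attribute on a plain http request, so any cookie the application still relies on over http stops arriving once this is enabled. Suggest `config.secure_cookies = true # mark ALL cookies Secure; no per-cookie opt-out yet`.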
@@ -196,6 +196,7 @@ module SecureHeaders
|
|
196
196
|
# additions = { script_src: %w(google.com)} then idempotent_additions? would return
|
197
197
|
# because google.com is already in the config.
|
198
198
|
def idempotent_additions?(config, additions)
|
199
|
+
return true if config == OPT_OUT && additions == OPT_OUT
|
199
200
|
return false if config == OPT_OUT
|
200
201
|
config == combine_policies(config, additions)
|
201
202
|
end
|
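Review bot: the new guard only covers the case where both sides are `OPT_OUT`; when `config` is a policy hash and `additions` is `OPT_OUT`, the call still falls through to `combine_policies(config, additions)`, and nothing in this hunk shows that path handles `OPT_OUT`, so a spec for that combination (or a matching guard) would make the fix complete. The two guards can be folded into one line that keeps the ordering that matters here (the equality check must run before the unconditional `return false`): `return additions == OPT_OUT if config == OPT_OUT`. The comment above the method reads "then idempotent_additions? would return" without saying what; it should say "would return true". Note also that the `CHANGED` file header for this hunk is missing on this page; by the file list it belongs to `data/lib/secure_headers/headers/policy_management.rb`.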
data/secure_headers.gemspec
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "secure_headers"
|
4
|
-
gem.version = "3.1.
|
4
|
+
gem.version = "3.1.1"
|
5
5
|
gem.authors = ["Neil Matatall"]
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|