secure_headers 3.6.0 → 3.6.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/.travis.yml +1 -0
- data/CHANGELOG.md +5 -0
- data/README.md +3 -1
- data/lib/secure_headers.rb +1 -1
- data/lib/secure_headers/configuration.rb +1 -1
- data/lib/secure_headers/headers/content_security_policy_config.rb +21 -12
- data/lib/secure_headers/headers/policy_management.rb +2 -2
- data/lib/secure_headers/headers/referrer_policy.rb +1 -1
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
- data/lib/secure_headers/headers/x_download_options.rb +1 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -1
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
- data/secure_headers.gemspec +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4c6f04730011514076422fb3c43c8173c286c452
|
|
4
|
+
data.tar.gz: d78013640315208504a1187efabcf23fdabd750b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8ed1d507c2136e42138301e6ae6df82eb36f1271c4ebabda99d15adbb65cefab104a9f7bfe8057ec9c839bc69325da033694b5a8b2d7de75aabd07ffc3fd6933
|
|
7
|
+
data.tar.gz: aee29edfd5ce45c1e16239292cde0fd771699d71c623c938f7e3d34d56f4266c5a2e8cdb063b94c2629917c22508d96c3cd393d52df9e6e7f8807f7263cdf65b
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.
|
|
1
|
+
2.3.3
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -62,7 +62,8 @@ SecureHeaders::Configuration.default do |config|
|
|
|
62
62
|
lax: true # mark all cookies as SameSite=lax
|
|
63
63
|
}
|
|
64
64
|
}
|
|
65
|
-
|
|
65
|
+
# Add "; preload" and submit the site to hstspreload.org for best protection.
|
|
66
|
+
config.hsts = "max-age=#{20.years.to_i}; includeSubdomains"
|
|
66
67
|
config.x_frame_options = "DENY"
|
|
67
68
|
config.x_content_type_options = "nosniff"
|
|
68
69
|
config.x_xss_protection = "1; mode=block"
|
|
@@ -156,6 +157,7 @@ end
|
|
|
156
157
|
* Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
|
|
157
158
|
* Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
|
|
158
159
|
* Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/)
|
|
160
|
+
* PHP [secure-headers](https://github.com/BePsvPT/secure-headers)
|
|
159
161
|
|
|
160
162
|
## License
|
|
161
163
|
|
data/lib/secure_headers.rb
CHANGED
|
@@ -177,7 +177,7 @@ module SecureHeaders
|
|
|
177
177
|
|
|
178
178
|
header_classes_for(request).each_with_object({}) do |klass, hash|
|
|
179
179
|
if header = headers[klass::CONFIG_KEY]
|
|
180
|
-
header_name, value = if
|
|
180
|
+
header_name, value = if klass == ContentSecurityPolicyConfig || klass == ContentSecurityPolicyReportOnlyConfig
|
|
181
181
|
csp_header_for_ua(header, user_agent)
|
|
182
182
|
else
|
|
183
183
|
header
|
|
@@ -262,7 +262,7 @@ module SecureHeaders
|
|
|
262
262
|
end
|
|
263
263
|
end
|
|
264
264
|
|
|
265
|
-
# Public: Precompute the header names and values for this
|
|
265
|
+
# Public: Precompute the header names and values for this configuration.
|
|
266
266
|
# Ensures that headers generated at configure time, not on demand.
|
|
267
267
|
#
|
|
268
268
|
# Returns the cached headers
|
|
@@ -6,12 +6,7 @@ module SecureHeaders
|
|
|
6
6
|
base.attrs.each do |attr|
|
|
7
7
|
base.send(:define_method, "#{attr}=") do |value|
|
|
8
8
|
if self.class.attrs.include?(attr)
|
|
9
|
-
|
|
10
|
-
prev_value = self.instance_variable_get("@#{attr}")
|
|
11
|
-
self.instance_variable_set("@#{attr}", value)
|
|
12
|
-
if prev_value != self.instance_variable_get("@#{attr}")
|
|
13
|
-
@modified = true
|
|
14
|
-
end
|
|
9
|
+
write_attribute(attr, value)
|
|
15
10
|
else
|
|
16
11
|
raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
|
|
17
12
|
end
|
|
@@ -52,8 +47,9 @@ module SecureHeaders
|
|
|
52
47
|
|
|
53
48
|
def to_h
|
|
54
49
|
self.class.attrs.each_with_object({}) do |key, hash|
|
|
55
|
-
|
|
56
|
-
|
|
50
|
+
value = self.send(key)
|
|
51
|
+
hash[key] = value unless value.nil?
|
|
52
|
+
end
|
|
57
53
|
end
|
|
58
54
|
|
|
59
55
|
def dup
|
|
@@ -73,14 +69,26 @@ module SecureHeaders
|
|
|
73
69
|
|
|
74
70
|
private
|
|
75
71
|
def from_hash(hash)
|
|
76
|
-
hash.
|
|
72
|
+
hash.each_pair do |k, v|
|
|
73
|
+
next if v.nil?
|
|
74
|
+
|
|
77
75
|
if self.class.attrs.include?(k)
|
|
78
|
-
|
|
76
|
+
write_attribute(k, v)
|
|
79
77
|
else
|
|
80
|
-
raise ContentSecurityPolicyConfigError, "Unknown config directive: #{k}=#{
|
|
78
|
+
raise ContentSecurityPolicyConfigError, "Unknown config directive: #{k}=#{v}"
|
|
81
79
|
end
|
|
82
80
|
end
|
|
83
81
|
end
|
|
82
|
+
|
|
83
|
+
def write_attribute(attr, value)
|
|
84
|
+
value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
|
|
85
|
+
attr_variable = "@#{attr}"
|
|
86
|
+
prev_value = self.instance_variable_get(attr_variable)
|
|
87
|
+
self.instance_variable_set(attr_variable, value)
|
|
88
|
+
if prev_value != value
|
|
89
|
+
@modified = true
|
|
90
|
+
end
|
|
91
|
+
end
|
|
84
92
|
end
|
|
85
93
|
|
|
86
94
|
class ContentSecurityPolicyConfigError < StandardError; end
|
|
@@ -88,8 +96,9 @@ module SecureHeaders
|
|
|
88
96
|
CONFIG_KEY = :csp
|
|
89
97
|
HEADER_NAME = "Content-Security-Policy".freeze
|
|
90
98
|
|
|
99
|
+
ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
|
|
91
100
|
def self.attrs
|
|
92
|
-
|
|
101
|
+
ATTRS
|
|
93
102
|
end
|
|
94
103
|
|
|
95
104
|
include DynamicConfig
|
|
@@ -109,7 +109,7 @@ module SecureHeaders
|
|
|
109
109
|
DIRECTIVES_2_0 + DIRECTIVES_DRAFT
|
|
110
110
|
).freeze
|
|
111
111
|
|
|
112
|
-
ALL_DIRECTIVES =
|
|
112
|
+
ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT).uniq.sort
|
|
113
113
|
|
|
114
114
|
# Think of default-src and report-uri as the beginning and end respectively,
|
|
115
115
|
# everything else is in between.
|
|
@@ -271,7 +271,7 @@ module SecureHeaders
|
|
|
271
271
|
# copy the default-src value to the original config. This modifies the original hash.
|
|
272
272
|
def populate_fetch_source_with_default!(original, additions)
|
|
273
273
|
# in case we would be appending to an empty directive, fill it with the default-src value
|
|
274
|
-
additions.
|
|
274
|
+
additions.each_key do |directive|
|
|
275
275
|
if !original[directive] && ((source_list?(directive) && FETCH_SOURCES.include?(directive)) || nonce_added?(original, additions))
|
|
276
276
|
if nonce_added?(original, additions)
|
|
277
277
|
inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
|
|
@@ -2,7 +2,7 @@ module SecureHeaders
|
|
|
2
2
|
class STSConfigError < StandardError; end
|
|
3
3
|
|
|
4
4
|
class StrictTransportSecurity
|
|
5
|
-
HEADER_NAME = 'Strict-Transport-Security'
|
|
5
|
+
HEADER_NAME = 'Strict-Transport-Security'.freeze
|
|
6
6
|
HSTS_MAX_AGE = "631138519"
|
|
7
7
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
|
8
8
|
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
|
@@ -2,7 +2,7 @@ module SecureHeaders
|
|
|
2
2
|
class XContentTypeOptionsConfigError < StandardError; end
|
|
3
3
|
|
|
4
4
|
class XContentTypeOptions
|
|
5
|
-
HEADER_NAME = "X-Content-Type-Options"
|
|
5
|
+
HEADER_NAME = "X-Content-Type-Options".freeze
|
|
6
6
|
DEFAULT_VALUE = "nosniff"
|
|
7
7
|
CONFIG_KEY = :x_content_type_options
|
|
8
8
|
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
module SecureHeaders
|
|
2
2
|
class XPCDPConfigError < StandardError; end
|
|
3
3
|
class XPermittedCrossDomainPolicies
|
|
4
|
-
HEADER_NAME = "X-Permitted-Cross-Domain-Policies"
|
|
4
|
+
HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
|
|
5
5
|
DEFAULT_VALUE = 'none'
|
|
6
6
|
VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
|
|
7
7
|
CONFIG_KEY = :x_permitted_cross_domain_policies
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
module SecureHeaders
|
|
2
2
|
class XXssProtectionConfigError < StandardError; end
|
|
3
3
|
class XXssProtection
|
|
4
|
-
HEADER_NAME = 'X-XSS-Protection'
|
|
4
|
+
HEADER_NAME = 'X-XSS-Protection'.freeze
|
|
5
5
|
DEFAULT_VALUE = "1; mode=block"
|
|
6
6
|
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
|
|
7
7
|
CONFIG_KEY = :x_xss_protection
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.6.
|
|
4
|
+
gem.version = "3.6.1"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.6.
|
|
4
|
+
version: 3.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-01-
|
|
11
|
+
date: 2017-01-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -124,7 +124,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
124
124
|
version: '0'
|
|
125
125
|
requirements: []
|
|
126
126
|
rubyforge_project:
|
|
127
|
-
rubygems_version: 2.
|
|
127
|
+
rubygems_version: 2.5.2
|
|
128
128
|
signing_key:
|
|
129
129
|
specification_version: 4
|
|
130
130
|
summary: Add easily configured security headers to responses including content-security-policy,
|