secure_headers 3.6.0 → 3.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/.travis.yml +1 -0
- data/CHANGELOG.md +5 -0
- data/README.md +3 -1
- data/lib/secure_headers.rb +1 -1
- data/lib/secure_headers/configuration.rb +1 -1
- data/lib/secure_headers/headers/content_security_policy_config.rb +21 -12
- data/lib/secure_headers/headers/policy_management.rb +2 -2
- data/lib/secure_headers/headers/referrer_policy.rb +1 -1
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
- data/lib/secure_headers/headers/x_download_options.rb +1 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -1
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
- data/secure_headers.gemspec +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4c6f04730011514076422fb3c43c8173c286c452
|
|
4
|
+
data.tar.gz: d78013640315208504a1187efabcf23fdabd750b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8ed1d507c2136e42138301e6ae6df82eb36f1271c4ebabda99d15adbb65cefab104a9f7bfe8057ec9c839bc69325da033694b5a8b2d7de75aabd07ffc3fd6933
|
|
7
|
+
data.tar.gz: aee29edfd5ce45c1e16239292cde0fd771699d71c623c938f7e3d34d56f4266c5a2e8cdb063b94c2629917c22508d96c3cd393d52df9e6e7f8807f7263cdf65b
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.
|
|
1
|
+
2.3.3
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -62,7 +62,8 @@ SecureHeaders::Configuration.default do |config|
|
|
|
62
62
|
lax: true # mark all cookies as SameSite=lax
|
|
63
63
|
}
|
|
64
64
|
}
|
|
65
|
-
|
|
65
|
+
# Add "; preload" and submit the site to hstspreload.org for best protection.
|
|
66
|
+
config.hsts = "max-age=#{20.years.to_i}; includeSubdomains"
|
|
66
67
|
config.x_frame_options = "DENY"
|
|
67
68
|
config.x_content_type_options = "nosniff"
|
|
68
69
|
config.x_xss_protection = "1; mode=block"
|
|
@@ -156,6 +157,7 @@ end
|
|
|
156
157
|
* Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
|
|
157
158
|
* Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
|
|
158
159
|
* Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/)
|
|
160
|
+
* PHP [secure-headers](https://github.com/BePsvPT/secure-headers)
|
|
159
161
|
|
|
160
162
|
## License
|
|
161
163
|
|
data/lib/secure_headers.rb
CHANGED
|
@@ -177,7 +177,7 @@ module SecureHeaders
|
|
|
177
177
|
|
|
178
178
|
header_classes_for(request).each_with_object({}) do |klass, hash|
|
|
179
179
|
if header = headers[klass::CONFIG_KEY]
|
|
180
|
-
header_name, value = if
|
|
180
|
+
header_name, value = if klass == ContentSecurityPolicyConfig || klass == ContentSecurityPolicyReportOnlyConfig
|
|
181
181
|
csp_header_for_ua(header, user_agent)
|
|
182
182
|
else
|
|
183
183
|
header
|
|
@@ -262,7 +262,7 @@ module SecureHeaders
|
|
|
262
262
|
end
|
|
263
263
|
end
|
|
264
264
|
|
|
265
|
-
# Public: Precompute the header names and values for this
|
|
265
|
+
# Public: Precompute the header names and values for this configuration.
|
|
266
266
|
# Ensures that headers generated at configure time, not on demand.
|
|
267
267
|
#
|
|
268
268
|
# Returns the cached headers
|
|
@@ -6,12 +6,7 @@ module SecureHeaders
|
|
|
6
6
|
base.attrs.each do |attr|
|
|
7
7
|
base.send(:define_method, "#{attr}=") do |value|
|
|
8
8
|
if self.class.attrs.include?(attr)
|
|
9
|
-
|
|
10
|
-
prev_value = self.instance_variable_get("@#{attr}")
|
|
11
|
-
self.instance_variable_set("@#{attr}", value)
|
|
12
|
-
if prev_value != self.instance_variable_get("@#{attr}")
|
|
13
|
-
@modified = true
|
|
14
|
-
end
|
|
9
|
+
write_attribute(attr, value)
|
|
15
10
|
else
|
|
16
11
|
raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
|
|
17
12
|
end
|
|
@@ -52,8 +47,9 @@ module SecureHeaders
|
|
|
52
47
|
|
|
53
48
|
def to_h
|
|
54
49
|
self.class.attrs.each_with_object({}) do |key, hash|
|
|
55
|
-
|
|
56
|
-
|
|
50
|
+
value = self.send(key)
|
|
51
|
+
hash[key] = value unless value.nil?
|
|
52
|
+
end
|
|
57
53
|
end
|
|
58
54
|
|
|
59
55
|
def dup
|
|
@@ -73,14 +69,26 @@ module SecureHeaders
|
|
|
73
69
|
|
|
74
70
|
private
|
|
75
71
|
def from_hash(hash)
|
|
76
|
-
hash.
|
|
72
|
+
hash.each_pair do |k, v|
|
|
73
|
+
next if v.nil?
|
|
74
|
+
|
|
77
75
|
if self.class.attrs.include?(k)
|
|
78
|
-
|
|
76
|
+
write_attribute(k, v)
|
|
79
77
|
else
|
|
80
|
-
raise ContentSecurityPolicyConfigError, "Unknown config directive: #{k}=#{
|
|
78
|
+
raise ContentSecurityPolicyConfigError, "Unknown config directive: #{k}=#{v}"
|
|
81
79
|
end
|
|
82
80
|
end
|
|
83
81
|
end
|
|
82
|
+
|
|
83
|
+
def write_attribute(attr, value)
|
|
84
|
+
value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
|
|
85
|
+
attr_variable = "@#{attr}"
|
|
86
|
+
prev_value = self.instance_variable_get(attr_variable)
|
|
87
|
+
self.instance_variable_set(attr_variable, value)
|
|
88
|
+
if prev_value != value
|
|
89
|
+
@modified = true
|
|
90
|
+
end
|
|
91
|
+
end
|
|
84
92
|
end
|
|
85
93
|
|
|
86
94
|
class ContentSecurityPolicyConfigError < StandardError; end
|
|
@@ -88,8 +96,9 @@ module SecureHeaders
|
|
|
88
96
|
CONFIG_KEY = :csp
|
|
89
97
|
HEADER_NAME = "Content-Security-Policy".freeze
|
|
90
98
|
|
|
99
|
+
ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
|
|
91
100
|
def self.attrs
|
|
92
|
-
|
|
101
|
+
ATTRS
|
|
93
102
|
end
|
|
94
103
|
|
|
95
104
|
include DynamicConfig
|
|
@@ -109,7 +109,7 @@ module SecureHeaders
|
|
|
109
109
|
DIRECTIVES_2_0 + DIRECTIVES_DRAFT
|
|
110
110
|
).freeze
|
|
111
111
|
|
|
112
|
-
ALL_DIRECTIVES =
|
|
112
|
+
ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT).uniq.sort
|
|
113
113
|
|
|
114
114
|
# Think of default-src and report-uri as the beginning and end respectively,
|
|
115
115
|
# everything else is in between.
|
|
@@ -271,7 +271,7 @@ module SecureHeaders
|
|
|
271
271
|
# copy the default-src value to the original config. This modifies the original hash.
|
|
272
272
|
def populate_fetch_source_with_default!(original, additions)
|
|
273
273
|
# in case we would be appending to an empty directive, fill it with the default-src value
|
|
274
|
-
additions.
|
|
274
|
+
additions.each_key do |directive|
|
|
275
275
|
if !original[directive] && ((source_list?(directive) && FETCH_SOURCES.include?(directive)) || nonce_added?(original, additions))
|
|
276
276
|
if nonce_added?(original, additions)
|
|
277
277
|
inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
|
|
@@ -2,7 +2,7 @@ module SecureHeaders
|
|
|
2
2
|
class STSConfigError < StandardError; end
|
|
3
3
|
|
|
4
4
|
class StrictTransportSecurity
|
|
5
|
-
HEADER_NAME = 'Strict-Transport-Security'
|
|
5
|
+
HEADER_NAME = 'Strict-Transport-Security'.freeze
|
|
6
6
|
HSTS_MAX_AGE = "631138519"
|
|
7
7
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
|
8
8
|
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
|
@@ -2,7 +2,7 @@ module SecureHeaders
|
|
|
2
2
|
class XContentTypeOptionsConfigError < StandardError; end
|
|
3
3
|
|
|
4
4
|
class XContentTypeOptions
|
|
5
|
-
HEADER_NAME = "X-Content-Type-Options"
|
|
5
|
+
HEADER_NAME = "X-Content-Type-Options".freeze
|
|
6
6
|
DEFAULT_VALUE = "nosniff"
|
|
7
7
|
CONFIG_KEY = :x_content_type_options
|
|
8
8
|
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
module SecureHeaders
|
|
2
2
|
class XPCDPConfigError < StandardError; end
|
|
3
3
|
class XPermittedCrossDomainPolicies
|
|
4
|
-
HEADER_NAME = "X-Permitted-Cross-Domain-Policies"
|
|
4
|
+
HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
|
|
5
5
|
DEFAULT_VALUE = 'none'
|
|
6
6
|
VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
|
|
7
7
|
CONFIG_KEY = :x_permitted_cross_domain_policies
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
module SecureHeaders
|
|
2
2
|
class XXssProtectionConfigError < StandardError; end
|
|
3
3
|
class XXssProtection
|
|
4
|
-
HEADER_NAME = 'X-XSS-Protection'
|
|
4
|
+
HEADER_NAME = 'X-XSS-Protection'.freeze
|
|
5
5
|
DEFAULT_VALUE = "1; mode=block"
|
|
6
6
|
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
|
|
7
7
|
CONFIG_KEY = :x_xss_protection
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.6.
|
|
4
|
+
gem.version = "3.6.1"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.6.
|
|
4
|
+
version: 3.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-01-
|
|
11
|
+
date: 2017-01-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -124,7 +124,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
124
124
|
version: '0'
|
|
125
125
|
requirements: []
|
|
126
126
|
rubyforge_project:
|
|
127
|
-
rubygems_version: 2.
|
|
127
|
+
rubygems_version: 2.5.2
|
|
128
128
|
signing_key:
|
|
129
129
|
specification_version: 4
|
|
130
130
|
summary: Add easily configured security headers to responses including content-security-policy,
|