secure_headers 4.0.2 → 5.0.0.alpha01


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: bf4c1585c657ad3812d124ed506030b900eb3778
4
- data.tar.gz: afe30fa230c2e34ef8c9d253210e918dd8412f11
3
+ metadata.gz: 2e6ac6e6f7a69c5fef2f3a357feaff630fc394c0
4
+ data.tar.gz: 218e2ea09bc6a88370be9ad4930764cd94cc5f08
5
5
  SHA512:
6
- metadata.gz: cc3230d801ffffbb1ddb892721b54aa54bba40c0785edaa399754f10d61e3870d385710ad722754dd604922807eb5fc8aece7abfc89a75c8f4f1c9dfb1467d04
7
- data.tar.gz: 11736ff26de3b9a5ada127edc1a8e32c25a0f75269109de5d60d19dc5dc28932f2bdfc9a44c4f1c13f4a44eee4759bcc8dfe4e08a4a600bc78042767f139489b
6
+ metadata.gz: 0a2a38ec3dd215d754ea66cefeb96482fb0d2d35edf2fa13fbadd600a962b612b172b400425a7fb44304c200f9a79b7042893dfce82f48ea30734028773c205d
7
+ data.tar.gz: 5cff176050f3790236e65aec87c6f66e98adb473abcd608d3fe4eed0e587f1c7880dbc8c31735d2e3c39c766d8d4bf7a3b4df9e16673f66ab4970f4cb97e410a
data/CHANGELOG.md CHANGED
@@ -1,6 +1,6 @@
1
- ## 4.0.2
1
+ ## 5.0.0
2
2
 
3
- - Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.
3
+ Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
4
4
 
5
5
  ## 4.0.1
6
6
 
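Review bot: the `## 4.0.2` entry and its Expect-CT line are deleted instead of being kept below a new `## 5.0.0` heading, so the changelog loses the record of the 4.0.2 separator change at the same moment this release reverts it (the `lib` hunk below switches `join(", ")` back to `join("; ")`). Keep the 4.0.2 entry, add a 5.0.0 bullet that states the Expect-CT separator is reverted and why, and match the heading to the version actually being shipped (`5.0.0.alpha01`). Spelling: `embarassing` should be `embarrassing`.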
@@ -8,7 +8,7 @@
8
8
 
9
9
  ## 4.0
10
10
 
11
- - See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
11
+ - See the [upgrading to 4.0](docs/upgrading-to-4-0.md) guide. Lots of breaking changes.
12
12
 
13
13
  ## 3.7.2
14
14
 
@@ -326,7 +326,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
326
326
 
327
327
  ## 3.0.0
328
328
 
329
- secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
329
+ secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
330
330
 
331
331
  ## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning
332
332
 
data/README.md CHANGED
@@ -1,8 +1,8 @@
1
1
  # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
2
2
 
3
- **master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
3
+ **master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
4
4
 
5
- **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
5
+ **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
6
6
 
7
7
  **The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
8
8
 
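Review bot: `**master represents 5.x line**` drops the article and should read `**master represents the 5.x line**`. While this hunk is touching these lines it should also fix the pre-existing mistakes visible in the context: the `3.x` link text points at `tree/2.x`, the 2.x sentence reads `will be not be maintained`, and "once 4.x is released" is stale now that master is 5.x and 4.x has shipped.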
@@ -22,7 +22,7 @@ The gem will automatically apply several headers that are related to security.
22
22
  - Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
23
23
  - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
24
24
 
25
- It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
25
+ It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
26
26
 
27
27
  `secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
28
28
 
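Review bot: `This is on default` should read `This is on by default`. The sentence should also say what happens for plain-HTTP requests: the middleware hunk in this diff passes the config through `override_secure(env, config.cookies)` before `flag_cookies!`, so the `Secure` attribute is conditional on the request environment rather than unconditional, and the README is where a user would expect that to be stated.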
@@ -55,7 +55,7 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
55
55
 
56
56
  All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
57
57
 
58
- **Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
58
+ **Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
59
59
 
60
60
  ```ruby
61
61
  SecureHeaders::Configuration.default do |config|
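Review bot: the removed and added `**Word of caution:**` lines are byte-identical as rendered, so this hunk is a trailing-whitespace change only. Drop it from a breaking-change release diff, or land whitespace cleanups in a separate commit so reviewers are not scanning prose for a difference that is not there.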
File without changes
@@ -1,26 +1,6 @@
1
- ### Breaking Changes
2
-
3
- The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
4
-
5
- ## All cookies default to secure/httponly/SameSite=Lax
6
-
7
- By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
8
-
9
- ```ruby
10
- # specific opt outs
11
- config.cookies = {
12
- secure: SecureHeaders::OPT_OUT,
13
- httponly: SecureHeaders::OPT_OUT,
14
- samesite: SecureHeaders::OPT_OUT,
15
- }
16
-
17
- # nuclear option, just make things work again
18
- config.cookies = SecureHeaders::OPT_OUT
19
- ```
20
-
21
1
  ## script_src must be set
22
2
 
23
- Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
3
+ Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
24
4
 
25
5
  However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
26
6
 
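Review bot: deleting the whole `### Breaking Changes` block from the 4.0 guide, including the intro paragraph and the cookie opt-out example, leaves the 4.0 guide saying nothing about cookies even though 4.0's post-install message told users to update their cookie configuration. Since the 5.0 changelog says 4.0 never actually applied these defaults, replace the section with a short note stating that rather than silently removing it, so someone reading the 4.0 guide understands why their 4.x app behaved differently. The `## script_src must be set` paragraph change in the same hunk is whitespace-only and should go.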
@@ -0,0 +1,15 @@
1
+ ## All cookies default to secure/httponly/SameSite=Lax
2
+
3
+ By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
4
+
5
+ ```ruby
6
+ # specific opt outs
7
+ config.cookies = {
8
+ secure: SecureHeaders::OPT_OUT,
9
+ httponly: SecureHeaders::OPT_OUT,
10
+ samesite: SecureHeaders::OPT_OUT,
11
+ }
12
+
13
+ # nuclear option, just make things work again
14
+ config.cookies = SecureHeaders::OPT_OUT
15
+ ```
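Review bot: the new guide carries the 4.0 text over verbatim, including "Setting these values to `false` will raise an error", but the configuration spec added in this diff (`allows me to be explicit too`) sets `samesite: {lax: false}` and expects it to be accepted. Spell out which keys reject `false` (the top-level `secure`, `httponly`, `samesite`) versus the nested samesite hash, so the guide and the spec do not read as contradicting each other. The prose says `SecureHeaders.cookies` while the example uses `config.cookies`; pick one. Since the middleware applies `override_secure(env, …)` before flagging, one sentence on what the `secure` default means for plain-HTTP responses belongs here too, because that is the case most likely to surprise an upgrader in development.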
@@ -132,7 +132,7 @@ module SecureHeaders
132
132
  end
133
133
 
134
134
  def initialize(&block)
135
- @cookies = nil
135
+ @cookies = self.class.send(:deep_copy_if_hash, Cookie::COOKIE_DEFAULTS)
136
136
  @clear_site_data = nil
137
137
  @csp = nil
138
138
  @csp_report_only = nil
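Review bot: `self.class.send(:deep_copy_if_hash, Cookie::COOKIE_DEFAULTS)` uses `send` to bypass visibility, which suggests `deep_copy_if_hash` is private on the class. Prefer a public helper such as a `Cookie.default_config` method that returns a fresh copy, so the constant cannot be mutated through a `Configuration` instance and the initializer does not depend on a private method name. `Cookie::COOKIE_DEFAULTS` itself is not in this diff; confirm it is frozen and that its value is the `{httponly: true, secure: true, samesite: {lax: true}}` the new spec asserts, since the spec is the only place that value appears on this page.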
@@ -49,7 +49,7 @@ module SecureHeaders
49
49
  enforced_directive,
50
50
  max_age_directive,
51
51
  report_uri_directive
52
- ].compact.join(", ").strip
52
+ ].compact.join("; ").strip
53
53
  end
54
54
 
55
55
  def enforced_directive
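Review bot: switching `join(", ")` back to `join("; ")` reverts the 4.0.2 change that the removed changelog line described as "use a comma separator between directives, as specified in the most current spec", and nothing in this diff says why. If the draft the README links (`draft-stark-expect-ct`) uses commas, this is a regression that will produce a malformed `Expect-CT` header; if semicolons are intended, record the reason in the changelog and keep the README reference in sync. Either way the separator change should not ride along unannounced in a release that is about cookie defaults.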
@@ -17,7 +17,7 @@ module SecureHeaders
17
17
  Kernel.warn(HPKP_SAME_HOST_WARNING)
18
18
  end
19
19
 
20
- flag_cookies!(headers, override_secure(env, config.cookies)) if config.cookies
20
+ flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
21
21
  headers.merge!(SecureHeaders.header_hash_for(req))
22
22
  [status, headers, response]
23
23
  end
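Review bot: `unless config.cookies == OPT_OUT` no longer guards against `nil`. The old `if config.cookies` skipped flagging when cookies were unset, but an override that sets `config.cookies = nil` (the README says `nil` falls back to the default) now reaches `flag_cookies!(headers, override_secure(env, nil))`. Either normalize `nil` to `Cookie::COOKIE_DEFAULTS` before this line, or write the condition as `unless config.cookies.nil? || config.cookies == OPT_OUT`, and add a middleware spec for the `nil` case so the behaviour is pinned down.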
@@ -2,7 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "secure_headers"
5
- gem.version = "4.0.2"
5
+ gem.version = "5.0.0.alpha01"
6
6
  gem.authors = ["Neil Matatall"]
7
7
  gem.email = ["neil.matatall@gmail.com"]
8
8
  gem.description = "Manages application of security headers with many safe defaults."
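Review bot: `gem.version = "5.0.0.alpha01"` does not match the `## 5.0.0` heading added to the CHANGELOG in this same diff; keep the two consistent. The prerelease suffix is also what drives the `required_rubygems_version` change further down in the metadata, so it is worth a line in the changelog that this is an alpha.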
@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
22
22
  gem.post_install_message = <<-POST_INSTALL
23
23
 
24
24
  **********
25
- :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
25
+ :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
26
26
  **********
27
27
 
28
28
  POST_INSTALL
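Review bot: the post-install message links `docs/upgrading-to-4-0.md` twice and never links the guide this release actually needs. Replace the duplicated URL with `https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md`, and since the message is printed on every install of 5.0, drop the phrase about a "lot of breaking changes" if the only behavioural change is the cookie defaults described in the changelog.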
@@ -91,5 +91,27 @@ module SecureHeaders
91
91
  end
92
92
  }.to raise_error(ArgumentError)
93
93
  end
94
+
95
+ it "gives cookies a default config" do
96
+ expect(Configuration.default.cookies).to eq({httponly: true, secure: true, samesite: {lax: true}})
97
+ end
98
+
99
+ it "allows OPT_OUT" do
100
+ Configuration.default do |config|
101
+ config.cookies = OPT_OUT
102
+ end
103
+
104
+ config = Configuration.get
105
+ expect(config.cookies).to eq(OPT_OUT)
106
+ end
107
+
108
+ it "allows me to be explicit too" do
109
+ Configuration.default do |config|
110
+ config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
111
+ end
112
+
113
+ config = Configuration.get
114
+ expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
115
+ end
94
116
  end
95
117
  end
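Review bot: the new specs cover the default, `OPT_OUT` and an explicit hash, but not the failure path the upgrade guide promises ("Setting these values to `false` will raise an error"). Add cases such as `config.cookies = {secure: false}` (and likewise for `httponly` and `samesite`) asserting the raise; otherwise the documented behaviour is untested. The `samesite: {lax: false}` case in `allows me to be explicit too` deserves a one-line comment explaining that the nested hash is allowed to be `false` while the top-level keys are not, so it is not read as contradicting the guide.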
@@ -3,13 +3,13 @@ require "spec_helper"
3
3
 
4
4
  module SecureHeaders
5
5
  describe ExpectCertificateTransparency do
6
- specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce, max-age=1234") }
6
+ specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce; max-age=1234") }
7
7
  specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
8
8
  specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
9
- specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"") }
9
+ specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234; report-uri=\"https://report-uri.io/expect-ct\"") }
10
10
  specify do
11
11
  config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
12
- header_value = "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\""
12
+ header_value = "enforce; max-age=1234; report-uri=\"https://report-uri.io/expect-ct\""
13
13
  expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
14
14
  end
15
15
 
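Review bot: these expectations flip from `, ` to `; ` with no accompanying assertion about which specification the format follows, so the next contributor has nothing stopping them from flipping it back. Add a spec (or at least a comment) naming the draft the separator is taken from. Separately, the metadata in this diff renames this file to `expect_certificate_spec.rb`, which no longer matches the class under test (`ExpectCertificateTransparency`); keep `expect_certificate_transparency_spec.rb`.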
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.0.2
4
+ version: 5.0.0.alpha01
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-10-19 00:00:00.000000000 Z
11
+ date: 2017-10-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
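Review bot: the build date moves backwards, `2017-10-04` for 5.0.0.alpha01 against `2017-10-19` for 4.0.2. That is consistent with this gem being cut from a branch that predates the 4.0.2 release, and it would explain the other reverts visible in this diff (the Expect-CT separator and the dropped 4.0.2 changelog entry). Rebase the 5.0 branch onto 4.0.2 before publishing the alpha so those fixes are not lost.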
@@ -67,6 +67,9 @@ files:
67
67
  - docs/named_overrides_and_appends.md
68
68
  - docs/per_action_configuration.md
69
69
  - docs/sinatra.md
70
+ - docs/upgrading-to-3-0.md
71
+ - docs/upgrading-to-4-0.md
72
+ - docs/upgrading-to-5-0.md
70
73
  - lib/secure_headers.rb
71
74
  - lib/secure_headers/configuration.rb
72
75
  - lib/secure_headers/hash_helper.rb
@@ -94,7 +97,7 @@ files:
94
97
  - spec/lib/secure_headers/headers/clear_site_data_spec.rb
95
98
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
96
99
  - spec/lib/secure_headers/headers/cookie_spec.rb
97
- - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
100
+ - spec/lib/secure_headers/headers/expect_certificate_spec.rb
98
101
  - spec/lib/secure_headers/headers/policy_management_spec.rb
99
102
  - spec/lib/secure_headers/headers/public_key_pins_spec.rb
100
103
  - spec/lib/secure_headers/headers/referrer_policy_spec.rb
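Review bot: the spec file is renamed from `expect_certificate_transparency_spec.rb` to `expect_certificate_spec.rb`, but the spec body in this diff still describes `ExpectCertificateTransparency`. The shorter name is misleading; revert the rename so the file name matches the header class, as every other spec in this list does.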
@@ -108,8 +111,6 @@ files:
108
111
  - spec/lib/secure_headers/view_helpers_spec.rb
109
112
  - spec/lib/secure_headers_spec.rb
110
113
  - spec/spec_helper.rb
111
- - upgrading-to-3-0.md
112
- - upgrading-to-4-0.md
113
114
  homepage: https://github.com/twitter/secureheaders
114
115
  licenses:
115
116
  - Apache Public License 2.0
@@ -117,7 +118,7 @@ metadata: {}
117
118
  post_install_message: |2+
118
119
 
119
120
  **********
120
- :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
121
+ :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
121
122
  **********
122
123
 
123
124
  rdoc_options: []
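Review bot: this is the generated copy of the gemspec `post_install_message`, so it repeats the duplicated `upgrading-to-4-0.md` URL; fixing the gemspec to point at `docs/upgrading-to-5-0.md` and rebuilding the gem will correct it here as well.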
@@ -130,9 +131,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
130
131
  version: '0'
131
132
  required_rubygems_version: !ruby/object:Gem::Requirement
132
133
  requirements:
133
- - - ">="
134
+ - - ">"
134
135
  - !ruby/object:Gem::Version
135
- version: '0'
136
+ version: 1.3.1
136
137
  requirements: []
137
138
  rubyforge_project:
138
139
  rubygems_version: 2.6.11
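Review bot: the `required_rubygems_version` change from `>= 0` to `> 1.3.1` is not a hand-edit; RubyGems sets it automatically when the version string is a prerelease (`5.0.0.alpha01`). No action needed, but it means anyone pinning this alpha needs a RubyGems newer than 1.3.1, which is worth one line in the upgrade guide.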
@@ -145,7 +146,7 @@ test_files:
145
146
  - spec/lib/secure_headers/headers/clear_site_data_spec.rb
146
147
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
147
148
  - spec/lib/secure_headers/headers/cookie_spec.rb
148
- - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
149
+ - spec/lib/secure_headers/headers/expect_certificate_spec.rb
149
150
  - spec/lib/secure_headers/headers/policy_management_spec.rb
150
151
  - spec/lib/secure_headers/headers/public_key_pins_spec.rb
151
152
  - spec/lib/secure_headers/headers/referrer_policy_spec.rb