secure_headers 6.0.0 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6d7392744d486b32bda2b91432d39ddfeee87dfd
-  data.tar.gz: 38328982bf71376b9412ed8c7d0652163741bf16
+SHA256:
+  metadata.gz: 26a6b47b87ec772f94c264ef318bf4c20997b3a541898f80110a1bd26a471753
+  data.tar.gz: 73e40f805bafe030a82cbe37cdf499acea6c2613cce3c25964db89a9fde2f172
 SHA512:
-  metadata.gz: e08d9df89db6908d0c8419d0086bf8fb6c7e374c53e0bf774bd74d534094c66ef3cdcbac23e97c03b05d4045ba6878c3f6d8a17877146bdb6f2f0c15b57d1784
-  data.tar.gz: 304824374c236d11edc52049732a2ea133bbbdf611f35b2c5309a950125e879fb4016f0f15d7ad6c09310ab4b6080e966fac912147f43ed91989aa15898595a7
+  metadata.gz: ed3eb3ba011292b668fd786a22a2c9d93a20067e4391881eafc555f978a7ae3c5da33741f82c908b7cfe4c66cb837f9fc1b2f7360be788d320dab0694fdaeb66
+  data.tar.gz: df5800647d9dc5462d51529461d85374831bdc1fe0755949d4ec9764f69810c7e5456be1095f25d4b34bb2ec2c3c0773243d2ce4ebaf4c11bace6ea035201947

data/.ruby-version

@@ -1 +1 @@
-2.4.2
+2.6.1

data/.travis.yml

@@ -2,10 +2,9 @@ language: ruby
 
 rvm:
   - ruby-head
+  - 2.6.1
   - 2.5.0
   - 2.4.3
-  - 2.3.6
-  - 2.2.9
   - jruby-head
 
 env:

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 6.1
+
+Adds support for navigate-to, prefetch-src, and require-sri-for #395
+
 ## 6.0
 
 - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.

data/README.md

@@ -2,10 +2,6 @@
 
 **master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
-**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
-
-**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
-
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
   - https://csp.withgoogle.com
@@ -33,20 +29,6 @@ It can also mark all http cookies with the Secure, HttpOnly and SameSite attribu
 - [Hashes](docs/hashes.md)
 - [Sinatra Config](docs/sinatra.md)
 
-## Getting Started
-
-### Rails 3+
-
-For Rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. If for some reason the middleware is not being included follow the instructions for Rails 2.
-
-### Rails 2
-
-For Rails 2 or non-rails applications, an explicit statement is required to use the middleware component.
-
-```ruby
-use SecureHeaders::Middleware
-```
-
 ## Configuration
 
 If you do not supply a `default` configuration, exceptions will be raised. If you would like to use a default configuration (which is fairly locked down), just call `SecureHeaders::Configuration.default` without any arguments or block.
@@ -119,6 +101,23 @@ X-Permitted-Cross-Domain-Policies: none
 X-Xss-Protection: 1; mode=block
 ```
 
+## API configurations
+
+Which headers you decide to use for API responses is entirely a personal choice. Things like X-Frame-Options seem to have no place in an API response and would be wasting bytes. While this is true, browsers can do funky things with non-html responses. At the minimum, we suggest CSP:
+
+```ruby
+SecureHeaders::Configuration.override(:api) do |config|
+  config.csp = { default_src: 'none' }
+  config.hsts = SecureHeaders::OPT_OUT
+  config.x_frame_options = SecureHeaders::OPT_OUT
+  config.x_content_type_options = SecureHeaders::OPT_OUT
+  config.x_xss_protection = SecureHeaders::OPT_OUT
+  config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
+end
+```
+
+However, I would consider these headers anyways depending on your load and bandwidth requirements. 
+
 ## Similar libraries
 
 * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)

data/lib/secure_headers.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 require "secure_headers/hash_helper"
 require "secure_headers/headers/cookie"
-require "secure_headers/headers/public_key_pins"
 require "secure_headers/headers/content_security_policy"
 require "secure_headers/headers/x_frame_options"
 require "secure_headers/headers/strict_transport_security"
@@ -18,8 +17,7 @@ require "secure_headers/view_helper"
 require "singleton"
 require "secure_headers/configuration"
 
-# All headers (except for hpkp) have a default value. Provide SecureHeaders::OPT_OUT
-# or ":optout_of_protection" as a config value to disable a given header
+# Provide SecureHeaders::OPT_OUT as a config value to disable a given header
 module SecureHeaders
   class NoOpHeaderConfig
     include Singleton
@@ -51,10 +49,6 @@ module SecureHeaders
   HTTPS = "https".freeze
   CSP = ContentSecurityPolicy
 
-  # Headers set on http requests (excludes STS and HPKP)
-  HTTPS_HEADER_CLASSES =
-    [StrictTransportSecurity, PublicKeyPins].freeze
-
   class << self
     # Public: override a given set of directives for the current request. If a
     # value already exists for a given directive, it will be overridden.
@@ -138,7 +132,7 @@ module SecureHeaders
     # Public: Builds the hash of headers that should be applied base on the
     # request.
     #
-    # StrictTransportSecurity and PublicKeyPins are not applied to http requests.
+    # StrictTransportSecurity is not applied to http requests.
     # See #config_for to determine which config is used for a given request.
     #
     # Returns a hash of header names => header values. The value
@@ -151,9 +145,7 @@ module SecureHeaders
       headers = config.generate_headers
 
       if request.scheme != HTTPS
-        HTTPS_HEADER_CLASSES.each do |klass|
-          headers.delete(klass::HEADER_NAME)
-        end
+        headers.delete(StrictTransportSecurity::HEADER_NAME)
       end
       headers
     end

data/lib/secure_headers/configuration.rb

@@ -115,7 +115,6 @@ module SecureHeaders
       expect_certificate_transparency: ExpectCertificateTransparency,
       csp: ContentSecurityPolicy,
       csp_report_only: ContentSecurityPolicy,
-      hpkp: PublicKeyPins,
       cookies: Cookie,
     }.freeze
 
@@ -144,7 +143,6 @@ module SecureHeaders
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil
-      @hpkp = nil
       @hsts = nil
       @x_content_type_options = nil
       @x_download_options = nil
@@ -153,7 +151,6 @@ module SecureHeaders
       @x_xss_protection = nil
       @expect_certificate_transparency = nil
 
-      self.hpkp = OPT_OUT
       self.referrer_policy = OPT_OUT
       self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
       self.csp_report_only = OPT_OUT
@@ -178,7 +175,6 @@ module SecureHeaders
       copy.clear_site_data = @clear_site_data
       copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
-      copy.hpkp = @hpkp
       copy
     end
 
@@ -263,10 +259,5 @@ module SecureHeaders
         raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
     end
-
-    def hpkp_report_host
-      return nil unless @hpkp && hpkp != OPT_OUT && @hpkp[:report_uri]
-      URI.parse(@hpkp[:report_uri]).host
-    end
   end
 end

data/lib/secure_headers/headers/content_security_policy.rb

@@ -51,14 +51,14 @@ module SecureHeaders
     def build_value
       directives.map do |directive_name|
         case DIRECTIVE_VALUE_TYPES[directive_name]
+        when :source_list, :require_sri_for_list # require_sri is a simple set of strings that don't need to deal with symbol casing
+          build_source_list_directive(directive_name)
         when :boolean
           symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
         when :sandbox_list
           build_sandbox_list_directive(directive_name)
         when :media_type_list
           build_media_type_list_directive(directive_name)
-        when :source_list
-          build_source_list_directive(directive_name)
         end
       end.compact.join("; ")
     end

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -27,11 +27,14 @@ module SecureHeaders
       @img_src = nil
       @manifest_src = nil
       @media_src = nil
+      @navigate_to = nil
       @object_src = nil
       @plugin_types = nil
+      @prefetch_src = nil
       @preserve_schemes = nil
       @report_only = nil
       @report_uri = nil
+      @require_sri_for = nil
       @sandbox = nil
       @script_nonce = nil
       @script_src = nil

data/lib/secure_headers/headers/policy_management.rb

@@ -1,4 +1,7 @@
 # frozen_string_literal: true
+
+require "set"
+
 module SecureHeaders
   module PolicyManagement
     def self.included(base)
@@ -70,6 +73,9 @@ module SecureHeaders
     # https://w3c.github.io/webappsec/specs/CSP2/
     BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
+    NAVIGATE_TO = :navigate_to
+    PREFETCH_SRC = :prefetch_src
+    REQUIRE_SRI_FOR = :require_sri_for
     UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
     WORKER_SRC = :worker_src
 
@@ -77,6 +83,9 @@ module SecureHeaders
       DIRECTIVES_2_0,
       BLOCK_ALL_MIXED_CONTENT,
       MANIFEST_SRC,
+      NAVIGATE_TO,
+      PREFETCH_SRC,
+      REQUIRE_SRI_FOR,
       WORKER_SRC,
       UPGRADE_INSECURE_REQUESTS
     ].flatten.freeze
@@ -100,14 +109,17 @@ module SecureHeaders
       IMG_SRC                   => :source_list,
       MANIFEST_SRC              => :source_list,
       MEDIA_SRC                 => :source_list,
+      NAVIGATE_TO               => :source_list,
       OBJECT_SRC                => :source_list,
       PLUGIN_TYPES              => :media_type_list,
+      REQUIRE_SRI_FOR           => :require_sri_for_list,
       REPORT_URI                => :source_list,
+      PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
       STYLE_SRC                 => :source_list,
       WORKER_SRC                => :source_list,
-      UPGRADE_INSECURE_REQUESTS => :boolean
+      UPGRADE_INSECURE_REQUESTS => :boolean,
     }.freeze
 
     # These are directives that don't have use a source list, and hence do not
@@ -122,7 +134,8 @@ module SecureHeaders
       BASE_URI,
       FORM_ACTION,
       FRAME_ANCESTORS,
-      REPORT_URI
+      NAVIGATE_TO,
+      REPORT_URI,
     ]
 
     FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES
@@ -148,6 +161,8 @@ module SecureHeaders
       :style_nonce
     ].freeze
 
+    REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
+
     module ClassMethods
       # Public: generate a header name, value array that is user-agent-aware.
       #
@@ -241,7 +256,8 @@ module SecureHeaders
       def list_directive?(directive)
         source_list?(directive) ||
           sandbox_list?(directive) ||
-          media_type_list?(directive)
+          media_type_list?(directive) ||
+          require_sri_for_list?(directive)
       end
 
       # For each directive in additions that does not exist in the original config,
@@ -274,11 +290,17 @@ module SecureHeaders
         DIRECTIVE_VALUE_TYPES[directive] == :media_type_list
       end
 
+      def require_sri_for_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :require_sri_for_list
+      end
+
       # Private: Validates that the configuration has a valid type, or that it is a valid
       # source expression.
       def validate_directive!(directive, value)
         ensure_valid_directive!(directive)
         case ContentSecurityPolicy::DIRECTIVE_VALUE_TYPES[directive]
+        when :source_list
+          validate_source_expression!(directive, value)
         when :boolean
           unless boolean?(value)
             raise ContentSecurityPolicyConfigError.new("#{directive} must be a boolean. Found #{value.class} value")
@@ -287,8 +309,8 @@ module SecureHeaders
           validate_sandbox_expression!(directive, value)
         when :media_type_list
           validate_media_type_expression!(directive, value)
-        when :source_list
-          validate_source_expression!(directive, value)
+        when :require_sri_for_list
+          validate_require_sri_source_expression!(directive, value)
         else
           raise ContentSecurityPolicyConfigError.new("Unknown directive #{directive}")
         end
@@ -323,6 +345,16 @@ module SecureHeaders
         end
       end
 
+      # Private: validates that a require sri for expression:
+      # 1. is an array of strings
+      # 2. is a subset of ["string", "style"]
+      def validate_require_sri_source_expression!(directive, require_sri_for_expression)
+        ensure_array_of_strings!(directive, require_sri_for_expression)
+        unless require_sri_for_expression.to_set.subset?(REQUIRE_SRI_FOR_VALUES)
+          raise ContentSecurityPolicyConfigError.new(%(require-sri for must be a subset of #{REQUIRE_SRI_FOR_VALUES.to_a} but was #{require_sri_for_expression}))
+        end
+      end
+
       # Private: validates that a source expression:
       # 1. is an array of strings
       # 2. does not contain any deprecated, now invalid values (inline, eval, self, none)

data/lib/secure_headers/middleware.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 module SecureHeaders
   class Middleware
-    HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"
-
     def initialize(app)
       @app = app
     end
@@ -13,10 +11,6 @@ module SecureHeaders
       status, headers, response = @app.call(env)
 
       config = SecureHeaders.config_for(req)
-      if config.hpkp_report_host == req.host
-        Kernel.warn(HPKP_SAME_HOST_WARNING)
-      end
-
       flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]

data/lib/secure_headers/utils/cookies_config.rb

@@ -65,7 +65,7 @@ module SecureHeaders
 
     def validate_hash_or_true_or_opt_out!(attribute)
       if !(is_hash?(config[attribute]) || is_true_or_opt_out?(config[attribute]))
-        raise CookiesConfigError.new("#{attribute} cookie config must be a hash or boolean")
+        raise CookiesConfigError.new("#{attribute} cookie config must be a hash, true, or SecureHeaders::OPT_OUT")
       end
     end
 

data/lib/secure_headers/version.rb

@@ -0,0 +1,3 @@
+module SecureHeaders
+  VERSION = "6.1.0"
+end

data/secure_headers.gemspec

@@ -1,8 +1,12 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "secure_headers/version"
+
 # -*- encoding: utf-8 -*-
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "6.0.0"
+  gem.version       = SecureHeaders::VERSION
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -116,6 +116,31 @@ module SecureHeaders
         ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
       end
 
+      it "allows script as a require-sri-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_sri_for: %w(script))
+        expect(csp.value).to eq("default-src 'self'; require-sri-for script")
+      end
+
+      it "allows style as a require-sri-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_sri_for: %w(style))
+        expect(csp.value).to eq("default-src 'self'; require-sri-for style")
+      end
+
+      it "allows script and style as a require-sri-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_sri_for: %w(script style))
+        expect(csp.value).to eq("default-src 'self'; require-sri-for script style")
+      end
+
+      it "includes prefetch-src" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), prefetch_src: %w(foo.com))
+        expect(csp.value).to eq("default-src 'self'; prefetch-src foo.com")
+      end
+
+      it "includes navigate-to" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), navigate_to: %w(foo.com))
+        expect(csp.value).to eq("default-src 'self'; navigate-to foo.com")
+      end
+
       it "supports strict-dynamic" do
         csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -28,24 +28,29 @@ module SecureHeaders
 
           # directive values: these values will directly translate into source directives
           default_src: %w(https: 'self'),
-          frame_src: %w('self' *.twimg.com itunes.apple.com),
-          child_src: %w('self' *.twimg.com itunes.apple.com),
+
+          base_uri: %w('self'),
+          block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
           connect_src: %w(wss:),
+          child_src: %w('self' *.twimg.com itunes.apple.com),
           font_src: %w('self' data:),
+          form_action: %w('self' github.com),
+          frame_ancestors: %w('none'),
+          frame_src: %w('self' *.twimg.com itunes.apple.com),
           img_src: %w(mycdn.com data:),
           manifest_src: %w(manifest.com),
           media_src: %w(utoob.com),
+          navigate_to: %w(netscape.com),
           object_src: %w('self'),
+          plugin_types: %w(application/x-shockwave-flash),
+          prefetch_src: %w(fetch.com),
+          require_sri_for: %w(script style),
           script_src: %w('self'),
           style_src: %w('unsafe-inline'),
-          worker_src: %w(worker.com),
-          base_uri: %w('self'),
-          form_action: %w('self' github.com),
-          frame_ancestors: %w('none'),
-          plugin_types: %w(application/x-shockwave-flash),
-          block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
           upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-          report_uri: %w(https://example.com/uri-directive)
+          worker_src: %w(worker.com),
+
+          report_uri: %w(https://example.com/uri-directive),
         }
 
         ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(config))

data/spec/lib/secure_headers/middleware_spec.rb

@@ -14,25 +14,6 @@ module SecureHeaders
       Configuration.default
     end
 
-    it "warns if the hpkp report-uri host is the same as the current host" do
-      report_host = "report-uri.io"
-      reset_config
-      Configuration.default do |config|
-        config.hpkp = {
-          max_age: 10000000,
-          pins: [
-            {sha256: "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"},
-            {sha256: "73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f"}
-          ],
-          report_uri: "https://#{report_host}/example-hpkp"
-        }
-      end
-
-      expect(Kernel).to receive(:warn).with(Middleware::HPKP_SAME_HOST_WARNING)
-
-      middleware.call(Rack::MockRequest.env_for("https://#{report_host}", {}))
-    end
-
     it "sets the headers" do
       _, env = middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
       expect_default_values(env)

data/spec/lib/secure_headers_spec.rb

@@ -90,16 +90,6 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = { default_src: ["example.com"], script_src: %w('self') }
           config.csp_report_only = config.csp
-          config.hpkp = {
-            report_only: false,
-            max_age: 10000000,
-            include_subdomains: true,
-            report_uri: "https://report-uri.io/example-hpkp",
-            pins: [
-              {sha256: "abc"},
-              {sha256: "123"}
-            ]
-          }
         end
         SecureHeaders.opt_out_of_all_protection(request)
         hash = SecureHeaders.header_hash_for(request)
@@ -141,23 +131,6 @@ module SecureHeaders
         expect(SecureHeaders.header_hash_for(plaintext_request)[StrictTransportSecurity::HEADER_NAME]).to be_nil
       end
 
-      it "does not set the HPKP header if request is over HTTP" do
-        plaintext_request = Rack::Request.new({})
-        Configuration.default do |config|
-          config.hpkp = {
-            max_age: 1_000_000,
-            include_subdomains: true,
-            report_uri: "//example.com/uri-directive",
-            pins: [
-              { sha256: "abc" },
-              { sha256: "123" }
-            ]
-          }
-        end
-
-        expect(SecureHeaders.header_hash_for(plaintext_request)[PublicKeyPins::HEADER_NAME]).to be_nil
-      end
-
       context "content security policy" do
         let(:chrome_request) {
           Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
@@ -531,14 +504,6 @@ module SecureHeaders
         end.to raise_error(ReferrerPolicyConfigError)
       end
 
-      it "validates your hpkp config upon configuration" do
-        expect do
-          Configuration.default do |config|
-            config.hpkp = "lol"
-          end
-        end.to raise_error(PublicKeyPinsConfigError)
-      end
-
       it "validates your cookies config upon configuration" do
         expect do
           Configuration.default do |config|

data/spec/spec_helper.rb

@@ -37,7 +37,6 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ClearSiteData::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
-  expect(hash[SecureHeaders::PublicKeyPins::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.0.0
+  version: 6.1.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-08 00:00:00.000000000 Z
+date: 2019-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -65,7 +65,6 @@ files:
 - lib/secure_headers/headers/cookie.rb
 - lib/secure_headers/headers/expect_certificate_transparency.rb
 - lib/secure_headers/headers/policy_management.rb
-- lib/secure_headers/headers/public_key_pins.rb
 - lib/secure_headers/headers/referrer_policy.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
@@ -76,6 +75,7 @@ files:
 - lib/secure_headers/middleware.rb
 - lib/secure_headers/railtie.rb
 - lib/secure_headers/utils/cookies_config.rb
+- lib/secure_headers/version.rb
 - lib/secure_headers/view_helper.rb
 - lib/tasks/tasks.rake
 - secure_headers.gemspec
@@ -85,7 +85,6 @@ files:
 - spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
@@ -116,8 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,
@@ -129,7 +127,6 @@ test_files:
 - spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb

data/lib/secure_headers/headers/public_key_pins.rb

@@ -1,81 +0,0 @@
-# frozen_string_literal: true
-module SecureHeaders
-  class PublicKeyPinsConfigError < StandardError; end
-  class PublicKeyPins
-    HEADER_NAME = "Public-Key-Pins".freeze
-    REPORT_ONLY = "Public-Key-Pins-Report-Only".freeze
-    HASH_ALGORITHMS = [:sha256].freeze
-
-
-    class << self
-      # Public: make an hpkp header name, value pair
-      #
-      # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config, user_agent = nil)
-        return if config.nil? || config == OPT_OUT
-        header = new(config)
-        [header.name, header.value]
-      end
-
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise PublicKeyPinsConfigError.new("config must be a hash.") unless config.is_a? Hash
-
-        if !config[:max_age]
-          raise PublicKeyPinsConfigError.new("max-age is a required directive.")
-        elsif config[:max_age].to_s !~ /\A\d+\z/
-          raise PublicKeyPinsConfigError.new("max-age must be a number.
-                                            #{config[:max_age]} was supplied.")
-        elsif config[:pins] && config[:pins].length < 2
-          raise PublicKeyPinsConfigError.new("A minimum of 2 pins are required.")
-        end
-      end
-    end
-
-    def initialize(config)
-      @max_age = config.fetch(:max_age, nil)
-      @pins = config.fetch(:pins, nil)
-      @report_uri = config.fetch(:report_uri, nil)
-      @report_only = !!config.fetch(:report_only, nil)
-      @include_subdomains = !!config.fetch(:include_subdomains, nil)
-    end
-
-    def name
-      if @report_only
-        REPORT_ONLY
-      else
-        HEADER_NAME
-      end
-    end
-
-    def value
-      [
-        max_age_directive,
-        pin_directives,
-        report_uri_directive,
-        subdomain_directive
-      ].compact.join("; ").strip
-    end
-
-    def pin_directives
-      return nil if @pins.nil?
-      @pins.collect do |pin|
-        pin.map do |token, hash|
-          "pin-#{token}=\"#{hash}\"" if HASH_ALGORITHMS.include?(token)
-        end
-      end.join("; ")
-    end
-
-    def max_age_directive
-      "max-age=#{@max_age}" if @max_age
-    end
-
-    def report_uri_directive
-      "report-uri=\"#{@report_uri}\"" if @report_uri
-    end
-
-    def subdomain_directive
-      @include_subdomains ? "includeSubDomains" : nil
-    end
-  end
-end

data/spec/lib/secure_headers/headers/public_key_pins_spec.rb

@@ -1,38 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe PublicKeyPins do
-    specify { expect(PublicKeyPins.new(max_age: 1234, report_only: true).name).to eq("Public-Key-Pins-Report-Only") }
-    specify { expect(PublicKeyPins.new(max_age: 1234).name).to eq("Public-Key-Pins") }
-
-    specify { expect(PublicKeyPins.new(max_age: 1234).value).to eq("max-age=1234") }
-    specify { expect(PublicKeyPins.new(max_age: 1234).value).to eq("max-age=1234") }
-    specify do
-      config = { max_age: 1234, pins: [{ sha256: "base64encodedpin1" }, { sha256: "base64encodedpin2" }] }
-      header_value = "max-age=1234; pin-sha256=\"base64encodedpin1\"; pin-sha256=\"base64encodedpin2\""
-      expect(PublicKeyPins.new(config).value).to eq(header_value)
-    end
-
-    context "with an invalid configuration" do
-      it "raises an exception when max-age is not provided" do
-        expect do
-          PublicKeyPins.validate_config!(foo: "bar")
-        end.to raise_error(PublicKeyPinsConfigError)
-      end
-
-      it "raises an exception with an invalid max-age" do
-        expect do
-          PublicKeyPins.validate_config!(max_age: "abc123")
-        end.to raise_error(PublicKeyPinsConfigError)
-      end
-
-      it "raises an exception with less than 2 pins" do
-        expect do
-          config = { max_age: 1234, pins: [{ sha256: "base64encodedpin" }] }
-          PublicKeyPins.validate_config!(config)
-        end.to raise_error(PublicKeyPinsConfigError)
-      end
-    end
-  end
-end