Class: Pah::Templates::SecureHeader

Inherits:
Pah::Template
  • Object
Defined in:
lib/pah/templates/secure_headers.rb


Methods inherited from Pah::Template

#ask_unless_test, #copy_static_file, #git_commit, #static_files, #will_you_like_to?

Instance Method Details

#call ⇒ Object



# File 'lib/pah/templates/secure_headers.rb', line 4

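# Writes config/initializers/secure_headers.rb into the generated app and
# commits it. Everything between <<-EOF and EOF is a *string* (the body of the
# initializer) except the `#{...}` interpolations, which run here at template
# time: `20.years.to_i` is baked into the file as a plain integer.
#
# Security notes on the policy this writes (read before shipping it as-is):
# - `report_only: Rails.env.production?` means production only *reports*
#   (Content-Security-Policy-Report-Only header); nothing is enforced there
#   until this is flipped to false. Development/test enforce, so violations
#   surface while the policy is being tightened.
# - `report_uri` is commented out, so report-only violations in production
#   are never delivered anywhere; wire up an endpoint before relying on the
#   report-only phase to tell you anything.
# - `default_src: '*'` allows every source for any directive not listed, and
#   `'unsafe-inline'` on script_src re-opens most of the XSS surface CSP is
#   meant to close. Both are deliberate starting points to be narrowed.
# - `preload` together with includeSubdomains is intended for submission to
#   browser HSTS preload lists, which is effectively irreversible; keep it
#   only for domains that will stay HTTPS-only.
def call
  create_file 'config/initializers/secure_headers.rb' do
    # The report_uri interpolation is escaped (`\#{...}`) so that
    # `Rails.env.production?` is evaluated when the app boots, not here at
    # template time. Unescaped, this heredoc interpolates it while the
    # generator runs and bakes the *generator's* environment into the line,
    # which would be wrong the moment someone uncommented it.
    <<-EOF
::SecureHeaders::Configuration.configure do |config|
  config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
  config.x_frame_options = 'DENY'
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
  config.csp = {
    report_only: Rails.env.production?, # production sends Content-Security-Policy-Report-Only: violations are reported, not blocked
    preserve_schemes: false, # default: false.

    default_src: %w(*), # all allowed in the beginning
    script_src: %w('self' 'unsafe-inline'), # same-origin external scripts AND inline scripts; 'unsafe-inline' largely defeats CSP's XSS protection, drop it once inline scripts are gone
    connect_src: %w('self'), # Ajax may connect only to the same origin
    style_src: %w('self' 'unsafe-inline'), # styles only allowed in external files from the same origin and in style attributes (for now)
    # report_uri: ["/csp_report?report_only=\#{Rails.env.production?}"] # violation reports will be sent here
  }
end
EOF
  end
  git add: 'config/initializers/secure_headers.rb'
  git_commit 'Add secure headers.'
end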