rack-padlock

A toolkit for Rack applications that ensures ALL content on a page adheres to your Content Security Policy. The browser padlock is pretty important for commercial web applications. Modern sites rely on so many third-party services: analytics, video players, social media widgets. With all these moving parts it's easy to end up with a broken padlock. Rack-Padlock will increase the visibility of padlock problems to your development team, and it's dead easy to use.

Prerequisites

All you need is a Rack-based application (Rails, Sinatra, Camping, etc.).

Setup

Add the rack-padlock gem to the test group of your Gemfile:

group :test do
  gem 'rack-padlock'
end

Add the rack-padlock rake tasks to your Rakefile:

require 'rack/padlock'
load 'tasks/rack-padlock.rake'

Specify which URLs you want to test somewhere in your Rakefile:

Rack::Padlock.padlock_uris = ["/secure", "/insecure"]

If your application isn't a Rails app, you also need to add an environment rake task to your Rakefile that loads the app and tells Rack-Padlock about it, like this:

desc "setup application environment"
task :environment do
  require 'your rack application'
  Rack::Padlock.application = YourRackApplication
  Rack::Padlock.padlock_uris = ["/secure", "/insecure"]
end

Running Tests

Once you've set things up, simply run

rake padlock

This will run the padlock tests. If any of the tested pages mixes secure and insecure content, the padlock test will fail.

Example rack application

Have a look at a simple Sinatra application that demonstrates rack-padlock at https://github.com/joshuacronemeyer/rack-padlock-example-app

How it works

Rack-Padlock starts your Rack app up with an SSL-enabled WEBrick server. It puts a custom middleware in front of your application that sends a CSP policy with every response. That policy requires the browser to report any non-SSL activity (a script, image, frame or stylesheet fetched over plain http) back to the server. The custom middleware intercepts these violation reports and logs them. At the end of the run the rack-padlock test either succeeds or fails based on the presence of any policy violations.
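To make the mechanism concrete, here is a small Rack middleware, written for this README as an illustration and not taken from rack-padlock itself, that does the two jobs described above: it attaches a report-only CSP header that permits only https: sources and names a report endpoint, and it records the violation reports a browser POSTs back to that endpoint. The class name, the report path and the sample report JSON are all constructed for the example; the middleware depends only on the Rack calling convention (an env hash in, a status/headers/body triple out), so it runs without the rack gem installed.

```ruby
require 'json'
require 'stringio'

# Illustrative middleware (not rack-padlock's own code). It wraps any Rack app,
# adds a CSP header that asks the browser to report non-https loads, and keeps
# the reports the browser sends back so a test can inspect them afterwards.
class MixedContentReporter
  REPORT_PATH = '/__csp_report' # hypothetical endpoint, chosen for this example

  # Report-Only so rendering is unchanged; 'unsafe-inline'/'unsafe-eval' keep the
  # policy focused on the scheme of fetched resources rather than inline code.
  POLICY = "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri #{REPORT_PATH}"
  HEADER = 'Content-Security-Policy-Report-Only'

  attr_reader :violations

  def initialize(app)
    @app = app
    @violations = []
  end

  def call(env)
    # Browser-originated violation reports arrive as POSTs to REPORT_PATH.
    if env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == REPORT_PATH
      record_report(env['rack.input'].read)
      return [204, { 'Content-Type' => 'text/plain' }, []]
    end

    # Every other response is the application's own, plus the policy header.
    status, headers, body = @app.call(env)
    [status, headers.merge(HEADER => POLICY), body]
  end

  # Keep only the fields a padlock test needs: which page loaded what.
  def record_report(raw)
    report = JSON.parse(raw).fetch('csp-report', {})
    @violations << {
      document:  report['document-uri'],
      blocked:   report['blocked-uri'],
      directive: report['violated-directive']
    }
  rescue JSON::ParserError
    @violations << { document: nil, blocked: raw, directive: 'unparseable report' }
  end

  def padlock_intact?
    @violations.empty?
  end
end

# Drives one simulated run: a page request, then the report a browser would send
# if that page pulled in an http:// image. Returns the pieces a test checks.
def simulate_run
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<html></html>']] }
  reporter = MixedContentReporter.new(app)

  page_env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/insecure',
               'rack.url_scheme' => 'https', 'rack.input' => StringIO.new('') }
  _status, headers, _body = reporter.call(page_env)

  # Constructed report body in the shape browsers POST for a report-uri.
  report = { 'csp-report' => {
    'document-uri'       => 'https://localhost:9292/insecure',
    'blocked-uri'        => 'http://cdn.example.com/logo.png',
    'violated-directive' => 'default-src https:'
  } }.to_json
  report_env = { 'REQUEST_METHOD' => 'POST',
                 'PATH_INFO' => MixedContentReporter::REPORT_PATH,
                 'rack.input' => StringIO.new(report) }
  reporter.call(report_env)

  { policy: headers[MixedContentReporter::HEADER],
    violations: reporter.violations,
    intact: reporter.padlock_intact? }
end

if __FILE__ == $PROGRAM_NAME
  result = simulate_run
  puts "policy sent: #{result[:policy]}"
  result[:violations].each { |v| puts "VIOLATION #{v[:document]} loaded #{v[:blocked]}" }
  puts(result[:intact] ? 'padlock intact' : 'padlock broken')
end
```

In a real run the WEBrick server would be started over TLS and a browser would visit each configured URI; the report POSTs then arrive at the middleware exactly as the simulated one does here, and `padlock_intact?` is the pass/fail decision the rake task makes at the end.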

Not perfect

I have noticed that CSP doesn't check resources requested by Flash. But Google Chrome will break the padlock when Flash requests non-secure resources.