Module: Rack::Protection
- Defined in:
- lib/rack/protection.rb,
lib/rack/protection/base.rb,
lib/rack/protection/version.rb,
lib/rack/protection/encryptor.rb,
lib/rack/protection/json_csrf.rb,
lib/rack/protection/form_token.rb,
lib/rack/protection/xss_header.rb,
lib/rack/protection/http_origin.rb,
lib/rack/protection/ip_spoofing.rb,
lib/rack/protection/remote_token.rb,
lib/rack/protection/frame_options.rb,
lib/rack/protection/cookie_tossing.rb,
lib/rack/protection/escaped_params.rb,
lib/rack/protection/path_traversal.rb,
lib/rack/protection/referrer_policy.rb,
lib/rack/protection/remote_referrer.rb,
lib/rack/protection/encrypted_cookie.rb,
lib/rack/protection/strict_transport.rb,
lib/rack/protection/session_hijacking.rb,
lib/rack/protection/authenticity_token.rb,
lib/rack/protection/content_security_policy.rb
Defined Under Namespace
Modules: Encryptor. Classes: AuthenticityToken, Base, ContentSecurityPolicy, CookieTossing, EncryptedCookie, EscapedParams, FormToken, FrameOptions, HttpOrigin, IPSpoofing, JsonCsrf, PathTraversal, ReferrerPolicy, RemoteReferrer, RemoteToken, SessionHijacking, StrictTransport, XSSHeader
Constant Summary collapse
- VERSION =
'3.0.1'
Class Method Summary collapse
Class Method Details
.new(app, options = {}) ⇒ Object
# File 'lib/rack/protection.rb', line 28

# Wraps +app+ in the Rack::Protection middleware stack.
#
# The middlewares come in two groups. The opt-in group is only inserted
# when its key appears in +options[:use]+; the default group is inserted
# unless its key appears in +options[:except]+. Every inserted middleware
# receives the same +options+ hash. The opt-in group is wider than the
# older "RemoteReferrer, AuthenticityToken and FormToken" wording suggests:
# it also covers ContentSecurityPolicy, CookieTossing, EscapedParams,
# ReferrerPolicy and StrictTransport.
#
# @param app [#call] the Rack application to protect
# @param options [Hash] forwarded to each middleware; additionally reads
#   +:use+ (Symbol or Array<Symbol>) to switch opt-in middlewares on,
#   +:except+ (Symbol or Array<Symbol>) to switch default middlewares off,
#   and +:without_session+ (truthy) which drops SessionHijacking and
#   RemoteToken from the defaults (presumably because both need a
#   +rack.session+ — the app is then responsible for its own CSRF and
#   session checks)
# @return [Object] the protected application, as built by Rack::Builder#to_app
def self.new(app, options = {})
  opt_in  = Array(options[:use])
  skipped = Array(options[:except])
  skipped += %i[session_hijacking remote_token] if options.fetch(:without_session, false)

  # Constant *names* rather than constants: each class is only resolved
  # when it is actually inserted, exactly as the guarded `use` lines did.
  # Order in each table is the order in the middleware chain.
  optional_layers = [
    [:authenticity_token,      :AuthenticityToken],
    [:content_security_policy, :ContentSecurityPolicy],
    [:cookie_tossing,          :CookieTossing],
    [:escaped_params,          :EscapedParams],
    [:form_token,              :FormToken],
    [:referrer_policy,         :ReferrerPolicy],
    [:remote_referrer,         :RemoteReferrer],
    [:strict_transport,        :StrictTransport]
  ]
  default_layers = [
    [:frame_options,     :FrameOptions],
    [:http_origin,       :HttpOrigin],
    [:ip_spoofing,       :IPSpoofing],
    [:json_csrf,         :JsonCsrf],
    [:path_traversal,    :PathTraversal],
    [:remote_token,      :RemoteToken],
    [:session_hijacking, :SessionHijacking],
    [:xss_header,        :XSSHeader]
  ]

  Rack::Builder.new do
    # Off by default, unless asked for via options[:use]
    optional_layers.each do |key, const_name|
      use ::Rack::Protection.const_get(const_name), options if opt_in.include?(key)
    end
    # On by default, unless skipped via options[:except]
    default_layers.each do |key, const_name|
      use ::Rack::Protection.const_get(const_name), options unless skipped.include?(key)
    end
    run app
  end.to_app
end