Module: Rack::Protection

Defined in:
lib/rack/protection.rb,
lib/rack/protection/base.rb,
lib/rack/protection/version.rb,
lib/rack/protection/encryptor.rb,
lib/rack/protection/json_csrf.rb,
lib/rack/protection/form_token.rb,
lib/rack/protection/xss_header.rb,
lib/rack/protection/http_origin.rb,
lib/rack/protection/ip_spoofing.rb,
lib/rack/protection/remote_token.rb,
lib/rack/protection/frame_options.rb,
lib/rack/protection/cookie_tossing.rb,
lib/rack/protection/escaped_params.rb,
lib/rack/protection/path_traversal.rb,
lib/rack/protection/referrer_policy.rb,
lib/rack/protection/remote_referrer.rb,
lib/rack/protection/encrypted_cookie.rb,
lib/rack/protection/strict_transport.rb,
lib/rack/protection/session_hijacking.rb,
lib/rack/protection/authenticity_token.rb,
lib/rack/protection/content_security_policy.rb

Defined Under Namespace

Modules: Encryptor Classes: AuthenticityToken, Base, ContentSecurityPolicy, CookieTossing, EncryptedCookie, EscapedParams, FormToken, FrameOptions, HttpOrigin, IPSpoofing, JsonCsrf, PathTraversal, ReferrerPolicy, RemoteReferrer, RemoteToken, SessionHijacking, StrictTransport, XSSHeader

Constant Summary

VERSION =
'3.0.4'

Class Method Summary

Class Method Details

.new(app, options = {}) ⇒ Object



# File 'lib/rack/protection.rb', line 28

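# Builds a Rack application that wraps +app+ in the Rack::Protection
# middleware stack.
#
# Two groups of middleware exist. The "on by default" group is always added
# unless its name appears in +options[:except]+. The "off by default" group
# (AuthenticityToken, ContentSecurityPolicy, CookieTossing, EscapedParams,
# FormToken, ReferrerPolicy, RemoteReferrer and StrictTransport) is only
# added when its name appears in +options[:use]+.
#
# Names are matched as Symbols against the fixed lists below; anything else
# (a String, a typo, an unknown name) is silently ignored. For +:except+
# that fails safe (the protection stays on); for +:use+ it means the
# requested protection is never enabled, so callers should check those keys.
#
# @param app [#call] the inner Rack application
# @param options [Hash] forwarded unchanged to every middleware; the keys
#   +:use+, +:except+ and +:without_session+ are also read here
# @option options [Symbol, Array<Symbol>] :use opt-in middleware to enable
# @option options [Symbol, Array<Symbol>] :except default middleware to skip
# @option options [Boolean] :without_session when truthy, also skips
#   +:session_hijacking+ and +:remote_token+
# @return [#call] the composed Rack application (via Rack::Builder#to_app)
def self.new(app, options = {})
  # Array() accepts nil, a single Symbol or an Array; `+=` below builds a
  # fresh Array, so the caller's options[:except] is never mutated.
  except = Array(options[:except])
  use_these = Array(options[:use])

  except += %i[session_hijacking remote_token] if options.fetch(:without_session, false)

  Rack::Builder.new do
    # Rack::Builder wraps in declaration order (the first `use` is outermost),
    # so the opt-in middleware sit outside the default ones.
    #
    # Off by default, unless listed in options[:use]
    use ::Rack::Protection::AuthenticityToken,     options if use_these.include?(:authenticity_token)
    use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include?(:content_security_policy)
    use ::Rack::Protection::CookieTossing,         options if use_these.include?(:cookie_tossing)
    use ::Rack::Protection::EscapedParams,         options if use_these.include?(:escaped_params)
    use ::Rack::Protection::FormToken,             options if use_these.include?(:form_token)
    use ::Rack::Protection::ReferrerPolicy,        options if use_these.include?(:referrer_policy)
    use ::Rack::Protection::RemoteReferrer,        options if use_these.include?(:remote_referrer)
    use ::Rack::Protection::StrictTransport,       options if use_these.include?(:strict_transport)

    # On by default, unless listed in options[:except]
    use ::Rack::Protection::FrameOptions,          options unless except.include?(:frame_options)
    use ::Rack::Protection::HttpOrigin,            options unless except.include?(:http_origin)
    use ::Rack::Protection::IPSpoofing,            options unless except.include?(:ip_spoofing)
    use ::Rack::Protection::JsonCsrf,              options unless except.include?(:json_csrf)
    use ::Rack::Protection::PathTraversal,         options unless except.include?(:path_traversal)
    use ::Rack::Protection::RemoteToken,           options unless except.include?(:remote_token)
    use ::Rack::Protection::SessionHijacking,      options unless except.include?(:session_hijacking)
    use ::Rack::Protection::XSSHeader,             options unless except.include?(:xss_header)
    run app
  end.to_app
end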