Class: SecureHeaders::Configuration

Inherits: Object
Defined in:
lib/secure_headers/configuration.rb

Defined Under Namespace

Classes: AlreadyConfiguredError, IllegalPolicyModificationError, NotYetConfiguredError

Constant Summary

DEFAULT_CONFIG = :default

NOOP_OVERRIDE = "secure_headers_noop_override"

CONFIG_ATTRIBUTES_TO_HEADER_CLASSES =
{
  hsts: StrictTransportSecurity,
  x_frame_options: XFrameOptions,
  x_content_type_options: XContentTypeOptions,
  x_xss_protection: XXssProtection,
  x_download_options: XDownloadOptions,
  x_permitted_cross_domain_policies: XPermittedCrossDomainPolicies,
  referrer_policy: ReferrerPolicy,
  clear_site_data: ClearSiteData,
  expect_certificate_transparency: ExpectCertificateTransparency,
  csp: ContentSecurityPolicy,
  csp_report_only: ContentSecurityPolicy,
  cookies: Cookie,
}.freeze

CONFIG_ATTRIBUTES = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys.freeze

VALIDATABLE_ATTRIBUTES = CONFIG_ATTRIBUTES
  The list of attributes that must respond to a `validate_config!` method.

HEADERABLE_ATTRIBUTES = (CONFIG_ATTRIBUTES - [:cookies]).freeze
  The list of attributes that must respond to a `make_header` method.

HASH_CONFIG_FILE = ENV["secure_headers_generated_hashes_file"] || "config/secure_headers_generated_hashes.yml"


Constructor Details

#initialize(&block) ⇒ Configuration

Returns a new instance of Configuration.

# File 'lib/secure_headers/configuration.rb', line 158

def initialize(&block)
  @cookies = self.class.send(:deep_copy_if_hash, Cookie::COOKIE_DEFAULTS)
  @clear_site_data = nil
  @csp = nil
  @csp_report_only = nil
  @hsts = nil
  @x_content_type_options = nil
  @x_download_options = nil
  @x_frame_options = nil
  @x_permitted_cross_domain_policies = nil
  @x_xss_protection = nil
  @expect_certificate_transparency = nil

  self.referrer_policy = OPT_OUT
  self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
  self.csp_report_only = OPT_OUT

  instance_eval(&block) if block_given?
end

Class Method Details

.default(&block) ⇒ Object (also known as: configure)

Public: Set the global default configuration.

Optionally supply a block to override the defaults set by this library.

Returns the newly created config.

# File 'lib/secure_headers/configuration.rb', line 17

def default(&block)
  if defined?(@default_config)
    raise AlreadyConfiguredError, "Policy already configured"
  end

  # Define a built-in override that clears all configuration options and
  # results in no security headers being set.
  override(NOOP_OVERRIDE) do |config|
    CONFIG_ATTRIBUTES.each do |attr|
      config.instance_variable_set("@#{attr}", OPT_OUT)
    end
  end

  new_config = new(&block).freeze
  new_config.validate_config!
  @default_config = new_config
end

.dup ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 71

def dup
  default_config.dup
end

.named_append(name, &block) ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 62

def named_append(name, &block)
  @appends ||= {}
  raise "Provide a configuration block" unless block_given?
  if named_append_or_override_exists?(name)
    raise AlreadyConfiguredError, "Configuration already exists"
  end
  @appends[name] = block
end

.named_appends(name) ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 57

def named_appends(name)
  @appends ||= {}
  @appends[name]
end

.override(name, &block) ⇒ Object

Public: create a named configuration that overrides the default config.

name - an identifier for the override config.
base - override another existing config, or override the default config if no value is supplied.

Returns: the newly created config

# File 'lib/secure_headers/configuration.rb', line 43

def override(name, &block)
  @overrides ||= {}
  raise "Provide a configuration block" unless block_given?
  if named_append_or_override_exists?(name)
    raise AlreadyConfiguredError, "Configuration already exists"
  end
  @overrides[name] = block
end

.overrides(name) ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 52

def overrides(name)
  @overrides ||= {}
  @overrides[name]
end

Instance Method Details

#csp=(new_csp) ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 246

def csp=(new_csp)
  case new_csp
  when OPT_OUT
    @csp = new_csp
  when ContentSecurityPolicyConfig
    @csp = new_csp
  when Hash
    @csp = ContentSecurityPolicyConfig.new(new_csp)
  else
    raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
  end
end

#csp_report_only=(new_csp) ⇒ Object

Configures the Content-Security-Policy-Report-Only header. `new_csp` cannot contain `report_only: false`, or an error will be raised.

NOTE: if csp has not been configured (or still has the default value) when csp_report_only is configured, the code assumes you mean to use report-only mode only, and you will be opted out of enforce mode.

# File 'lib/secure_headers/configuration.rb', line 265

def csp_report_only=(new_csp)
  case new_csp
  when OPT_OUT
    @csp_report_only = new_csp
  when ContentSecurityPolicyReportOnlyConfig
    @csp_report_only = new_csp.dup
  when ContentSecurityPolicyConfig
    @csp_report_only = new_csp.make_report_only
  when Hash
    @csp_report_only = ContentSecurityPolicyReportOnlyConfig.new(new_csp)
  else
    raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
  end
end

#dup ⇒ Object

Public: copy everything

Returns a deep-dup’d copy of this configuration.

# File 'lib/secure_headers/configuration.rb', line 181

def dup
  copy = self.class.new
  copy.cookies = self.class.send(:deep_copy_if_hash, @cookies)
  copy.csp = @csp.dup if @csp
  copy.csp_report_only = @csp_report_only.dup if @csp_report_only
  copy.x_content_type_options = @x_content_type_options
  copy.hsts = @hsts
  copy.x_frame_options = @x_frame_options
  copy.x_xss_protection = @x_xss_protection
  copy.x_download_options = @x_download_options
  copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
  copy.clear_site_data = @clear_site_data
  copy.expect_certificate_transparency = @expect_certificate_transparency
  copy.referrer_policy = @referrer_policy
  copy
end

#generate_headers ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 210

def generate_headers
  headers = {}
  HEADERABLE_ATTRIBUTES.each do |attr|
    klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
    header_name, value = klass.make_header(instance_variable_get("@#{attr}"))
    if header_name && value
      headers[header_name] = value
    end
  end
  headers
end

#opt_out(header) ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 222

def opt_out(header)
  send("#{header}=", OPT_OUT)
end

#override(name = nil, &block) ⇒ Object

Public: Apply a named override to the current config

Returns self

# File 'lib/secure_headers/configuration.rb', line 201

def override(name = nil, &block)
  if override = self.class.overrides(name)
    instance_eval(&override)
  else
    raise ArgumentError.new("no override by the name of #{name} has been configured")
  end
  self
end
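The following is an added, stand-alone model of the flow documented above (`.default` freezing the global config and registering the built-in no-op override, `.override` storing a named block once, `#override` applying it with `instance_eval`, and `#generate_headers` skipping opted-out attributes). It is not the gem's code; the `HeaderClass` stand-in, `MiniConfig`, the `:noop` name and the header values are constructed for this illustration.

```ruby
OPT_OUT = :opt_out
# Stand-in for the gem's header classes (constructed for this example):
# make_header answers [name, value], or nil when the attribute is opted out.
HeaderClass = Struct.new(:header_name) do
  def make_header(value)
    value == OPT_OUT ? nil : [header_name, value]
  end
end
class MiniConfig
  class AlreadyConfiguredError < StandardError; end
  HEADER_CLASSES = { x_frame_options: HeaderClass.new("x-frame-options"),
                     x_content_type_options: HeaderClass.new("x-content-type-options") }.freeze
  OVERRIDES = {}
  attr_accessor(*HEADER_CLASSES.keys)
  class << self
    attr_reader :default_config
    # A named override is registered once; re-registering the name is an error.
    def override(name, &block)
      raise AlreadyConfiguredError, "Configuration already exists" if OVERRIDES.key?(name)
      OVERRIDES[name] = block
    end
    # Build the frozen global default; the built-in :noop override opts out of every header.
    def default(&block)
      raise AlreadyConfiguredError, "Policy already configured" if @default_config
      override(:noop) { |c| HEADER_CLASSES.each_key { |a| c.instance_variable_set("@#{a}", OPT_OUT) } }
      @default_config = new(&block).freeze
    end
  end
  def initialize(&block)
    @x_frame_options = "sameorigin"
    @x_content_type_options = "nosniff"
    instance_eval(&block) if block_given?
  end
  # Apply a registered override in place (instance_eval passes self as |c|); the frozen
  # default cannot be modified, so per-request configs start from default_config.dup.
  def override(name)
    raise ArgumentError, "no override by the name of #{name} has been configured" unless OVERRIDES[name]
    instance_eval(&OVERRIDES[name])
    self
  end
  # Only attributes that are not OPT_OUT become headers.
  def generate_headers
    HEADER_CLASSES.each_with_object({}) do |(attr, klass), headers|
      name, value = klass.make_header(instance_variable_get("@#{attr}"))
      headers[name] = value if name && value
    end
  end
end

MiniConfig.default { self.x_frame_options = "deny" }
```

`MiniConfig.default_config.dup.override(:noop).generate_headers` returns an empty hash while the frozen default keeps emitting both headers, which is the per-request pattern the class-level `dup` above exists for.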

#secure_cookies=(secure_cookies) ⇒ Object

Raises:

  • (ArgumentError)


# File 'lib/secure_headers/configuration.rb', line 242

def secure_cookies=(secure_cookies)
  raise ArgumentError, "#{Kernel.caller.first}: `#secure_cookies=` is no longer supported. Please use `#cookies=` to configure secure cookies instead."
end

#update_x_frame_options(value) ⇒ Object

# File 'lib/secure_headers/configuration.rb', line 226

def update_x_frame_options(value)
  @x_frame_options = value
end

#validate_config! ⇒ Object

Public: validates all configuration values.

Raises various configuration errors if any invalid config is detected.

Returns nothing.

# File 'lib/secure_headers/configuration.rb', line 235

def validate_config!
  VALIDATABLE_ATTRIBUTES.each do |attr|
    klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
    klass.validate_config!(instance_variable_get("@#{attr}"))
  end
end