Module: SecureHeaders
- Included in:
- ActionController::Base
- Defined in:
- lib/secure_headers.rb,
lib/secure_headers/railtie.rb,
lib/secure_headers/version.rb,
lib/secure_headers/middleware.rb,
lib/secure_headers/hash_helper.rb,
lib/secure_headers/view_helper.rb,
lib/secure_headers/configuration.rb,
lib/secure_headers/headers/cookie.rb,
lib/secure_headers/utils/cookies_config.rb,
lib/secure_headers/headers/clear_site_data.rb,
lib/secure_headers/headers/referrer_policy.rb,
lib/secure_headers/headers/x_frame_options.rb,
lib/secure_headers/headers/x_xss_protection.rb,
lib/secure_headers/headers/policy_management.rb,
lib/secure_headers/headers/x_download_options.rb,
lib/secure_headers/headers/x_content_type_options.rb,
lib/secure_headers/headers/content_security_policy.rb,
lib/secure_headers/headers/strict_transport_security.rb,
lib/secure_headers/headers/content_security_policy_config.rb,
lib/secure_headers/headers/expect_certificate_transparency.rb,
lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
Overview
Provide SecureHeaders::OPT_OUT as a config value to disable a given header
Defined Under Namespace
Modules: DynamicConfig, HashHelper, PolicyManagement, ViewHelpers Classes: ClearSiteData, ClearSiteDataConfigError, Configuration, ContentSecurityPolicy, ContentSecurityPolicyConfig, ContentSecurityPolicyConfigError, ContentSecurityPolicyReportOnlyConfig, Cookie, CookiesConfig, CookiesConfigError, ExpectCertificateTransparency, ExpectCertificateTransparencyConfigError, Middleware, NoOpHeaderConfig, Railtie, ReferrerPolicy, ReferrerPolicyConfigError, STSConfigError, StrictTransportSecurity, XContentTypeOptions, XContentTypeOptionsConfigError, XDOConfigError, XDownloadOptions, XFOConfigError, XFrameOptions, XPCDPConfigError, XPermittedCrossDomainPolicies, XXssProtection, XXssProtectionConfigError
Constant Summary collapse
- OPT_OUT =
NoOpHeaderConfig.instance
- SECURE_HEADERS_CONFIG =
"secure_headers_request_config".freeze
- NONCE_KEY =
"secure_headers_content_security_policy_nonce".freeze
- HTTPS =
"https".freeze
- CSP =
ContentSecurityPolicy
- VERSION =
"7.1.0"
Class Method Summary collapse
-
.append_content_security_policy_directives(request, additions, target = nil) ⇒ Object
Public: appends source values to the current configuration.
-
.config_for(request, prevent_dup = false) ⇒ Object
Public: Retreives the config for a given header type:.
-
.content_security_policy_script_nonce(request) ⇒ Object
Public: gets or creates a nonce for CSP.
-
.content_security_policy_style_nonce(request) ⇒ Object
Public: gets or creates a nonce for CSP.
-
.header_hash_for(request) ⇒ Object
Public: Builds the hash of headers that should be applied base on the request.
-
.opt_out_of_all_protection(request) ⇒ Object
Public: opts out of setting all headers by telling secure_headers to use the NOOP configuration.
-
.opt_out_of_header(request, header_key) ⇒ Object
Public: opts out of setting a given header by creating a temporary config and setting the given headers config to OPT_OUT.
-
.override_content_security_policy_directives(request, additions, target = nil) ⇒ Object
Public: override a given set of directives for the current request.
-
.override_x_frame_options(request, value) ⇒ Object
Public: override X-Frame-Options settings for this request.
- .use_content_security_policy_named_append(request, name) ⇒ Object
-
.use_secure_headers_override(request, name) ⇒ Object
Public: specify which named override will be used for this request.
Instance Method Summary collapse
- #append_content_security_policy_directives(additions) ⇒ Object
- #content_security_policy_script_nonce ⇒ Object
- #content_security_policy_style_nonce ⇒ Object
- #opt_out_of_header(header_key) ⇒ Object
- #override_content_security_policy_directives(additions) ⇒ Object
- #override_x_frame_options(value) ⇒ Object
- #use_content_security_policy_named_append(name) ⇒ Object
-
#use_secure_headers_override(name) ⇒ Object
These methods are mixed into controllers and delegate to the class method with the same name.
Class Method Details
.append_content_security_policy_directives(request, additions, target = nil) ⇒ Object
Public: appends source values to the current configuration. If no value is set for a given directive, the value will be merged with the default-src value. If a value exists for the given directive, the values will be combined.
additions - a hash containing directives. e.g.
script_src: %w(another-host.com)
88 89 90 91 92 93 94 95 96 97 98 99 100 |
# File 'lib/secure_headers.rb', line 88 def append_content_security_policy_directives(request, additions, target = nil) config, target = config_and_target(request, target) if [:both, :enforced].include?(target) && !config.csp.opt_out? config.csp.append(additions) end if [:both, :report_only].include?(target) && !config.csp_report_only.opt_out? config.csp_report_only.append(additions) end override_secure_headers_request_config(request, config) end |
.config_for(request, prevent_dup = false) ⇒ Object
Public: Retreives the config for a given header type:
Checks to see if there is an override for this request, then Checks to see if a named override is used for this request, then Falls back to the global config
186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
# File 'lib/secure_headers.rb', line 186 def config_for(request, prevent_dup = false) config = request.env[SECURE_HEADERS_CONFIG] || Configuration.send(:default_config) # Global configs are frozen, per-request configs are not. When we're not # making modifications to the config, prevent_dup ensures we don't dup # the object unnecessarily. It's not necessarily frozen to begin with. if config.frozen? && !prevent_dup config.dup else config end end |
.content_security_policy_script_nonce(request) ⇒ Object
Public: gets or creates a nonce for CSP.
The nonce will be added to script_src
Returns the nonce
168 169 170 |
# File 'lib/secure_headers.rb', line 168 def content_security_policy_script_nonce(request) content_security_policy_nonce(request, ContentSecurityPolicy::SCRIPT_SRC) end |
.content_security_policy_style_nonce(request) ⇒ Object
Public: gets or creates a nonce for CSP.
The nonce will be added to style_src
Returns the nonce
177 178 179 |
# File 'lib/secure_headers.rb', line 177 def content_security_policy_style_nonce(request) content_security_policy_nonce(request, ContentSecurityPolicy::STYLE_SRC) end |
.header_hash_for(request) ⇒ Object
Public: Builds the hash of headers that should be applied base on the request.
StrictTransportSecurity is not applied to http requests. See #config_for to determine which config is used for a given request.
Returns a hash of header names => header values. The value returned is meant to be merged into the header value from ‘@app.call(env)` in Rack middleware.
141 142 143 144 145 146 147 148 149 150 151 |
# File 'lib/secure_headers.rb', line 141 def header_hash_for(request) prevent_dup = true config = config_for(request, prevent_dup) config.validate_config! headers = config.generate_headers if request.scheme != HTTPS headers.delete(StrictTransportSecurity::HEADER_NAME) end headers end |
.opt_out_of_all_protection(request) ⇒ Object
Public: opts out of setting all headers by telling secure_headers to use the NOOP configuration.
128 129 130 |
# File 'lib/secure_headers.rb', line 128 def opt_out_of_all_protection(request) use_secure_headers_override(request, Configuration::NOOP_OVERRIDE) end |
.opt_out_of_header(request, header_key) ⇒ Object
Public: opts out of setting a given header by creating a temporary config and setting the given headers config to OPT_OUT.
120 121 122 123 124 |
# File 'lib/secure_headers.rb', line 120 def opt_out_of_header(request, header_key) config = config_for(request) config.opt_out(header_key) override_secure_headers_request_config(request, config) end |
.override_content_security_policy_directives(request, additions, target = nil) ⇒ Object
Public: override a given set of directives for the current request. If a value already exists for a given directive, it will be overridden.
If CSP was previously OPT_OUT, a new blank policy is used.
additions - a hash containing directives. e.g.
script_src: %w(another-host.com)
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
# File 'lib/secure_headers.rb', line 60 def override_content_security_policy_directives(request, additions, target = nil) config, target = config_and_target(request, target) if [:both, :enforced].include?(target) if config.csp.opt_out? config.csp = ContentSecurityPolicyConfig.new({}) end config.csp.merge!(additions) end if [:both, :report_only].include?(target) if config.csp_report_only.opt_out? config.csp_report_only = ContentSecurityPolicyReportOnlyConfig.new({}) end config.csp_report_only.merge!(additions) end override_secure_headers_request_config(request, config) end |
.override_x_frame_options(request, value) ⇒ Object
Public: override X-Frame-Options settings for this request.
value - deny, sameorigin, or allowall
Returns the current config
112 113 114 115 116 |
# File 'lib/secure_headers.rb', line 112 def (request, value) config = config_for(request) config.(value) override_secure_headers_request_config(request, config) end |
.use_content_security_policy_named_append(request, name) ⇒ Object
102 103 104 105 |
# File 'lib/secure_headers.rb', line 102 def use_content_security_policy_named_append(request, name) additions = SecureHeaders::Configuration.named_appends(name).call(request) append_content_security_policy_directives(request, additions) end |
.use_secure_headers_override(request, name) ⇒ Object
Public: specify which named override will be used for this request. Raises an argument error if no named override exists.
name - the name of the previously configured override.
157 158 159 160 161 |
# File 'lib/secure_headers.rb', line 157 def use_secure_headers_override(request, name) config = config_for(request) config.override(name) override_secure_headers_request_config(request, config) end |
Instance Method Details
#append_content_security_policy_directives(additions) ⇒ Object
265 266 267 |
# File 'lib/secure_headers.rb', line 265 def append_content_security_policy_directives(additions) SecureHeaders.append_content_security_policy_directives(request, additions) end |
#content_security_policy_script_nonce ⇒ Object
253 254 255 |
# File 'lib/secure_headers.rb', line 253 def content_security_policy_script_nonce SecureHeaders.content_security_policy_script_nonce(request) end |
#content_security_policy_style_nonce ⇒ Object
257 258 259 |
# File 'lib/secure_headers.rb', line 257 def content_security_policy_style_nonce SecureHeaders.content_security_policy_style_nonce(request) end |
#opt_out_of_header(header_key) ⇒ Object
261 262 263 |
# File 'lib/secure_headers.rb', line 261 def opt_out_of_header(header_key) SecureHeaders.opt_out_of_header(request, header_key) end |
#override_content_security_policy_directives(additions) ⇒ Object
269 270 271 |
# File 'lib/secure_headers.rb', line 269 def override_content_security_policy_directives(additions) SecureHeaders.override_content_security_policy_directives(request, additions) end |
#override_x_frame_options(value) ⇒ Object
273 274 275 |
# File 'lib/secure_headers.rb', line 273 def (value) SecureHeaders.(request, value) end |
#use_content_security_policy_named_append(name) ⇒ Object
277 278 279 |
# File 'lib/secure_headers.rb', line 277 def use_content_security_policy_named_append(name) SecureHeaders.use_content_security_policy_named_append(request, name) end |
#use_secure_headers_override(name) ⇒ Object
These methods are mixed into controllers and delegate to the class method with the same name.
249 250 251 |
# File 'lib/secure_headers.rb', line 249 def use_secure_headers_override(name) SecureHeaders.use_secure_headers_override(request, name) end |