Class: SecureHeaders::Configuration

Inherits:
Object
  • Object
show all
Defined in:
lib/secure_headers/configuration.rb

Defined Under Namespace

Classes: AlreadyConfiguredError, IllegalPolicyModificationError, NotYetConfiguredError

Constant Summary collapse

DEFAULT_CONFIG =
:default
NOOP_OVERRIDE =
"secure_headers_noop_override"
CONFIG_ATTRIBUTES_TO_HEADER_CLASSES =
{
  hsts: StrictTransportSecurity,
  x_frame_options: XFrameOptions,
  x_content_type_options: XContentTypeOptions,
  x_xss_protection: XXssProtection,
  x_download_options: XDownloadOptions,
  x_permitted_cross_domain_policies: XPermittedCrossDomainPolicies,
  referrer_policy: ReferrerPolicy,
  clear_site_data: ClearSiteData,
  expect_certificate_transparency: ExpectCertificateTransparency,
  csp: ContentSecurityPolicy,
  csp_report_only: ContentSecurityPolicy,
  cookies: Cookie,
}.freeze
CONFIG_ATTRIBUTES =
CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys.freeze
VALIDATABLE_ATTRIBUTES =

The list of attributes that must respond to a ‘validate_config!` method

CONFIG_ATTRIBUTES
HEADERABLE_ATTRIBUTES =

The list of attributes that must respond to a ‘make_header` method

(CONFIG_ATTRIBUTES - [:cookies]).freeze
HASH_CONFIG_FILE =
ENV["secure_headers_generated_hashes_file"] || "config/secure_headers_generated_hashes.yml"

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(&block) ⇒ Configuration

Returns a new instance of Configuration.



158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
# File 'lib/secure_headers/configuration.rb', line 158

def initialize(&block)
  @cookies = self.class.send(:deep_copy_if_hash, Cookie::COOKIE_DEFAULTS)
  @clear_site_data = nil
  @csp = nil
  @csp_report_only = nil
  @hsts = nil
  @x_content_type_options = nil
  @x_download_options = nil
  @x_frame_options = nil
  @x_permitted_cross_domain_policies = nil
  @x_xss_protection = nil
  @expect_certificate_transparency = nil

  self.referrer_policy = OPT_OUT
  self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
  self.csp_report_only = OPT_OUT

  instance_eval(&block) if block_given?
end

Class Method Details

.default(&block) ⇒ Object Also known as: configure

Public: Set the global default configuration.

Optionally supply a block to override the defaults set by this library.

Returns the newly created config.



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# File 'lib/secure_headers/configuration.rb', line 17

def default(&block)
  if defined?(@default_config)
    raise AlreadyConfiguredError, "Policy already configured"
  end

  # Define a built-in override that clears all configuration options and
  # results in no security headers being set.
  override(NOOP_OVERRIDE) do |config|
    CONFIG_ATTRIBUTES.each do |attr|
      config.instance_variable_set("@#{attr}", OPT_OUT)
    end
  end

  new_config = new(&block).freeze
  new_config.validate_config!
  @default_config = new_config
end

.dupObject



71
72
73
# File 'lib/secure_headers/configuration.rb', line 71

def dup
  default_config.dup
end

.named_append(name, &block) ⇒ Object



62
63
64
65
66
67
68
69
# File 'lib/secure_headers/configuration.rb', line 62

def named_append(name, &block)
  @appends ||= {}
  raise "Provide a configuration block" unless block_given?
  if named_append_or_override_exists?(name)
    raise AlreadyConfiguredError, "Configuration already exists"
  end
  @appends[name] = block
end

.named_appends(name) ⇒ Object



57
58
59
60
# File 'lib/secure_headers/configuration.rb', line 57

def named_appends(name)
  @appends ||= {}
  @appends[name]
end

.override(name, &block) ⇒ Object

Public: create a named configuration that overrides the default config.

name - use an idenfier for the override config. base - override another existing config, or override the default config if no value is supplied.

Returns: the newly created config



43
44
45
46
47
48
49
50
# File 'lib/secure_headers/configuration.rb', line 43

def override(name, &block)
  @overrides ||= {}
  raise "Provide a configuration block" unless block_given?
  if named_append_or_override_exists?(name)
    raise AlreadyConfiguredError, "Configuration already exists"
  end
  @overrides[name] = block
end

.overrides(name) ⇒ Object



52
53
54
55
# File 'lib/secure_headers/configuration.rb', line 52

def overrides(name)
  @overrides ||= {}
  @overrides[name]
end

Instance Method Details

#csp=(new_csp) ⇒ Object



246
247
248
249
250
251
252
253
254
255
256
257
# File 'lib/secure_headers/configuration.rb', line 246

def csp=(new_csp)
  case new_csp
  when OPT_OUT
    @csp = new_csp
  when ContentSecurityPolicyConfig
    @csp = new_csp
  when Hash
    @csp = ContentSecurityPolicyConfig.new(new_csp)
  else
    raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
  end
end

#csp_report_only=(new_csp) ⇒ Object

Configures the content-security-policy-report-only header. ‘new_csp` cannot contain `report_only: false` or an error will be raised.

NOTE: if csp has not been configured/has the default value when configuring csp_report_only, the code will assume you mean to only use report-only mode and you will be opted-out of enforce mode.



265
266
267
268
269
270
271
272
273
274
275
276
277
278
# File 'lib/secure_headers/configuration.rb', line 265

def csp_report_only=(new_csp)
  case new_csp
  when OPT_OUT
    @csp_report_only = new_csp
  when ContentSecurityPolicyReportOnlyConfig
    @csp_report_only = new_csp.dup
  when ContentSecurityPolicyConfig
    @csp_report_only = new_csp.make_report_only
  when Hash
    @csp_report_only = ContentSecurityPolicyReportOnlyConfig.new(new_csp)
  else
    raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
  end
end

#dupObject

Public: copy everything

Returns a deep-dup’d copy of this configuration.



181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
# File 'lib/secure_headers/configuration.rb', line 181

def dup
  copy = self.class.new
  copy.cookies = self.class.send(:deep_copy_if_hash, @cookies)
  copy.csp = @csp.dup if @csp
  copy.csp_report_only = @csp_report_only.dup if @csp_report_only
  copy.x_content_type_options = @x_content_type_options
  copy.hsts = @hsts
  copy.x_frame_options = @x_frame_options
  copy.x_xss_protection = @x_xss_protection
  copy.x_download_options = @x_download_options
  copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
  copy.clear_site_data = @clear_site_data
  copy.expect_certificate_transparency = @expect_certificate_transparency
  copy.referrer_policy = @referrer_policy
  copy
end

#generate_headersObject



210
211
212
213
214
215
216
217
218
219
220
# File 'lib/secure_headers/configuration.rb', line 210

def generate_headers
  headers = {}
  HEADERABLE_ATTRIBUTES.each do |attr|
    klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
    header_name, value = klass.make_header(instance_variable_get("@#{attr}"))
    if header_name && value
      headers[header_name] = value
    end
  end
  headers
end

#opt_out(header) ⇒ Object



222
223
224
# File 'lib/secure_headers/configuration.rb', line 222

def opt_out(header)
  send("#{header}=", OPT_OUT)
end

#override(name = nil, &block) ⇒ Object

Public: Apply a named override to the current config

Returns self



201
202
203
204
205
206
207
208
# File 'lib/secure_headers/configuration.rb', line 201

def override(name = nil, &block)
  if override = self.class.overrides(name)
    instance_eval(&override)
  else
    raise ArgumentError.new("no override by the name of #{name} has been configured")
  end
  self
end

#secure_cookies=(secure_cookies) ⇒ Object

Raises:

  • (ArgumentError)


242
243
244
# File 'lib/secure_headers/configuration.rb', line 242

def secure_cookies=(secure_cookies)
  raise ArgumentError, "#{Kernel.caller.first}: `#secure_cookies=` is no longer supported. Please use `#cookies=` to configure secure cookies instead."
end

#update_x_frame_options(value) ⇒ Object



226
227
228
# File 'lib/secure_headers/configuration.rb', line 226

def update_x_frame_options(value)
  @x_frame_options = value
end

#validate_config!Object

Public: validates all configurations values.

Raises various configuration errors if any invalid config is detected.

Returns nothing



235
236
237
238
239
240
# File 'lib/secure_headers/configuration.rb', line 235

def validate_config!
  VALIDATABLE_ATTRIBUTES.each do |attr|
    klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
    klass.validate_config!(instance_variable_get("@#{attr}"))
  end
end