Manages application of security headers with many safe defaults
dependabot[bot] b134eef07d
Bump ruby/setup-ruby from 1.196.0 to 1.197.0 (#530)
Bumps [ruby/setup-ruby](https://github.com/ruby/setup-ruby) from 1.196.0
to 1.197.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ruby/setup-ruby/releases">ruby/setup-ruby's
releases</a>.</em></p>
<blockquote>
<h2>v1.197.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add some details about using asan build. by <a
href="https://github.com/ioquatix"><code>@​ioquatix</code></a> in <a
href="https://redirect.github.com/ruby/setup-ruby/pull/654">ruby/setup-ruby#654</a></li>
<li>Add truffleruby-24.1.1,truffleruby+graalvm-24.1.1 by <a
href="https://github.com/ruby-builder-bot"><code>@​ruby-builder-bot</code></a>
in <a
href="https://redirect.github.com/ruby/setup-ruby/pull/657">ruby/setup-ruby#657</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/ruby/setup-ruby/compare/v1.196.0...v1.197.0">https://github.com/ruby/setup-ruby/compare/v1.196.0...v1.197.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7bae1d00b5"><code>7bae1d0</code></a>
Add truffleruby-24.1.1,truffleruby+graalvm-24.1.1</li>
<li><a
href="4d521eadc8"><code>4d521ea</code></a>
Fix exclusion</li>
<li><a
href="1d9686e3ef"><code>1d9686e</code></a>
Mention the new ruby-asan under Supported Versions</li>
<li><a
href="bea2fb915c"><code>bea2fb9</code></a>
Add some details about using asan build.</li>
<li>See full diff in <a
href="f269373437...7bae1d00b5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruby/setup-ruby&package-manager=github_actions&previous-version=1.196.0&new-version=1.197.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-21 13:09:59 -04:00
.github Bump ruby/setup-ruby from 1.196.0 to 1.197.0 (#530) 2024-10-21 13:09:59 -04:00
docs Upgrade version and docs to 7.0 (#528) 2024-10-16 13:18:26 -04:00
lib Upgrade version and docs to 7.0 (#528) 2024-10-16 13:18:26 -04:00
spec deprecate block-all-mixed-content (#509) 2023-07-19 07:32:07 -04:00
.gitignore cleanup .gitignore 2016-03-01 01:22:07 -10:00
.rspec remove rspec block notation from Rakefile 2017-06-02 15:40:37 -04:00
.rubocop.yml Add rubocop-performance gem and config to fix deprecation message (#430) 2020-02-20 09:26:20 -10:00
.ruby-gemset rvmrc change 2014-06-09 14:12:36 -07:00
.ruby-version Update `.ruby-version` to `3.1.1` 2022-10-24 20:30:40 -07:00
CHANGELOG.md v6.5.0 2022-10-24 12:06:30 -07:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2017-04-21 09:17:33 -10:00
CONTRIBUTING.md Update CONTRIBUTING.md 2017-06-20 07:42:02 -10:00
Gemfile Make SecureSecurityPolicyConfig significantly faster (#506) 2023-08-11 14:20:28 -04:00
Guardfile fix rubocop violations 2017-06-01 23:45:03 -04:00
LICENSE Do years even matter? 2020-01-21 07:28:21 -10:00
README.md Update default X-XSS-Protection value to 0 (#479) 2024-08-08 20:09:11 -04:00
Rakefile remove rspec block notation from Rakefile 2017-06-02 15:40:37 -04:00
secure_headers.gemspec Upgrade version and docs to 7.0 (#528) 2024-10-16 13:18:26 -04:00

README.md

Secure Headers

The main branch represents the 6.x line. See the upgrading to 4.x doc, upgrading to 5.x doc, or upgrading to 6.x doc for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.

The gem will automatically apply several headers that are related to security. This includes:

It can also mark all HTTP cookies with the Secure, HttpOnly and SameSite attributes. This is on by default but can be turned off with config.cookies = SecureHeaders::OPT_OUT.

secure_headers is a library with a global config, per-request overrides, and Rack middleware that enables you to customize your application settings.

Documentation

Configuration

If you do not supply a default configuration, exceptions will be raised. To use the default configuration (which is fairly locked down), call SecureHeaders::Configuration.default without any arguments or block.

All nil values fall back to their default values. SecureHeaders::OPT_OUT disables the header entirely.

Word of caution: the following is not a default configuration per se; it is a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.

SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: true, # mark all cookies as "Secure"
    httponly: true, # mark all cookies as "HttpOnly"
    samesite: {
      lax: true # mark all cookies as SameSite=lax
    }
  }
  # Add "; preload" and submit the site to hstspreload.org for best protection.
  config.hsts = "max-age=#{1.week.to_i}"
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
  config.csp = {
    # "meta" values. these will shape the header, but the values are not included in the header.
    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
    disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.

    # directive values: these values will directly translate into source directives
    default_src: %w('none'),
    base_uri: %w('self'),
    child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
    connect_src: %w(wss:),
    font_src: %w('self' data:),
    form_action: %w('self' github.com),
    frame_ancestors: %w('none'),
    img_src: %w(mycdn.com data:),
    manifest_src: %w('self'),
    media_src: %w(utoob.com),
    object_src: %w('self'),
    sandbox: true, # true and [] will set a maximally restrictive setting
    plugin_types: %w(application/x-shockwave-flash),
    script_src: %w('self'),
    script_src_elem: %w('self'),
    script_src_attr: %w('self'),
    style_src: %w('unsafe-inline'),
    style_src_elem: %w('unsafe-inline'),
    style_src_attr: %w('unsafe-inline'),
    worker_src: %w('self'),
    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
    report_uri: %w(https://report-uri.io/example-csp)
  }
  # This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
  config.csp_report_only = config.csp.merge({
    img_src: %w(somewhereelse.com),
    report_uri: %w(https://report-uri.io/example-csp-report-only)
  })
end
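To make the relationship between the config hash above and the emitted header values concrete, here is an added example (not code from the secure_headers gem) that renders a hash in the README's shape into Content-Security-Policy and Content-Security-Policy-Report-Only values. It simplifies the gem's real rules: only the preserve_schemes meta key is modelled, nonce handling (disable_nonce_backwards_compatibility) is omitted, and the treatment of report-uri values is an assumption.

```ruby
# Added example, not the secure_headers gem's own code: a simplified renderer
# that turns a CSP config hash in the README's shape into header values.
# Nonce handling (disable_nonce_backwards_compatibility) is intentionally
# omitted; the gem's real rendering rules are more involved.

META_KEYS = %i[preserve_schemes disable_nonce_backwards_compatibility].freeze

# Host sources lose their scheme unless preserve_schemes is set; keywords
# ('self'), scheme-only sources (data:, wss:) are untouched by the regexp,
# and report-uri values are kept whole (assumption for this example).
def normalize_source(source, directive, preserve_schemes)
  return source if preserve_schemes || directive == "report-uri"
  source.sub(%r{\Ahttps?://}, "")
end

# Render one policy hash as a Content-Security-Policy header value.
def render_csp(csp)
  preserve = csp.fetch(:preserve_schemes, false)
  csp.reject { |key, _| META_KEYS.include?(key) }.filter_map do |key, value|
    directive = key.to_s.tr("_", "-")
    case value
    when true then directive # boolean directive, e.g. "upgrade-insecure-requests"
    when Array # sandbox: [] renders bare, exactly like sandbox: true
      ([directive] + value.map { |s| normalize_source(s, directive, preserve) }).join(" ")
    when String then "#{directive} #{value}"
    end # false and nil yield nil here and are dropped by filter_map
  end.join("; ")
end

# Mirror the README's csp_report_only = config.csp.merge(...) pattern: the
# enforced and report-only headers share everything except the merged keys.
def csp_headers(csp, report_only_overrides)
  {
    "Content-Security-Policy" => render_csp(csp),
    "Content-Security-Policy-Report-Only" => render_csp(csp.merge(report_only_overrides)),
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample in the README's shape (not a recommended policy).
  sample = {
    preserve_schemes: false,
    default_src: %w('none'),
    img_src: %w(https://mycdn.com data:),
    sandbox: true,
    upgrade_insecure_requests: true,
    report_uri: %w(https://report-uri.io/example-csp)
  }
  csp_headers(sample, img_src: %w(somewhereelse.com)).each { |h, v| puts "#{h}: #{v}" }
end
```

Running it shows the scheme being stripped from mycdn.com while data: and the report-uri survive, and the report-only header differing only in its img-src.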

Deprecated Configuration Values

Default values

All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:

Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
Strict-Transport-Security: max-age=631138519
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0

API configurations

Which headers you use for API responses is entirely up to you. Headers like X-Frame-Options seem to have no place in an API response and would waste bytes. While this is true, browsers can do funky things with non-HTML responses. At a minimum, we suggest CSP:

SecureHeaders::Configuration.override(:api) do |config|
  config.csp = { default_src: 'none' }
  config.hsts = SecureHeaders::OPT_OUT
  config.x_frame_options = SecureHeaders::OPT_OUT
  config.x_content_type_options = SecureHeaders::OPT_OUT
  config.x_xss_protection = SecureHeaders::OPT_OUT
  config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
end

However, I would consider these headers anyway, depending on your load and bandwidth requirements.

Acknowledgements

This project originated within the Security team at Twitter. An archived fork from the point of transition is here: https://github.com/twitter-archive/secure_headers.

Contributors include:

  • Neil Matatall @oreoshake
  • Chris Aniszczyk
  • Artur Dryomov
  • Bjørn Mæland
  • Arthur Chiu
  • Jonathan Viney
  • Jeffrey Horn
  • David Collazo
  • Brendon Murphy
  • William Makley
  • Reed Loden
  • Noah Kantrowitz
  • Wyatt Anderson
  • Salimane Adjao Moustapha
  • Francois Chagnon
  • Jeff Hodges
  • Ian Melven
  • Darío Javier Cravero
  • Logan Hasson
  • Raul E Rangel
  • Steve Agalloco
  • Nate Collings
  • Josh Kalderimis
  • Alex Kwiatkowski
  • Julich Mera
  • Jesse Storimer
  • Tom Daniels
  • Kolja Dummann
  • Jean-Philippe Doyle
  • Blake Hitchcock
  • vanderhoorn
  • orthographic-pedant
  • Narsimham Chelluri

If you've made a contribution and see your name missing from the list, make a PR and add it!

Similar libraries