Bump to 5.0.0 and update docs with upgrade guide

This commit is contained in:
Neil Matatall 2017-10-04 08:48:53 -10:00
Parent 4e1b8c2654
Commit cc3d97b1da
6 changed files: 27 additions and 28 deletions

@ -1,10 +1,14 @@
## 5.0.0
Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
## 4.0.1
- Adds support for `worker-src` CSP directive to 4.x line (https://github.com/twitter/secureheaders/pull/364)
## 4.0
- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
- See the [upgrading to 4.0](docs/upgrading-to-4-0.md) guide. Lots of breaking changes.
## 3.7.2
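Review bot: the new `## 5.0.0` entry has a typo ("embarassing" should be "embarrassing") and runs the explanation and the "- See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide." pointer together on one line, unlike every other entry in this changelog, which puts each item on its own `- ` bullet; split the pointer onto its own bullet so it renders as a list item. The 4.0 entry's link is correctly moved under `docs/`, matching where the guides now live.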
@ -322,7 +326,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
## 3.0.0
secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning
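Review bot: the 3.0.0 entry keeps an absolute `https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md` URL while the 4.0 and 5.0 entries in the hunk above use relative `docs/...` paths. Either works, but the absolute URL is pinned to `master`, so if the guide is moved again this historical entry breaks a second time; a relative link is consistent with the rest of the changelog and survives branch renames.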

@ -1,8 +1,8 @@
# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
**master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
**master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
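Review bot: the rewritten sentence "master represents 5.x line" is missing an article ("master represents the 5.x line"), and the two paragraphs after it go stale with this change: the "[3.x]" link still points at `tree/2.x` (pre-existing, but worth fixing while the line is being touched), and the 2.x paragraph still reads "will be not be maintained once 4.x is released" (doubled "be", and per the changelog 4.x has already shipped) and then says "The documentation below only applies to the 3.x branch", which contradicts master now documenting 5.x. Suggest updating those two paragraphs in the same commit rather than leaving the README self-contradictory.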
@ -55,7 +55,7 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
**Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
**Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
```ruby
SecureHeaders::Configuration.default do |config|
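Review bot: the two "Word of caution" lines are identical as rendered, so this hunk is a whitespace-only change (most likely trailing whitespace). Harmless, but it is unrelated to the version bump and adds noise to the README diff; if the editor is stripping trailing whitespace automatically, consider doing that in a separate cleanup commit.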

@ -1,26 +1,6 @@
### Breaking Changes
The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
## All cookies default to secure/httponly/SameSite=Lax
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
```ruby
# specific opt outs
config.cookies = {
secure: SecureHeaders::OPT_OUT,
httponly: SecureHeaders::OPT_OUT,
samesite: SecureHeaders::OPT_OUT,
}
# nuclear option, just make things work again
config.cookies = SecureHeaders::OPT_OUT
```
## script_src must be set
Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
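Review bot: removing the cookie section from the 4.0 guide leaves its intro out of date: "The most likely change to break your app is the new cookie defaults. This is the first place to check." now refers to a section that no longer exists in this file, since the changelog in this commit says the cookie defaults only take effect in 5.0 and documents them in `docs/upgrading-to-5-0.md`. Either drop that sentence from the 4.0 guide or replace it with a pointer to the 5.0 guide. The two identical `script_src` paragraph lines are another whitespace-only change.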

docs/upgrading-to-5-0.md (new file, 15 additions)

@ -0,0 +1,15 @@
## All cookies default to secure/httponly/SameSite=Lax
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
```ruby
# specific opt outs
config.cookies = {
secure: SecureHeaders::OPT_OUT,
httponly: SecureHeaders::OPT_OUT,
samesite: SecureHeaders::OPT_OUT,
}
# nuclear option, just make things work again
config.cookies = SecureHeaders::OPT_OUT
```
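Review bot: the new `docs/upgrading-to-5-0.md` opens at a `##` heading with no `### Breaking Changes` intro like the 4.0 guide has, and the snippet uses `config.cookies` without the enclosing `SecureHeaders::Configuration.default do |config| ... end` block shown in the README, so a reader pasting it verbatim gets an undefined `config`. The prose also tells the reader to set `SecureHeaders.cookies` while the code sets `config.cookies`; pick one name. Since the text states that `false` now raises an error, a one-line note that an existing `secure: false` / `httponly: false` configuration must be changed to `SecureHeaders::OPT_OUT` would save upgraders a failed boot.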

@ -2,7 +2,7 @@
# frozen_string_literal: true
Gem::Specification.new do |gem|
gem.name = "secure_headers"
gem.version = "4.0.1"
gem.version = "5.0.0.alpha01"
gem.authors = ["Neil Matatall"]
gem.email = ["neil.matatall@gmail.com"]
gem.description = "Manages application of security headers with many safe defaults."
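Review bot: `gem.version` is set to `"5.0.0.alpha01"`, but the commit message says "Bump to 5.0.0" and the changelog entry added in this commit is headed `## 5.0.0`; if this is intended as a prerelease, the changelog heading and post-install message should say so, otherwise the version string should be `"5.0.0"`. Note that RubyGems treats a version containing letters such as `.alpha01` as a prerelease, so a plain `gem install secure_headers` will not resolve to it without `--pre`.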
@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
gem.post_install_message = <<-POST_INSTALL
**********
:wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
**********
POST_INSTALL
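Review bot: the updated post-install message repeats the same URL twice and both copies point at `docs/upgrading-to-4-0.md`; the 5.0 breaking change (cookie defaults) is documented in `docs/upgrading-to-5-0.md`, which this commit adds, so the second URL should be that guide, or the duplicate should be dropped. Since this message is shown on install of 5.0, it is the one place users upgrading from 4.x will see, and it currently gives them no link to the 5.0 guide.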