Manages application of security headers with many safe defaults
Neil Matatall 87dba71b92
consolidate escape sequence capturing in one validation, add suspenders to check if one snuck by
2020-01-23 12:45:49 -10:00
.github Add basic checklist to PR template 2016-07-08 16:38:36 -10:00
docs Fix references to OPT_OUT constant 2020-01-11 12:42:22 +09:00
lib consolidate escape sequence capturing in one validation, add suspenders to check if one snuck by 2020-01-23 12:45:49 -10:00
spec consolidate escape sequence capturing in one validation, add suspenders to check if one snuck by 2020-01-23 12:45:49 -10:00
.gitignore cleanup .gitignore 2016-03-01 01:22:07 -10:00
.rspec remove rspec block notation from Rakefile 2017-06-02 15:40:37 -04:00
.rubocop.yml add rubocop-github 2017-06-01 23:45:03 -04:00
.ruby-gemset rvmrc change 2014-06-09 14:12:36 -07:00
.ruby-version ok, maybe not that recent 2020-01-07 15:55:19 -10:00
.travis.yml let's get some more modern ruby while we're at it 2020-01-07 15:54:45 -10:00
CHANGELOG.md bump to 6.3 2020-01-21 13:05:37 -10:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2017-04-21 09:17:33 -10:00
CONTRIBUTING.md Update CONTRIBUTING.md 2017-06-20 07:42:02 -10:00
Gemfile pin rubocop to 'legacy' rubocop-github https://github.com/github/rubocop-github#legacy-usage 2020-01-07 15:44:53 -10:00
Guardfile fix rubocop violations 2017-06-01 23:45:03 -04:00
LICENSE Do years even matter? 2020-01-21 07:28:21 -10:00
README.md Remove outdated APL license blurb from readme, use only the LICENSE file 2020-01-21 07:28:51 -10:00
Rakefile remove rspec block notation from Rakefile 2017-06-02 15:40:37 -04:00
secure_headers.gemspec clean up some linter errors showing up in newer CI 2019-06-25 14:22:52 -10:00

README.md

Secure Headers

The master branch represents the 6.x line. See the upgrading to 4.x doc, upgrading to 5.x doc, or upgrading to 6.x doc for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.

The gem will automatically apply several headers that are related to security. This includes Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, X-Download-Options, X-Permitted-Cross-Domain-Policies, Referrer-Policy, Public-Key-Pins and Clear-Site-Data; the configuration sample and default values below show each of them.

It can also mark all HTTP cookies with the Secure, HttpOnly and SameSite attributes. This is on by default but can be turned off by using config.cookies = SecureHeaders::OPT_OUT.

secure_headers is a library with a global config, per-request overrides, and Rack middleware that enables you to customize your application's settings.

Documentation

Configuration

If you do not supply a default configuration, exceptions will be raised. If you would like to use a default configuration (which is fairly locked down), just call SecureHeaders::Configuration.default without any arguments or block.

All nil values will fallback to their default values. SecureHeaders::OPT_OUT will disable the header entirely.

Word of caution: The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.

SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: true, # mark all cookies as "Secure"
    httponly: true, # mark all cookies as "HttpOnly"
    samesite: {
      lax: true # mark all cookies as SameSite=lax
    }
  }
  # Add "; preload" and submit the site to hstspreload.org for best protection.
  config.hsts = "max-age=#{1.week.to_i}"
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
  config.csp = {
    # "meta" values. these will shape the header, but the values are not included in the header.
    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
    disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.

    # directive values: these values will directly translate into source directives
    default_src: %w('none'),
    base_uri: %w('self'),
    block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
    child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
    connect_src: %w(wss:),
    font_src: %w('self' data:),
    form_action: %w('self' github.com),
    frame_ancestors: %w('none'),
    img_src: %w(mycdn.com data:),
    manifest_src: %w('self'),
    media_src: %w(utoob.com),
    object_src: %w('self'),
    sandbox: true, # true and [] will set a maximally restrictive setting
    plugin_types: %w(application/x-shockwave-flash),
    script_src: %w('self'),
    style_src: %w('unsafe-inline'),
    worker_src: %w('self'),
    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
    report_uri: %w(https://report-uri.io/example-csp)
  }
  # This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
  config.csp_report_only = config.csp.merge({
    img_src: %w(somewhereelse.com),
    report_uri: %w(https://report-uri.io/example-csp-report-only)
  })
end

Default values

All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:

Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
Strict-Transport-Security: max-age=631138519
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 1; mode=block

API configurations

Which headers you decide to use for API responses is entirely a personal choice. Things like X-Frame-Options seem to have no place in an API response and would be wasting bytes. While this is true, browsers can do surprising things with non-HTML responses (a JSON or text body that a user navigates to directly is still rendered by the browser). At the minimum, we suggest a CSP that denies everything:

SecureHeaders::Configuration.override(:api) do |config|
  # directive values are arrays of strings; a bare "'none'" string is rejected by config validation
  config.csp = { default_src: %w('none') }
  config.hsts = SecureHeaders::OPT_OUT
  config.x_frame_options = SecureHeaders::OPT_OUT
  # nosniff is cheap and keeps browsers from sniffing a JSON/text body as HTML; consider keeping it
  config.x_content_type_options = SecureHeaders::OPT_OUT
  config.x_xss_protection = SecureHeaders::OPT_OUT
  config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
end

However, I would still consider sending these headers anyway unless your load and bandwidth requirements rule out the extra bytes; X-Content-Type-Options: nosniff in particular costs almost nothing and closes off MIME sniffing of API responses.

Similar libraries