Manages application of security headers with many safe defaults
Перейти к файлу
Nate Collings 69f9a3d4b7 Rails 4 specs 2015-01-18 15:51:59 -07:00
fixtures Rails 4 specs 2015-01-18 15:51:59 -07:00
lib Proper X-Content-Type-Options name 2015-01-18 15:48:38 -07:00
spec Merge pull request #123 from stve/x-permitted-cross-domain-policies 2014-11-19 22:12:40 -08:00
.gitignore update .gitignore 2014-10-14 23:14:08 -07:00
.ruby-gemset rvmrc change 2014-06-09 14:12:36 -07:00
.ruby-version rvmrc change 2014-06-09 14:12:36 -07:00
.travis.yml Update .travis.yml 2014-12-17 12:15:07 -08:00
Gemfile Kill guard 2014-12-05 18:02:29 -08:00
LICENSE Initial Commit 2013-01-22 15:21:54 -08:00
README.md Update README.md 2014-12-05 18:09:15 -08:00
Rakefile Rails 4 specs 2015-01-18 15:51:59 -07:00
secure_headers.gemspec Update secure_headers.gemspec 2014-11-19 23:30:27 -08:00
travis.sh Fix 1.9.3 syntax issue and Gems 2013-02-19 16:33:20 -08:00

README.md

SecureHeaders Build Status Code Climate Coverage Status

The gem will automatically apply several headers that are related to security. This includes:

Usage

  • ensure_security_headers in a controller will set security-related headers automatically based on the configuration below.

Disabling

Use the standard skip_before_filter :filter_name, options mechanism. e.g. skip_before_filter :set_csp_header, :only => :tinymce_page

The following methods are going to be called, unless they are provided in a skip_before_filter block.

  • :set_csp_header
  • :set_hsts_header
  • :set_x_frame_options_header
  • :set_x_xss_protection_header
  • :set_x_content_type_options_header
  • :set_x_download_options_header
  • :set_x_permitted_cross_domain_policies_header

Bonus Features

This gem makes a few assumptions about how you will use some features. For example:

  • It fills any blank directives with the value in :default_src Getting a default-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true. This is referred to as the "effective-directive" in the spec, but is not well supported as of Nov 5, 2013.

Configuration

Place the following in an initializer (recommended):

::SecureHeaders::Configuration.configure do |config|
  config.hsts = {:max_age => 20.years.to_i, :include_subdomains => true}
  config.x_frame_options = 'DENY'
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = {:value => 1, :mode => 'block'}
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.csp = {
    :default_src => "https: self",
    :frame_src => "https: http:.twimg.com http://itunes.apple.com",
    :img_src => "https:",
    :report_uri => '//example.com/uri-directive'
  }
end

# and then simply include this in application_controller.rb
class ApplicationController < ActionController::Base
  ensure_security_headers
end

Or simply add it to application controller

ensure_security_headers(
  :hsts => {:include_subdomains => true, :max_age => 20.years.to_i},
  :x_frame_options => 'DENY',
  :csp => false
)

Options for ensure_security_headers

To disable any of these headers, supply a value of false (e.g. :hsts => false), supplying nil will set the default value

Each header configuration can take a hash, or a string, or both. If a string is provided, that value is inserted verbatim. If a hash is supplied, a header will be constructed using the supplied options.

The Easy Headers

This configuration will likely work for most applications without modification.

:hsts             => {:max_age => 631138519, :include_subdomains => false}
:x_frame_options  => {:value => 'SAMEORIGIN'}
:x_xss_protection => {:value => 1, :mode => 'block'}  # set the :mode option to false to use "warning only" mode
:x_content_type_options => {:value => 'nosniff'}
:x_download_options => {:value => 'noopen'}
:x_permitted_cross_domain_policies => {:value => 'none'}

Content Security Policy (CSP)

:csp => {
  :enforce     => false,        # sets header to report-only, by default
  # default_src is required!
  :default_src     => nil,      # sets the default-src/allow+options directives

  # Where reports are sent. Use protocol relative URLs if you are posting to the same domain (TLD+1). Use paths if you are posting to the application serving the header
  :report_uri  => '//mysite.example.com',

  # these directives all take 'none', 'self', or a globbed pattern
  :img_src     => nil,
  :frame_src   => nil,
  :connect_src => nil,
  :font_src    => nil,
  :media_src   => nil,
  :object_src  => nil,
  :style_src   => nil,
  :script_src  => nil,

  # http additions will be appended to the various directives when
  # over http, relaxing the policy
  # e.g.
  # :csp => {
  #   :img_src => 'https:',
  #   :http_additions => {:img_src => 'http'}
  # }
  # would produce the directive: "img-src https: http:;"
  # when over http, ignored for https requests
  :http_additions => {}
}

Example CSP header config

# most basic example
:csp => {
  :default_src => "https: inline eval",
  :report_uri => '/uri-directive'
}

> "default-src 'unsafe-inline' 'unsafe-eval' https:; report-uri /uri-directive;"

# turn off inline scripting/eval
:csp => {
  :default_src => 'https:',
  :report_uri => '/uri-directive'
}

> "default-src  https:; report-uri /uri-directive;"

# Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
:csp => {
  :default_src => 'self',
  :img_src => '*',
  :object_src => ['media1.com', 'media2.com', '*.cdn.com'],
  # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
  :script_src => 'trustedscripts.example.com'
}
"default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"

Tagging Requests

It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"

{
  :tag_report_uri => true,
  :enforce => true,
  :app_name => 'twitter',
  :report_uri => 'csp_reports'
}

Results in

report-uri csp_reports?enforce=true&app_name=twitter

CSP Level 2 features

NOTE: Currently, only erb is supported. Mustache support isn't far off. Hash sources are valid for inline style blocks but are not yet supported by secure_headers.

Nonce

script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.

Setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.

:csp => {
  :default_src => 'self',
  :script_src => 'self nonce'
}

content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'

<script nonce="<%= @content_security_policy_nonce %>">
  console.log("whitelisted, will execute")
</script>

<script nonce="lol">
  console.log("won't execute, not whitelisted")
</script>

<script>
  console.log("won't execute, not whitelisted")
</script>

You can use a view helper to automatically add nonces to script tags:

<%= nonced_javascript_tag do %>
  console.log("nonced!")
<% end %>
<%= nonced_javascript_tag("nonced without a block!") %>

becomes:

<script nonce="/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=">
console.log("nonced!")
</script>

Hash

setting hash source values will also set 'unsafe-inline' for browsers that don't support hash sources for backwards compatibility. 'unsafe-inline' is ignored if a hash is present in a directive in compliant browsers.

Hash source support works by taking the hash value of the contents of an inline script block and adding the hash "fingerprint" to the CSP header.

If you only have a few hashes, you can hardcode them for the entire app:

  config.csp = {
    :default_src => "https:",
    :script_src => 'self'
    :script_hashes => ['sha1-abc', 'sha1-qwe']
  }

The following will work as well, but may not be as clear:

  config.csp = {
    :default_src => "https:",
    :script_src => "self 'sha1-qwe'"
  }

If you find you have many hashes or the content of the script tags change frequently, you can apply these hashes in a more intelligent way. This method expects config/script_hashes.yml to contain a map of templates => [hashes]. When the individual templates, layouts, or partials are rendered the hash values for the script tags in those templates will be automatically added to the header. Currently, only erb layouts are supported. This requires the use of middleware:

# config.ru
require 'secure_headers/headers/content_security_policy/script_hash_middleware'
use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
  config.csp = {
    :default_src => "https:",
    :script_src => 'self',
    :script_hash_middleware => true
  }

Hashes are stored in a yaml file with a mapping of Filename => [list of hashes] in config/script_hashes.yml. You can automatically populate this file by running the following rake task:

$ bundle exec rake secure_headers:generate_hashes

Which will generate something like:

# config/script_hashes.yml
app/views/layouts/application.html.erb:
- sha256-l8OLjZqYRnKilpdE0VosRMvhdYArjXT4NZaK2p7QVvs=
app/templates/articles/edit.html.erb:
- sha256-+7mij1/uCwtCQRWrof2NmOln5qX+5WdVwTLMpi8nuoA=
- sha256-Ny4TRIhhFpnYnSeKC274P6bfAz4TOkezLabavIAU4dA=
- sha256-I5e58Gqbu4WpO9dck18QxO7aYOHKrELIi70it4jIPi0=
- sha256-Po4LMynwnAJHxiTp3DQaQ3YDBj3paN/xrDoKl4OyxY4=

In this example, if we visit /articles/edit/[id], the above hashes will automatically be added to the CSP header's script-src value!

You can use plain "script" tags or you can use a built-in helper:

<%= hashed_javascript_tag do %>
console.log("hashed automatically!")
<% end %>

By using the helper, hash values will be computed dynamically in development/test environments. If a dynamically computed hash value does not match what is expected to be found in config/script_hashes.yml a warning message will be printed to the console. If you want to raise exceptions instead, use:

<%= hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
console.log("will raise an exception if not in script_hashes.yml!")
<% end %>

Using with Sinatra

Here's an example using SecureHeaders for Sinatra applications:

require 'rubygems'
require 'sinatra'
require 'haml'
require 'secure_headers'

::SecureHeaders::Configuration.configure do |config|
  config.hsts = {:max_age => 99, :include_subdomains => true}
  config.x_frame_options = 'DENY'
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = {:value => 1, :mode => false}
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.csp = {
    :default_src => "https: inline eval",
    :report_uri => '//example.com/uri-directive',
    :img_src => "https: data:",
    :frame_src => "https: http:.twimg.com http://itunes.apple.com"
  }
end

class Donkey < Sinatra::Application
  include SecureHeaders
  set :root, APP_ROOT

  get '/' do
    set_csp_header
    haml :index
  end
end

Using with Padrino

You can use SecureHeaders for Padrino applications as well:

In your Gemfile:

  gem "secure_headers", :require => 'secure_headers'

then in your app.rb file you can:

require 'secure_headers/padrino'

module Web
  class App < Padrino::Application
    register SecureHeaders::Padrino

    get '/' do
      set_csp_header
      render 'index'
    end
  end
end

and in config/boot.rb:

def before_load
  ::SecureHeaders::Configuration.configure do |config|
    config.hsts                   = {:max_age => 99, :include_subdomains => true}
    config.x_frame_options        = 'DENY'
    config.x_content_type_options = "nosniff"
    config.x_xss_protection       = {:value   => '1', :mode => false}
    config.x_download_options     = 'noopen'
    config.x_permitted_cross_domain_policies = 'none'
    config.csp                    = {
      :default_src => "https: inline eval",
      :report_uri => '//example.com/uri-directive',
      :img_src => "https: data:",
      :frame_src => "https: http:.twimg.com http://itunes.apple.com"
    }
  end
end

Similar libraries

Authors

  • Neil Matatall @ndm - primary author.
  • Nicholas Green @nickgreen - code contributions, main reviewer.

Acknowledgements

  • Justin Collins @presidentbeef & Jim O'Leary @jimio for reviews.
  • Ian Melven @imelven - Discussions/info about CSP in general, made us aware of the userCSP Mozilla extension.
  • Sumit Shah @omnidactyl - For being an eager guinea pig.
  • Chris Aniszczyk @cra - For running an awesome open source program at Twitter.

License

Copyright 2013-2014 Twitter, Inc and other contributors.

Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0