A gem for testing that web applications don't generate mixed secure/insecure traffic. Keep that browser padlock locked!
rack-padlock

A toolkit for rack applications that ensures ALL content on a page adheres to your Content Security Policy. The browser padlock is pretty important for commercial web applications. Modern sites rely on so many third party services: analytics, video players, social media widgets. With all these moving parts it's easy to end up with a broken padlock. Rack-Padlock will increase the visibility of padlock problems to your development team, and it's dead easy to use.

Prerequisites

All you need to have is a rack based application! (Rails, Sinatra, Camping, etc...)

Setup

Add the rack-padlock gem to your test group:

group :test do
  gem 'rack-padlock'
end

Add the rack-padlock rake tasks to your app:

require 'rack/padlock'
load 'tasks/rack-padlock.rake'

Specify which URLs you want to test somewhere in your Rakefile:

Rack::Padlock.padlock_uris = ["/secure", "/insecure"]

If your application isn't a Rails app, you need to add an environment rake task to your Rakefile like this:

desc "setup application environment"
task :environment do
  require 'your rack application'
  Rack::Padlock.application = YourRackApplication
  Rack::Padlock.padlock_uris = ["/secure", "/insecure"]
end

Running Tests

Once you've set things up, simply run:

rake padlock

This will run the padlock tests. If any of your integration tests mix secure and insecure content, the padlock test will fail.

Example rack application

Have a look at a simple Sinatra application that demonstrates rack-padlock at https://github.com/joshuacronemeyer/rack-padlock-example-app

How it works

Rack-Padlock starts your Rack app under an SSL-enabled WEBrick server. It puts a custom middleware in front of your application that sets a Content Security Policy. That policy requires the browser to report any non-SSL activity back to the server. The custom middleware intercepts these reports and logs them. At the end of the run the rack-padlock test either succeeds or fails, depending on whether any policy violations were recorded.
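A middleware in the spirit of the one described above, written here as an added example (it is not rack-padlock's own code): it sends a policy that permits only https: sources, names a hypothetical report endpoint, and collects the violation reports the browser POSTs back, so a run can fail when any were recorded. The Rack env and the browser report are constructed inline so it runs offline.

```ruby
require 'json'
require 'stringio'

# Added example, not rack-padlock's own code: a Rack middleware that allows
# only https: sources and collects the browser's violation reports.
class PadlockMiddleware
  REPORT_PATH = '/__padlock_report' # hypothetical report endpoint
  POLICY = "default-src https:; report-uri #{REPORT_PATH}"
  attr_reader :violations

  def initialize(app)
    @app = app
    @violations = []
  end

  def call(env)
    return record_report(env) if env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == REPORT_PATH
    status, headers, body = @app.call(env)
    headers['Content-Security-Policy'] = POLICY # every page under test carries the policy
    [status, headers, body]
  end

  private

  # Parses one JSON violation report and remembers what the browser blocked
  def record_report(env)
    report = JSON.parse(env['rack.input'].read).fetch('csp-report', {})
    @violations << { document: report['document-uri'], blocked: report['blocked-uri'],
                     directive: report['violated-directive'] }
    [204, {}, []]
  rescue JSON::ParserError, TypeError, NoMethodError
    [400, { 'Content-Type' => 'text/plain' }, ['malformed CSP report']]
  end
end

# Minimal Rack env for running the middleware offline (constructed input)
def build_env(method, path, body = '')
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'rack.input' => StringIO.new(body) }
end

# Serves a page, then feeds back a constructed report about an http: script;
# returns the recorded violations (a padlock run fails when this is non-empty)
def padlock_run
  padlock = PadlockMiddleware.new(->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] })
  padlock.call(build_env('GET', '/secure'))
  report = { 'csp-report' => { 'document-uri' => 'https://localhost/secure',
                               'blocked-uri' => 'http://cdn.example/widget.js',
                               'violated-directive' => 'default-src https:' } }
  padlock.call(build_env('POST', PadlockMiddleware::REPORT_PATH, JSON.generate(report)))
  padlock.violations
end
```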

Not perfect

I have noticed that CSP doesn't check resources requested by Flash. But Google Chrome will break the padlock when Flash requests non-secure resources.