Project

rack-secure_headers

0.01
No commit activity in last 3 years
No release in over 3 years
rack-secure_headersfrodsan/rack-secure_headersHomepageDocumentationSource CodeBug TrackerWiki
Security related HTTP headers for Rack applications
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
14,028
Stars
20
Forks
4
Watchers
1
 Releases
Current version
0.0.3
Total releases
3
First release
2015-09-21
Latest release
2016-01-01
 Issues
Open Issues
1
Closed Issues
0
Total Issues
1
Issue Closure Rate
0%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
1
Merged Pull Requests
1
Pull Request Acceptance Rate
50%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2016-09-02
Reverse Dependencies
0

 Dependencies

Development

minitest
~> 5.8
minitest-sugar
~> 2.1
rake
~> 10.0

Runtime

rack
~> 1.6
 Project Readme

rack-secure_headers Build Status

Security related HTTP headers for Rack applications.

Description

Implements OWASP's List of useful HTTP headers.

Installation

Add this line to your application's Gemfile:

gem "rack-secure_headers"

And then execute:

$ bundle

Or install it yourself as:

$ gem install rack-secure_headers

Usage

# config.ru
require "rack/secure_headers"

use(Rack::SecureHeaders, options)

Options

This is a list of the supported options included by default. To disable any default, pass nil (e.g. option: nil).

Option Header Default
:hsts Strict-Transport-Security { max_age: "31536000", include_subdomains: true }
:x_content_type_options X-Content-Type-Options "nosniff"
:x_frame_options X-Frame-Options "SAMEORIGIN"
:x_permited_cross_domain X-Permitted-Cross-Domain-Policies "none"
:x_xss_protection X-XSS-Protection "1; mode=block"

Headers

This is a list of the supported HTTP headers:

  • Strict-Transport-Security:

    Ensures the browser never visits the http version of a website. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. Supported options:

    • :max_age: The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. Defaults to 1 year.
    • :includeSubdomains: If this is true, this rule is applied to all of the site's subdomains as well. Defaults to true.
    • :preload: A limitation of HSTS is that the initial request remains unprotected if it uses HTTP. The same applies to the first request after the activity period specified by max-age. Chrome, Firefox and IE11+ implements a "STS preloaded list", which contains known sites supporting HSTS. If you would like your domain to be included in the preloaded list, set this options to true and submit your domain to this form.

  • X-Content-Type-Options:

    Prevents IE and Chrome from content type sniffing.

  • X-Frame-Options (XFO):

    Provides Clickjacking protection. Supported values:

    • DENY - Prevents any domain from framing the content.
    • SAMEORIGIN - Only allows current site to frame the content.
    • ALLOW-FROM URI - Allows the specified URI to frame the content (only IE8+ and Firefox).

    Check the X-Frame-Options draft for more information.

  • X-Permitted-Cross-Domain-Policies:

    Restrict Adobe Flash Player's access to data. Check this article for more information.

  • X-XSS-Protection:

    Enables the XSS protection filter built into IE, Chrome and Safari. Supported values are 0, which disables the protection, 1 which enables it and 1; mode=block (default) which tells the browser to block the response if it detects an attack. This filter is usually enabled by default, the use of this header is to re-enable it if it was disabled by the user.

Use https://securityheaders.io to asses the security related HTTP headers used by your site.

TODO

  • HTTP Public Key Pinning (HPKP).
  • Content Security Policy (CSP).

Contributing

Fork the project with:

$ git clone git@github.com:frodsan/rack-secure_headers.git

To install dependencies, use:

$ bundle install

To run the test suite, do:

$ rake test

For bug reports and pull requests use GitHub.

License

This gem is released under the MIT License.