Module: SecureHeaders::InstanceMethods
- Defined in:
- lib/secure_headers.rb
Instance Method Summary
- #prep_script_hash ⇒ Object
- #save_hash_for_later(payload) ⇒ Object
-
#set_csp_header(req = nil, config = nil) ⇒ Object
set_csp_header - uses the request accessor and SecureHeader::Configuration settings
set_csp_header(Rack::Request) - uses the parameter and SecureHeader::Configuration settings
set_csp_header(Hash) - uses the request accessor and options from parameters
set_csp_header(Rack::Request, Hash).
- #set_hpkp_header(options = ) ⇒ Object
- #set_hsts_header(options = ) ⇒ Object
- #set_security_headers(options = self.class.secure_headers_options) ⇒ Object
- #set_x_content_type_options_header(options = ) ⇒ Object
- #set_x_download_options_header(options = ) ⇒ Object
- #set_x_frame_options_header(options = ) ⇒ Object
- #set_x_permitted_cross_domain_policies_header(options = ) ⇒ Object
- #set_x_xss_protection_header(options = ) ⇒ Object
Instance Method Details
#prep_script_hash ⇒ Object
# File 'lib/secure_headers.rb', line 139
# Captures the configured script hashes and subscribes to the ActionView
# render notifications so that the hashes belonging to each rendered
# template/partial can be remembered for the current request
# (see #save_hash_for_later).
#
# Does nothing unless SecureHeaders::Configuration.script_hashes is set.
# The configured table is shallow-copied (dup) into @script_hashes.
#
# NOTE(review): every call registers two ActiveSupport::Notifications
# subscribers and nothing here unsubscribes them; if this runs once per
# request the subscriptions accumulate. Confirm how often the caller
# (outside this page) invokes it.
#
# @return [Object, nil] the value of the last subscribe call, or nil when
#   no script hashes are configured
def prep_script_hash
  configured = ::SecureHeaders::Configuration.script_hashes
  return unless configured

  @script_hashes = configured.dup
  # Only the payload is of interest; name, timestamps and id are ignored.
  record = proc { |_name, _started, _finished, _id, payload| save_hash_for_later payload }
  ActiveSupport::Notifications.subscribe("render_partial.action_view", &record)
  ActiveSupport::Notifications.subscribe("render_template.action_view", &record)
end
#save_hash_for_later(payload) ⇒ Object
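# File 'lib/secure_headers.rb', line 152
# Records, on the current request, the script hashes that belong to the
# template or partial ActionView just rendered (plus those of its layout, if
# any). They are accumulated in request.env[HASHES_ENV_KEY]; what consumes
# them is outside this page (presumably the CSP header construction).
#
# Fix: the original appended the layout hashes into the array stored in
# @script_hashes itself. Since @script_hashes is only a shallow copy of the
# configuration, every render mutated the shared per-template array, so the
# stored list (and the resulting header) grew by one layout entry per render.
# A fresh array is now built per call and the stored tables are never mutated.
#
# @param payload [Hash] ActionView notification payload; reads :identifier
#   (absolute template path) and :layout (layout name, optional)
# @return [Array<String>, nil] the hashes now stored on the request, or nil
#   when nothing matched
def save_hash_for_later payload
  # Nothing to look up without a template path.
  return unless payload[:identifier]

  # Templates are keyed by their path relative to Rails.root.
  template_key = payload[:identifier].gsub(Rails.root.to_s + "/", "")
  matching_hashes = (@script_hashes[template_key] || []).dup

  if payload[:layout]
    # We're assuming an html.erb layout for now. Will need to handle mustache too, just not sure of the best way to do this
    layout_key = File.join("app", "views", payload[:layout]) + '.html.erb'
    layout_hashes = @script_hashes[layout_key]
    matching_hashes << layout_hashes if layout_hashes
  end

  return unless matching_hashes.any?

  # Accumulate across renders without mutating whatever is already in env.
  existing = request.env[HASHES_ENV_KEY] || []
  request.env[HASHES_ENV_KEY] = (existing + matching_hashes).flatten
end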
#set_csp_header(req = nil, config = nil) ⇒ Object
set_csp_header - uses the request accessor and SecureHeader::Configuration settings
set_csp_header(Rack::Request) - uses the parameter and SecureHeader::Configuration settings
set_csp_header(Hash) - uses the request accessor and options from parameters
set_csp_header(Rack::Request, Hash)
# File 'lib/secure_headers.rb', line 120
# Sets the Content-Security-Policy header, or hands it to the middleware.
#
# Accepted call forms:
#   set_csp_header                       request accessor + class-level options
#   set_csp_header(Rack::Request)        same; the positional request is only
#                                        type-tested, +request+ is still used
#   set_csp_header(Hash)                 request accessor + the given options
#   set_csp_header(Rack::Request, Hash)  both given
# A +false+ in either position turns the header off for this request.
#
# @param req [Rack::Request, Hash, false, nil]
# @param config [Hash, false, nil] CSP options; nil falls back to the
#   class-level :csp options before going through secure_header_options_for
# @return [void]
def set_csp_header(req = nil, config = nil)
  # A Hash or false in the first slot is really the config.
  case req
  when Hash, false
    config = req
  end
  config = self.class.secure_headers_options[:csp] if config.nil?
  config = secure_header_options_for(:csp, config)

  return if config == false

  if config && config[:script_hash_middleware]
    # Header construction is deferred to the middleware - presumably so the
    # per-request script hashes (see #save_hash_for_later) can be included;
    # confirm in ContentSecurityPolicy.add_to_env.
    ContentSecurityPolicy.add_to_env(request, self, config)
  else
    csp_header = ContentSecurityPolicy.new(config, :request => request, :controller => self)
    set_header(csp_header)
  end
end
#set_hpkp_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 184
# Sets the Public-Key-Pins header, but only over TLS (browsers ignore pins
# delivered over plain HTTP, and sending them there would be meaningless).
#
# NOTE(review): HPKP has since been deprecated and dropped by major
# browsers; a wrong pin set can lock clients out for the pin lifetime, so
# this should be enabled deliberately and with a tested backup pin.
#
# @param options [Hash, false, nil] pin options; defaults to the class-level
#   :hpkp options and is then passed through secure_header_options_for.
#   false (or a nil result) disables the header.
# @return [void]
def set_hpkp_header(options = self.class.secure_headers_options[:hpkp])
  return unless request.ssl?

  config = secure_header_options_for(:hpkp, options)
  # nil and false both mean "no header".
  return unless config

  set_header(PublicKeyPins.new(config))
end
#set_hsts_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 179
# Sets the Strict-Transport-Security header, only over TLS: browsers ignore
# HSTS on plain HTTP responses, so there is nothing to send there.
#
# @param options [Hash, false, nil] HSTS options; defaults to the
#   class-level :hsts options. Resolution of nil/false happens in set_a_header.
# @return [void]
def set_hsts_header(options = self.class.secure_headers_options[:hsts])
  set_a_header(:hsts, StrictTransportSecurity, options) if request.ssl?
end
#set_security_headers(options = self.class.secure_headers_options) ⇒ Object
# File 'lib/secure_headers.rb', line 105
# Sets every header this module knows about, each from its own slot in
# +options+. Missing slots are passed through as nil, so each setter's own
# fallback applies; a slot of false disables that header.
#
# @param options [Hash] per-header options keyed by :csp, :hsts, :hpkp,
#   :x_frame_options, :x_xss_protection, :x_content_type_options,
#   :x_download_options and :x_permitted_cross_domain_policies
# @return [void]
def set_security_headers(options = self.class.secure_headers_options)
  # CSP additionally receives the request; the others take only their options.
  set_csp_header(request, options[:csp])

  # Remaining setters, kept in the original emission order.
  setters = {
    :hsts => :set_hsts_header,
    :hpkp => :set_hpkp_header,
    :x_frame_options => :set_x_frame_options_header,
    :x_xss_protection => :set_x_xss_protection_header,
    :x_content_type_options => :set_x_content_type_options_header,
    :x_download_options => :set_x_download_options_header,
    :x_permitted_cross_domain_policies => :set_x_permitted_cross_domain_policies_header
  }
  setters.each { |key, setter| send(setter, options[key]) }
end
#set_x_content_type_options_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 171
# Sets the X-Content-Type-Options header (nosniff stops browsers from
# second-guessing the declared Content-Type, which matters for content that
# could otherwise be sniffed into script or HTML).
#
# @param options [Hash, false, nil] defaults to the class-level
#   :x_content_type_options options; nil/false resolution is in set_a_header
# @return [void]
def set_x_content_type_options_header(options = self.class.secure_headers_options[:x_content_type_options])
  set_a_header(:x_content_type_options, XContentTypeOptions, options)
end
#set_x_download_options_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 194
# Sets the X-Download-Options header (an IE-specific header; "noopen" keeps
# downloads from being opened directly in the site's security context).
#
# @param options [Hash, false, nil] defaults to the class-level
#   :x_download_options options; nil/false resolution is in set_a_header
# @return [void]
def set_x_download_options_header(options = self.class.secure_headers_options[:x_download_options])
  set_a_header(:x_download_options, XDownloadOptions, options)
end
#set_x_frame_options_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 167
# Sets the X-Frame-Options header, the legacy clickjacking control that
# tells browsers whether the page may be framed.
#
# @param options [Hash, false, nil] defaults to the class-level
#   :x_frame_options options; nil/false resolution is in set_a_header
# @return [void]
def set_x_frame_options_header(options = self.class.secure_headers_options[:x_frame_options])
  set_a_header(:x_frame_options, XFrameOptions, options)
end
#set_x_permitted_cross_domain_policies_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 198
# Sets the X-Permitted-Cross-Domain-Policies header, which limits whether
# Flash/PDF style clients may honour cross-domain policy files for this host.
#
# @param options [Hash, false, nil] defaults to the class-level
#   :x_permitted_cross_domain_policies options; nil/false resolution is in
#   set_a_header
# @return [void]
def set_x_permitted_cross_domain_policies_header(options = self.class.secure_headers_options[:x_permitted_cross_domain_policies])
  set_a_header(:x_permitted_cross_domain_policies, XPermittedCrossDomainPolicies, options)
end
#set_x_xss_protection_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 175
# Sets the X-XSS-Protection header, which drives the browser's built-in
# reflective XSS filter.
#
# NOTE(review): current browsers have removed this filter; a CSP is the
# effective control, and this header is best treated as legacy hardening.
#
# @param options [Hash, false, nil] defaults to the class-level
#   :x_xss_protection options; nil/false resolution is in set_a_header
# @return [void]
def set_x_xss_protection_header(options = self.class.secure_headers_options[:x_xss_protection])
  set_a_header(:x_xss_protection, XXssProtection, options)
end