Module: Rack::Protection

Defined in:
lib/rack/protection.rb,
lib/rack/protection/base.rb,
lib/rack/protection/version.rb,
lib/rack/protection/json_csrf.rb,
lib/rack/protection/form_token.rb,
lib/rack/protection/xss_header.rb,
lib/rack/protection/http_origin.rb,
lib/rack/protection/ip_spoofing.rb,
lib/rack/protection/remote_token.rb,
lib/rack/protection/frame_options.rb,
lib/rack/protection/cookie_tossing.rb,
lib/rack/protection/escaped_params.rb,
lib/rack/protection/path_traversal.rb,
lib/rack/protection/remote_referrer.rb,
lib/rack/protection/strict_transport.rb,
lib/rack/protection/session_hijacking.rb,
lib/rack/protection/authenticity_token.rb,
lib/rack/protection/content_security_policy.rb

Defined Under Namespace

Classes: AuthenticityToken, Base, ContentSecurityPolicy, CookieTossing, EscapedParams, FormToken, FrameOptions, HttpOrigin, IPSpoofing, JsonCsrf, PathTraversal, RemoteReferrer, RemoteToken, SessionHijacking, StrictTransport, XSSHeader

Constant Summary

VERSION =
'2.0.2'

Class Method Summary

Class Method Details

.new(app, options = {}) ⇒ Object



# File 'lib/rack/protection.rb', line 23

# Assembles the Rack::Protection middleware stack around +app+ and returns
# the resulting Rack application.
#
# Which middlewares end up in the stack is decided purely by +options+:
#
# * +:use+ — names of the opt-in middlewares to enable. AuthenticityToken,
#   CookieTossing, ContentSecurityPolicy, FormToken, RemoteReferrer and
#   StrictTransport are NOT added unless listed here.
# * +:except+ — names of the on-by-default middlewares to leave out.
#   FrameOptions, HttpOrigin, IPSpoofing, JsonCsrf, PathTraversal,
#   RemoteToken, SessionHijacking and XSSHeader are added unless listed here.
# * +:without_session+ — when truthy, SessionHijacking and RemoteToken are
#   treated as if they were in +:except+ (both rely on a session).
#
# Names are compared as Symbols (e.g. +:frame_options+). A String entry is
# simply never matched, so a stringified or misspelt name neither enables
# an opt-in middleware nor removes a default one; the default set stays in
# force. The whole +options+ hash is handed to every middleware that is
# added, so per-middleware settings travel in the same hash.
#
# @param app [#call] the Rack application to wrap (innermost in the stack)
# @param options [Hash] selection options as described above; the same hash
#   is passed through to each middleware constructor
# @return [#call] the assembled Rack application
def self.new(app, options = {})
  skipped = Array options[:except]
  enabled = Array options[:use]

  # The two session-backed checks are dropped together for session-less apps.
  skipped += %i[session_hijacking remote_token] if options.fetch(:without_session, false)

  # Option key => constant name under ::Rack::Protection. Hash order is the
  # order in which the middlewares are added to the stack.
  opt_in = {
    authenticity_token:      :AuthenticityToken,
    cookie_tossing:          :CookieTossing,
    content_security_policy: :ContentSecurityPolicy,
    form_token:              :FormToken,
    remote_referrer:         :RemoteReferrer,
    strict_transport:        :StrictTransport
  }
  on_by_default = {
    frame_options:     :FrameOptions,
    http_origin:       :HttpOrigin,
    ip_spoofing:       :IPSpoofing,
    json_csrf:         :JsonCsrf,
    path_traversal:    :PathTraversal,
    remote_token:      :RemoteToken,
    session_hijacking: :SessionHijacking,
    xss_header:        :XSSHeader
  }

  Rack::Builder.new do
    # const_get is only reached for middlewares that are actually added, so
    # a constant is resolved exactly when a direct reference would have been.
    opt_in.each do |key, name|
      use ::Rack::Protection.const_get(name), options if enabled.include? key
    end
    on_by_default.each do |key, name|
      use ::Rack::Protection.const_get(name), options unless skipped.include? key
    end
    run app
  end.to_app
end