Module: Rack::Protection
- Defined in:
- lib/rack/protection.rb,
lib/rack/protection/base.rb,
lib/rack/protection/version.rb,
lib/rack/protection/json_csrf.rb,
lib/rack/protection/form_token.rb,
lib/rack/protection/xss_header.rb,
lib/rack/protection/http_origin.rb,
lib/rack/protection/ip_spoofing.rb,
lib/rack/protection/remote_token.rb,
lib/rack/protection/frame_options.rb,
lib/rack/protection/cookie_tossing.rb,
lib/rack/protection/escaped_params.rb,
lib/rack/protection/path_traversal.rb,
lib/rack/protection/remote_referrer.rb,
lib/rack/protection/strict_transport.rb,
lib/rack/protection/session_hijacking.rb,
lib/rack/protection/authenticity_token.rb,
lib/rack/protection/content_security_policy.rb
Defined Under Namespace
Classes: AuthenticityToken, Base, ContentSecurityPolicy, CookieTossing, EscapedParams, FormToken, FrameOptions, HttpOrigin, IPSpoofing, JsonCsrf, PathTraversal, RemoteReferrer, RemoteToken, SessionHijacking, StrictTransport, XSSHeader
Constant Summary
- VERSION =
'2.0.2'
Class Method Summary
Class Method Details
.new(app, options = {}) ⇒ Object
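# File 'lib/rack/protection.rb', line 23

# Builds the Rack::Protection middleware stack around +app+.
#
# The protections fall into two groups: those that are on by default and can
# be switched off through +:except+, and those that are off by default and
# must be switched on through +:use+. Only the on-by-default group is active
# when +options+ is empty. The same +options+ hash is handed to every
# middleware that ends up in the stack.
#
# @param app [#call] the Rack application to wrap
# @param options [Hash] passed through to each middleware; the keys below are
#   also read here
# @option options [Symbol, Array<Symbol>] :except protections to drop from the
#   on-by-default group (:frame_options, :http_origin, :ip_spoofing,
#   :json_csrf, :path_traversal, :remote_token, :session_hijacking,
#   :xss_header)
# @option options [Symbol, Array<Symbol>] :use protections to add from the
#   off-by-default group (:authenticity_token, :cookie_tossing,
#   :content_security_policy, :form_token, :remote_referrer,
#   :strict_transport)
# @option options [Boolean] :without_session (false) additionally drop
#   :session_hijacking and :remote_token, the protections that read the
#   session
# @return [Object] the Rack application built by Rack::Builder#to_app
def self.new(app, options = {})
  # Array() accepts nil, a single Symbol or an Array of Symbols.
  except    = Array(options[:except])
  use_these = Array(options[:use])

  # Without a session store there is nothing for these two to check against.
  except += [:session_hijacking, :remote_token] if options.fetch(:without_session, false)

  # The block is instance_eval'd by Rack::Builder; +options+, +except+,
  # +use_these+ and +app+ are captured from this scope. Middleware order is
  # the order of the +use+ calls below.
  Rack::Builder.new do
    # Off by default, enabled via :use
    use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
    use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
    use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
    use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
    use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
    use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport

    # On by default, disabled via :except
    use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
    use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
    use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
    use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
    use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
    use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
    use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
    use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header

    run app
  end.to_app
end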