rack-secure_headers Build Status

Security related HTTP headers for Rack applications.

Description

Implements OWASP's List of useful HTTP headers.

Installation

Add this line to your application's Gemfile:

gem "rack-secure_headers"

And then execute:

$ bundle

Or install it yourself as:

$ gem install rack-secure_headers

Usage

# config.ru
require "rack/secure_headers"

use(Rack::SecureHeaders, options)

Options

This is a list of the supported options included by default. To disable any default, pass nil (e.g. option: nil).

Option Header Default
:hsts Strict-Transport-Security { max_age: "31536000", include_subdomains: true }
:x_content_type_options X-Content-Type-Options "nosniff"
:x_frame_options X-Frame-Options "SAMEORIGIN"
:x_permited_cross_domain X-Permitted-Cross-Domain-Policies "none"
:x_xss_protection X-XSS-Protection "1; mode=block"

Headers

This is a list of the supported HTTP headers:

  • Strict-Transport-Security:

Ensures the browser never visits the http version of a website. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. Supported options:

  • :max_age: The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. Defaults to 1 year.
  • :includeSubdomains: If this is true, this rule is applied to all of the site's subdomains as well. Defaults to true.
  • :preload: A limitation of HSTS is that the initial request remains unprotected if it uses HTTP. The same applies to the first request after the activity period specified by max-age. Chrome, Firefox and IE11+ implements a "STS preloaded list", which contains known sites supporting HSTS. If you would like your domain to be included in the preloaded list, set this options to true and submit your domain to this form.

    • X-Content-Type-Options:

Prevents IE and Chrome from content type sniffing.

  • X-Frame-Options (XFO):

Provides Clickjacking protection. Supported values:

  • DENY - Prevents any domain from framing the content.
  • SAMEORIGIN - Only allows current site to frame the content.
  • ALLOW-FROM URI - Allows the specified URI to frame the content (only IE8+ and Firefox).

Check the X-Frame-Options draft for more information.

  • X-Permitted-Cross-Domain-Policies:

Restrict Adobe Flash Player's access to data. Check this article for more information.

  • X-XSS-Protection:

Enables the XSS protection filter built into IE, Chrome and Safari. Supported values are 0, which disables the protection, 1 which enables it and 1; mode=block (default) which tells the browser to block the response if it detects an attack. This filter is usually enabled by default, the use of this header is to re-enable it if it was disabled by the user.

Use https://securityheaders.io to asses the security related HTTP headers used by your site.

TODO

  • [ ] HTTP Public Key Pinning (HPKP).
  • [ ] Content Security Policy (CSP).

Contributing

Fork the project with:

$ git clone [email protected]:frodsan/rack-secure_headers.git

To install dependencies, use:

$ bundle install

To run the test suite, do:

$ rake test

For bug reports and pull requests use GitHub.

License

This gem is released under the MIT License.