Module: SecureHeaders::InstanceMethods

Defined in:

lib/secure_headers.rb

Instance Method Summary

• #set_csp_header(req = nil, options = nil) ⇒ Object

  backwards compatibility jank, to be removed in 1.0.

• #set_hsts_header(options = self.class.secure_headers_options[:hsts]) ⇒ Object
• #set_security_headers(options = self.class.secure_headers_options) ⇒ Object

  Re-added for backwards compat.

• #set_x_content_type_options_header(options = self.class.secure_headers_options[:x_content_type_options]) ⇒ Object
• #set_x_frame_options_header(options = self.class.secure_headers_options[:x_frame_options]) ⇒ Object
• #set_x_xss_protection_header(options = self.class.secure_headers_options[:x_xss_protection]) ⇒ Object

Instance Method Details

#set_csp_header(req = nil, options = nil) ⇒ Object

backwards compatibility jank, to be removed in 1.0. Old API required a request object when it didn’t really need to. set_csp_header - uses the request accessor and SecureHeader::Configuration settings set_csp_header(Rack::Request) - uses the parameter and and SecureHeader::Configuration settings set_csp_header(Hash) - uses the request accessor and options from parameters set_csp_header(Rack::Request, Hash)

# File 'lib/secure_headers.rb', line 66

def set_csp_header(req = nil, options=nil)
  # hack to help generating headers statically
  if req.is_a?(Hash)
    options = req
  end

  options = self.class.secure_headers_options[:csp] if options.nil?
  options = self.class.options_for :csp, options

  return if options == false

  csp_header = ContentSecurityPolicy.new(options, :request => request, :controller => self)
  set_header(csp_header)
  if options && options[:experimental] && options[:enforce]
    experimental_header = ContentSecurityPolicy.new(options, :experimental => true, :request => request, :controller => self)
    set_header(experimental_header)
  end
end

#set_hsts_header(options = self.class.secure_headers_options[:hsts]) ⇒ Object

# File 'lib/secure_headers.rb', line 97

def set_hsts_header(options=self.class.secure_headers_options[:hsts])
  return unless request.ssl?
  set_a_header(:hsts, StrictTransportSecurity, options)
end

#set_security_headers(options = self.class.secure_headers_options) ⇒ Object

Re-added for backwards compat.

# File 'lib/secure_headers.rb', line 52

def set_security_headers(options = self.class.secure_headers_options)
  set_csp_header(request, options[:csp])
  set_hsts_header(options[:hsts])
  set_x_frame_options_header(options[:x_frame_options])
  set_x_xss_protection_header(options[:x_xss_protection])
  set_x_content_type_options_header(options[:x_content_type_options])
end

#set_x_content_type_options_header(options = self.class.secure_headers_options[:x_content_type_options]) ⇒ Object

# File 'lib/secure_headers.rb', line 89

def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
  set_a_header(:x_content_type_options, XContentTypeOptions, options)
end

#set_x_frame_options_header(options = self.class.secure_headers_options[:x_frame_options]) ⇒ Object

# File 'lib/secure_headers.rb', line 85

def set_x_frame_options_header(options=self.class.secure_headers_options[:x_frame_options])
  set_a_header(:x_frame_options, XFrameOptions, options)
end

#set_x_xss_protection_header(options = self.class.secure_headers_options[:x_xss_protection]) ⇒ Object

# File 'lib/secure_headers.rb', line 93

def set_x_xss_protection_header(options=self.class.secure_headers_options[:x_xss_protection])
  set_a_header(:x_xss_protection, XXssProtection, options)
end