Module: SecureHeaders::InstanceMethods
- Defined in:
- lib/secure_headers.rb
Instance Method Summary
- #prep_script_hash ⇒ Object
- #save_hash_for_later(payload) ⇒ Object
- #set_csp_header(req = nil, config = nil) ⇒ Object
  set_csp_header — uses the request accessor and SecureHeader::Configuration settings; set_csp_header(Rack::Request) — uses the parameter and SecureHeader::Configuration settings; set_csp_header(Hash) — uses the request accessor and options from parameters; set_csp_header(Rack::Request, Hash).
- #set_hpkp_header(options = ) ⇒ Object
- #set_hsts_header(options = ) ⇒ Object
- #set_security_headers(options = self.class.secure_headers_options) ⇒ Object
- #set_x_content_type_options_header(options = ) ⇒ Object
- #set_x_download_options_header(options = ) ⇒ Object
- #set_x_frame_options_header(options = ) ⇒ Object
- #set_x_permitted_cross_domain_policies_header(options = ) ⇒ Object
- #set_x_xss_protection_header(options = ) ⇒ Object
Instance Method Details
#prep_script_hash ⇒ Object
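# File 'lib/secure_headers.rb', line 96
# Copies the configured script hashes and subscribes to the ActionView
# render notifications so every rendered partial/template can record its
# hashes for the CSP header (see #save_hash_for_later). Does nothing when
# no script hashes are configured.
#
# The subscriptions are process-global and close over this controller
# instance; nothing in this method removes them. The subscriber handles are
# therefore kept in @script_hash_subscribers so the caller can hand them to
# ActiveSupport::Notifications.unsubscribe once the action has rendered —
# otherwise each request adds two more subscribers that stay registered (and
# keep their controller alive) for the life of the process.
def prep_script_hash
  return unless ::SecureHeaders::Configuration.script_hashes
  # Already wired up for this instance; subscribing again would only
  # duplicate the notifications.
  return if @script_hash_subscribers

  # Shallow copy: the per-template arrays inside are still the configuration's
  # own objects, so they must not be mutated in place downstream.
  @script_hashes = ::SecureHeaders::Configuration.script_hashes.dup

  events = %w[render_partial.action_view render_template.action_view]
  @script_hash_subscribers = events.map do |event|
    ActiveSupport::Notifications.subscribe(event) do |_name, _start, _finish, _id, payload|
      save_hash_for_later(payload)
    end
  end
end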
#save_hash_for_later(payload) ⇒ Object
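# File 'lib/secure_headers.rb', line 109
# Records the script hashes of the template (and, when present, its layout)
# named in an ActionView render notification payload, accumulating them in
# request.env[HASHES_ENV_KEY] for the CSP header.
#
# @param payload [Hash] notification payload; reads :identifier (the
#   template path, made relative to Rails.root) and :layout (layout name
#   relative to app/views)
def save_hash_for_later(payload)
  template_key = payload[:identifier].gsub(Rails.root.to_s + "/", "")
  # Copy rather than alias: the arrays inside @script_hashes are shared with
  # the global configuration (prep_script_hash only shallow-dups the outer
  # hash), so appending the layout hashes to the looked-up array in place
  # would make them persist — and pile up — across every later request that
  # renders this template.
  matching_hashes = (@script_hashes[template_key] || []).dup

  if payload[:layout]
    # We're assuming an html.erb layout for now. Will need to handle mustache
    # too, just not sure of the best way to do this
    layout_key = File.join("app", "views", payload[:layout]) + ".html.erb"
    layout_hashes = @script_hashes[layout_key]
    matching_hashes << layout_hashes if layout_hashes
  end

  return unless matching_hashes.any?

  request.env[HASHES_ENV_KEY] = ((request.env[HASHES_ENV_KEY] || []) << matching_hashes).flatten
end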
#set_csp_header(req = nil, config = nil) ⇒ Object
set_csp_header — uses the request accessor and SecureHeader::Configuration settings; set_csp_header(Rack::Request) — uses the parameter and SecureHeader::Configuration settings; set_csp_header(Hash) — uses the request accessor and options from parameters; set_csp_header(Rack::Request, Hash).
# File 'lib/secure_headers.rb', line 77
# Builds and sets the Content-Security-Policy header, or hands the work to
# the script-hash middleware when the config asks for it.
#
# The first argument is overloaded: a Hash (or an explicit false) in that
# slot is treated as the config and the request is taken from the `request`
# accessor. Note that even when a Rack::Request is passed, the body below
# only ever reads the `request` accessor; the `req` argument is not used
# beyond the Hash/false check.
#
# NOTE(review): two class-method names were dropped by the page rendering;
# `secure_headers_options` matches the summary on this page and `options_for`
# is the ClassMethods merge helper — confirm both against lib/secure_headers.rb.
#
# @param req [Rack::Request, Hash, false, nil]
# @param config [Hash, false, nil] per-action CSP options; false disables
#   the header for this action
def set_csp_header(req = nil, config = nil)
  case req
  when Hash, false
    config = req
  end

  config = self.class.secure_headers_options[:csp] if config.nil?
  config = self.class.options_for(:csp, config)

  # An explicit false means "no CSP for this action".
  return if config == false

  if config && config[:script_hash_middleware]
    # Header generation is deferred to the middleware, which needs the
    # script hashes collected while the views render.
    ContentSecurityPolicy.add_to_env(request, self, config)
  else
    policy = ContentSecurityPolicy.new(config, request: request, controller: self)
    set_header(policy)
  end
end
#set_hpkp_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 141
# Sets the Public-Key-Pins header, but only on TLS requests — browsers ignore
# pins delivered over plain HTTP. A nil or false resolved config skips the
# header. (HPKP has since been deprecated and removed by major browsers.)
#
# NOTE(review): the class-method names were dropped by the page rendering;
# `secure_headers_options` / `options_for` are reconstructed — confirm against
# lib/secure_headers.rb.
#
# @param options [Hash, false, nil] per-action HPKP options
def set_hpkp_header(options = self.class.secure_headers_options[:hpkp])
  return unless request.ssl?

  config = self.class.options_for(:hpkp, options)
  return if config.nil? || config == false

  set_header(PublicKeyPins.new(config))
end
#set_hsts_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 136
# Sets the Strict-Transport-Security header via #set_a_header, but only on
# TLS requests: an HSTS header received over plain HTTP is ignored by
# browsers, so there is nothing to gain from emitting it.
#
# NOTE(review): `secure_headers_options` was dropped by the page rendering and
# is reconstructed from the summary above — confirm against lib/secure_headers.rb.
#
# @param options [Hash, false, nil] per-action HSTS options
def set_hsts_header(options = self.class.secure_headers_options[:hsts])
  return unless request.ssl?

  set_a_header(:hsts, StrictTransportSecurity, options)
end
#set_security_headers(options = self.class.secure_headers_options) ⇒ Object
# File 'lib/secure_headers.rb', line 62
# Sets every header this module knows about, each from its own key of the
# options hash. CSP is handled first and separately because its setter also
# takes the request.
#
# @param options [Hash] per-header options keyed by header type
def set_security_headers(options = self.class.secure_headers_options)
  set_csp_header(request, options[:csp])

  # Same order as the explicit calls in the original listing; each setter is
  # named set_<type>_header and takes only its slice of the options.
  %i[
    hsts
    hpkp
    x_frame_options
    x_xss_protection
    x_content_type_options
    x_download_options
    x_permitted_cross_domain_policies
  ].each do |type|
    send("set_#{type}_header", options[type])
  end
end
#set_x_content_type_options_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 128
# Sets the X-Content-Type-Options header by delegating to #set_a_header
# with the XContentTypeOptions header class.
#
# NOTE(review): the method name and the `secure_headers_options` default were
# dropped by the page rendering and are reconstructed from the summary above.
#
# @param options [Hash, false, nil] per-action options for this header
def set_x_content_type_options_header(options = self.class.secure_headers_options[:x_content_type_options])
  set_a_header(:x_content_type_options, XContentTypeOptions, options)
end
#set_x_download_options_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 151
# Sets the X-Download-Options header by delegating to #set_a_header with the
# XDownloadOptions header class.
#
# NOTE(review): the method name and the `secure_headers_options` default were
# dropped by the page rendering and are reconstructed from the summary above.
#
# @param options [Hash, false, nil] per-action options for this header
def set_x_download_options_header(options = self.class.secure_headers_options[:x_download_options])
  set_a_header(:x_download_options, XDownloadOptions, options)
end
#set_x_frame_options_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 124
# Sets the X-Frame-Options header by delegating to #set_a_header with the
# XFrameOptions header class.
#
# NOTE(review): the method name and the `secure_headers_options` default were
# dropped by the page rendering and are reconstructed from the summary above.
#
# @param options [Hash, false, nil] per-action options for this header
def set_x_frame_options_header(options = self.class.secure_headers_options[:x_frame_options])
  set_a_header(:x_frame_options, XFrameOptions, options)
end
#set_x_permitted_cross_domain_policies_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 155
# Sets the X-Permitted-Cross-Domain-Policies header by delegating to
# #set_a_header with the XPermittedCrossDomainPolicies header class.
#
# NOTE(review): the `secure_headers_options` default was dropped by the page
# rendering and is reconstructed from the summary above.
#
# @param options [Hash, false, nil] per-action options for this header
def set_x_permitted_cross_domain_policies_header(options = self.class.secure_headers_options[:x_permitted_cross_domain_policies])
  set_a_header(:x_permitted_cross_domain_policies, XPermittedCrossDomainPolicies, options)
end
#set_x_xss_protection_header(options = ) ⇒ Object
# File 'lib/secure_headers.rb', line 132
# Sets the X-XSS-Protection header by delegating to #set_a_header with the
# XXssProtection header class.
#
# NOTE(review): the `secure_headers_options` default was dropped by the page
# rendering and is reconstructed from the summary above.
#
# @param options [Hash, false, nil] per-action options for this header
def set_x_xss_protection_header(options = self.class.secure_headers_options[:x_xss_protection])
  set_a_header(:x_xss_protection, XXssProtection, options)
end