Module: SecureHeaders::InstanceMethods

Defined in:
lib/secure_headers.rb


Instance Method Details

#prep_script_hash ⇒ Object



# File 'lib/secure_headers.rb', line 96

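# Prepares per-render CSP script-hash collection for this controller instance.
#
# When Configuration.script_hashes is set, takes a (shallow) copy of it into
# @script_hashes and subscribes to the two ActionView render events so that
# every rendered template/partial is passed to #save_hash_for_later.
#
# NOTE(review): every call adds two more subscribers and nothing on this page
# unsubscribes them, so a caller that runs this per request will accumulate
# closures (each holding this controller instance) for the life of the process;
# confirm against the caller.
#
# @return [Array<String>, nil] the list of subscribed event names, or nil when
#   script hashes are not configured
def prep_script_hash
  return unless ::SecureHeaders::Configuration.script_hashes

  @script_hashes = ::SecureHeaders::Configuration.script_hashes.dup

  # Only the payload is needed; the other notification arguments are ignored.
  %w[render_partial.action_view render_template.action_view].each do |event|
    ActiveSupport::Notifications.subscribe(event) do |_name, _start, _finish, _id, payload|
      save_hash_for_later payload
    end
  end
end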

#save_hash_for_later(payload) ⇒ Object



# File 'lib/secure_headers.rb', line 109

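# Records the configured CSP script hashes for the template (and its layout)
# that was just rendered, accumulating them in the request env so the
# response's Content-Security-Policy can allow exactly those inline scripts.
#
# @param payload [Hash] ActionView render notification payload; reads
#   :identifier (absolute template path) and :layout (layout name, may be nil)
# @return [Array, nil] the hashes now stored under HASHES_ENV_KEY, or nil when
#   nothing matched this render
def save_hash_for_later(payload)
  template_key = payload[:identifier].gsub(Rails.root.to_s + "/", "")

  # Copy rather than alias the looked-up array: @script_hashes is only a shallow
  # dup of the shared Configuration, so appending to the stored array in place
  # would grow this template's configured allowlist on every render and let the
  # layout's hashes leak into unrelated responses.
  matching_hashes = Array(@script_hashes[template_key]).dup

  if payload[:layout]
    # We're assuming an html.erb layout for now. Will need to handle mustache too, just not sure of the best way to do this
    layout_key = File.join("app", "views", payload[:layout]) + '.html.erb'
    layout_hashes = @script_hashes[layout_key]
    matching_hashes.concat(Array(layout_hashes)) if layout_hashes
  end

  return unless matching_hashes.any?

  # flatten keeps the original tolerance for nested arrays in configured values.
  request.env[HASHES_ENV_KEY] = ((request.env[HASHES_ENV_KEY] || []) + matching_hashes).flatten
end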

#set_csp_header(req = nil, config = nil) ⇒ Object

set_csp_header - uses the request accessor and SecureHeader::Configuration settings; set_csp_header(Rack::Request) - uses the parameter and SecureHeader::Configuration settings; set_csp_header(Hash) - uses the request accessor and options from parameters; set_csp_header(Rack::Request, Hash)



# File 'lib/secure_headers.rb', line 77

# Builds and emits the Content-Security-Policy header for the current action.
#
# Accepts no arguments, a Rack::Request, a config Hash, or both. A Hash or
# `false` in the first position is treated as the config. A `false` config
# (passed explicitly or coming from the class-level :csp setting) disables
# CSP for this response entirely.
#
# NOTE(review): apart from the type check, `req` is never read — the method
# always uses the `request` accessor, even when a Rack::Request is passed.
#
# @param req [Rack::Request, Hash, false, nil]
# @param config [Hash, false, nil] explicit CSP options; falls back to the
#   class-level :csp configuration when nil
# @return [Object, nil] nil when CSP is disabled; otherwise the result of
#   set_header or of ContentSecurityPolicy.add_to_env
def set_csp_header(req = nil, config = nil)
  # A Hash or false in first position means the caller omitted the request argument.
  config = req if req.is_a?(Hash) || req.is_a?(FalseClass)
  config = self.class.secure_headers_options[:csp] if config.nil?
  resolved = self.class.options_for(:csp, config)

  return if resolved == false

  if resolved && resolved[:script_hash_middleware]
    # Hand the policy to the request env so the script-hash middleware can emit it.
    ContentSecurityPolicy.add_to_env(request, self, resolved)
  else
    set_header(ContentSecurityPolicy.new(resolved, request: request, controller: self))
  end
end

#set_hpkp_header(options = ) ⇒ Object



# File 'lib/secure_headers.rb', line 141

# Emits the Public-Key-Pins header, but only on TLS requests and only when
# HPKP is configured (neither nil nor false after class-level option merging).
#
# @param options [Hash, false, nil] HPKP settings; defaults to the class-level
#   :hpkp configuration
# @return [Object, nil] nil when skipped, otherwise the result of set_header
def set_hpkp_header(options = self.class.secure_headers_options[:hpkp])
  return unless request.ssl?

  pin_config = self.class.options_for(:hpkp, options)
  return if pin_config.nil? || pin_config == false

  set_header(PublicKeyPins.new(pin_config))
end

#set_hsts_header(options = ) ⇒ Object



# File 'lib/secure_headers.rb', line 136

# Emits the Strict-Transport-Security header, but only on TLS requests;
# plain-HTTP requests are skipped without touching the response.
#
# @param options [Hash, false, nil] HSTS settings; defaults to the class-level
#   :hsts configuration
# @return [Object, nil] nil when skipped, otherwise the result of set_a_header
def set_hsts_header(options = self.class.secure_headers_options[:hsts])
  return unless request.ssl?

  set_a_header(:hsts, StrictTransportSecurity, options)
end

#set_security_headers(options = self.class.secure_headers_options) ⇒ Object



# File 'lib/secure_headers.rb', line 62

# Applies every header this module manages to the current response, in a
# fixed order (CSP first, then the remaining setters).
#
# @param options [Hash] per-header configuration keyed by header symbol; each
#   entry is handed unchanged to the matching set_<key>_header method
# @return [Object] whatever the last setter invoked returns
def set_security_headers(options = self.class.secure_headers_options)
  # CSP is the only setter that also receives the request explicitly.
  set_csp_header(request, options[:csp])

  # The rest share the signature set_<key>_header(options[key]).
  remaining = %i[
    hsts
    hpkp
    x_frame_options
    x_xss_protection
    x_content_type_options
    x_download_options
    x_permitted_cross_domain_policies
  ]
  # inject (rather than each) so the method returns the last setter's result.
  remaining.inject(nil) { |_last, key| send(:"set_#{key}_header", options[key]) }
end

#set_x_content_type_options_header(options = ) ⇒ Object



# File 'lib/secure_headers.rb', line 128

# Emits the X-Content-Type-Options header via the generic per-header setter.
#
# @param options [Hash, false, nil] override for this call; defaults to the
#   class-level :x_content_type_options configuration
# @return [Object] the result of set_a_header
def set_x_content_type_options_header(options = self.class.secure_headers_options[:x_content_type_options])
  set_a_header(:x_content_type_options, XContentTypeOptions, options)
end

#set_x_download_options_header(options = ) ⇒ Object



# File 'lib/secure_headers.rb', line 151

# Emits the X-Download-Options header via the generic per-header setter.
#
# @param options [Hash, false, nil] override for this call; defaults to the
#   class-level :x_download_options configuration
# @return [Object] the result of set_a_header
def set_x_download_options_header(options = self.class.secure_headers_options[:x_download_options])
  set_a_header(:x_download_options, XDownloadOptions, options)
end

#set_x_frame_options_header(options = ) ⇒ Object



# File 'lib/secure_headers.rb', line 124

# Emits the X-Frame-Options header via the generic per-header setter.
#
# @param options [Hash, false, nil] override for this call; defaults to the
#   class-level :x_frame_options configuration
# @return [Object] the result of set_a_header
def set_x_frame_options_header(options = self.class.secure_headers_options[:x_frame_options])
  set_a_header(:x_frame_options, XFrameOptions, options)
end

#set_x_permitted_cross_domain_policies_header(options = ) ⇒ Object



# File 'lib/secure_headers.rb', line 155

# Emits the X-Permitted-Cross-Domain-Policies header via the generic per-header setter.
#
# @param options [Hash, false, nil] override for this call; defaults to the
#   class-level :x_permitted_cross_domain_policies configuration
# @return [Object] the result of set_a_header
def set_x_permitted_cross_domain_policies_header(options = self.class.secure_headers_options[:x_permitted_cross_domain_policies])
  set_a_header(:x_permitted_cross_domain_policies, XPermittedCrossDomainPolicies, options)
end

#set_x_xss_protection_header(options = ) ⇒ Object



# File 'lib/secure_headers.rb', line 132

# Emits the X-XSS-Protection header via the generic per-header setter.
#
# @param options [Hash, false, nil] override for this call; defaults to the
#   class-level :x_xss_protection configuration
# @return [Object] the result of set_a_header
def set_x_xss_protection_header(options = self.class.secure_headers_options[:x_xss_protection])
  set_a_header(:x_xss_protection, XXssProtection, options)
end