require 'rack/protection/version'
require 'rack'
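module Rack
  # Rack::Protection groups a set of middlewares, each addressing one class of
  # web attack (request forgery, clickjacking, IP spoofing, path traversal,
  # session hijacking, ...). Every middleware is autoloaded on first reference,
  # so an application only loads the protections it actually wires in.
  module Protection
    autoload :AuthenticityToken,     'rack/protection/authenticity_token'
    autoload :Base,                  'rack/protection/base'
    autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
    autoload :EscapedParams,         'rack/protection/escaped_params'
    autoload :FormToken,             'rack/protection/form_token'
    autoload :FrameOptions,          'rack/protection/frame_options'
    autoload :HttpOrigin,            'rack/protection/http_origin'
    autoload :IPSpoofing,            'rack/protection/ip_spoofing'
    autoload :JsonCsrf,              'rack/protection/json_csrf'
    autoload :PathTraversal,         'rack/protection/path_traversal'
    autoload :RemoteReferrer,        'rack/protection/remote_referrer'
    autoload :RemoteToken,           'rack/protection/remote_token'
    autoload :SessionHijacking,      'rack/protection/session_hijacking'
    autoload :StrictTransport,       'rack/protection/strict_transport'
    autoload :XSSHeader,             'rack/protection/xss_header'

    # Wraps +app+ in the default protection stack and returns the resulting
    # Rack application.
    #
    # Two groups of middlewares exist:
    #
    # * Opt-in (added only when their snake_case name is listed in
    #   +options[:use]+): RemoteReferrer, AuthenticityToken, FormToken and
    #   StrictTransport. (The previous inline comment listed only the first
    #   three; StrictTransport is opt-in as well.)
    # * Default-on (added unless their snake_case name is listed in
    #   +options[:except]+): ContentSecurityPolicy, FrameOptions, HttpOrigin,
    #   IPSpoofing, JsonCsrf, PathTraversal, RemoteToken, SessionHijacking
    #   and XSSHeader.
    #
    # EscapedParams and Base are never added automatically.
    #
    # @param app [#call] the Rack application to protect
    # @param options [Hash] forwarded unchanged to every middleware that is
    #   added; the keys interpreted here are
    #   +:except+ [Symbol, Array<Symbol>] default-on middlewares to skip,
    #   +:use+ [Symbol, Array<Symbol>] opt-in middlewares to enable, and
    #   +:without_session+ [Boolean] which, when truthy, also skips
    #   SessionHijacking and RemoteToken.
    # @return [#call] the composed Rack application
    def self.new(app, options = {})
      # Array() normalises nil -> [], a single Symbol -> [sym], Array -> itself,
      # so callers may pass either one name or a list.
      except    = Array options[:except]
      use_these = Array options[:use]

      # :without_session removes the two middlewares whose names indicate a
      # dependency on a session store; treating the flag as opt-in keeps the
      # default stack unchanged for apps that do have sessions.
      if options.fetch(:without_session, false)
        except += [:session_hijacking, :remote_token]
      end

      # Rack::Builder evaluates this block with itself as receiver; +options+,
      # +use_these+, +except+ and +app+ are reached as closure locals.
      # Declaration order is the order in which a request passes through.
      Rack::Builder.new do
        # Opt-in protections: present only when requested via :use.
        use ::Rack::Protection::RemoteReferrer,    options if use_these.include? :remote_referrer
        use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
        use ::Rack::Protection::FormToken,         options if use_these.include? :form_token
        use ::Rack::Protection::StrictTransport,   options if use_these.include? :strict_transport

        # Default-on protections: present unless disabled via :except.
        use ::Rack::Protection::ContentSecurityPolicy, options unless except.include? :content_security_policy
        use ::Rack::Protection::FrameOptions,          options unless except.include? :frame_options
        use ::Rack::Protection::HttpOrigin,            options unless except.include? :http_origin
        use ::Rack::Protection::IPSpoofing,            options unless except.include? :ip_spoofing
        use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
        use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
        use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
        use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header

        run app
      end.to_app
    end
  end
end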