sinatra/rack-protection/README.md

# Rack::Protection

[![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)

This gem protects against typical web attacks.
Should work for all Rack apps, including Rails.

# Usage

Use all protections you probably want to use:

``` ruby
# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp
```

Skip a single protection middleware:

``` ruby
# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp
```

Use a single protection middleware:

``` ruby
# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
```

# Prevented Attacks

## Cross Site Request Forgery

Prevented by:

* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
* `Rack::Protection::JsonCsrf`
* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
* `Rack::Protection::RemoteToken`
* `Rack::Protection::HttpOrigin`

## Cross Site Scripting

Prevented by:

* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
* `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
* `Rack::Protection::ContentSecurityPolicy`

## Clickjacking

Prevented by:

* `Rack::Protection::FrameOptions`

## Directory Traversal

Prevented by:

* `Rack::Protection::PathTraversal`

## Session Hijacking

Prevented by:

* `Rack::Protection::SessionHijacking`

## IP Spoofing

Prevented by:

* `Rack::Protection::IPSpoofing`

## Helps to protect against protocol downgrade attacks and cookie hijacking

Prevented by:

* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)

# Installation

    gem install rack-protection

# Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.
```
use Rack::Protection, instrumenter: ActiveSupport::Notifications
```

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
Add build status image to README 2016-07-25 04:23:53 +00:00			`# Rack::Protection`

			`[![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)`

update readme 2011-06-19 13:06:08 +00:00			`This gem protects against typical web attacks.`
			`Should work for all Rack apps, including Rails.`

initial commit 2011-05-23 08:07:54 +00:00			`# Usage`

update readme 2011-06-19 13:06:08 +00:00			`Use all protections you probably want to use:`

initial commit 2011-05-23 08:07:54 +00:00			``` ruby
			`# config.ru`
			`require 'rack/protection'`
			`use Rack::Protection`
update readme 2011-06-19 13:06:08 +00:00			`run MyApp`
			```

			`Skip a single protection middleware:`

			``` ruby
			`# config.ru`
			`require 'rack/protection'`
			`use Rack::Protection, :except => :path_traversal`
			`run MyApp`
initial commit 2011-05-23 08:07:54 +00:00			```

update readme 2011-06-19 13:06:08 +00:00			`Use a single protection middleware:`

			``` ruby
			`# config.ru`
			`require 'rack/protection'`
			`use Rack::Protection::AuthenticityToken`
			`run MyApp`
			```

			`# Prevented Attacks`

			`## Cross Site Request Forgery`

			`Prevented by:`

			* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
			* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
add JSON CSRF protection 2011-06-19 13:26:39 +00:00			* `Rack::Protection::JsonCsrf`
update readme 2011-06-19 13:06:08 +00:00			* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
			* `Rack::Protection::RemoteToken`
Updated README 2012-01-30 08:57:31 +00:00			* `Rack::Protection::HttpOrigin`
fix markup 2011-06-20 14:25:32 +00:00
update readme 2011-06-19 13:06:08 +00:00			`## Cross Site Scripting`

			`Prevented by:`

Reflect fix issue #8 by ae9c33001f6ac8e3955a76e0d11c647a3081fc58 into README.md 2012-05-13 13:35:28 +00:00			* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
Document Chrome is also supported by XSSHeader [ci skip] Closes #48 2016-07-28 04:36:52 +00:00			* `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
added content security policies 2014-02-21 11:50:44 +00:00			* `Rack::Protection::ContentSecurityPolicy`
update readme 2011-06-19 13:06:08 +00:00
			`## Clickjacking`

			`Prevented by:`

			* `Rack::Protection::FrameOptions`

			`## Directory Traversal`

			`Prevented by:`

			* `Rack::Protection::PathTraversal`

			`## Session Hijacking`

			`Prevented by:`

			* `Rack::Protection::SessionHijacking`

add IP spoofing protection 2011-06-20 07:16:03 +00:00			`## IP Spoofing`

			`Prevented by:`

			* `Rack::Protection::IPSpoofing`

Add Strict Transport Security protection 2016-01-18 11:40:35 +00:00			`## Helps to protect against protocol downgrade attacks and cookie hijacking`

			`Prevented by:`

			* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)

initial commit 2011-05-23 08:07:54 +00:00			`# Installation`

			`gem install rack-protection`
1.0 release 2011-09-02 19:45:05 +00:00
Add instrumentation support 2013-08-21 18:50:51 +00:00			`# Instrumentation`

			`Instrumentation is enabled by passing in an instrumenter as an option.`
			```
			`use Rack::Protection, instrumenter: ActiveSupport::Notifications`
			```

			`The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.`