2016-07-25 00:23:53 -04:00
# Rack::Protection
2011-06-19 09:06:08 -04:00
This gem protects against typical web attacks.
Should work for all Rack apps, including Rails.
2011-05-23 04:07:54 -04:00
# Usage
2011-06-19 09:06:08 -04:00
Use all protections you probably want to use:
2011-05-23 04:07:54 -04:00
``` ruby
# config.ru
require 'rack/protection'
use Rack::Protection
2011-06-19 09:06:08 -04:00
run MyApp
```
Skip a single protection middleware:
``` ruby
# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp
2011-05-23 04:07:54 -04:00
```
2011-06-19 09:06:08 -04:00
Use a single protection middleware:
``` ruby
# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
```
# Prevented Attacks
## Cross Site Request Forgery
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection` )
* [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection` )
* [`Rack::Protection::JsonCsrf`][json-csrf]
* [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection` )
* [`Rack::Protection::RemoteToken`][remote-token]
* [`Rack::Protection::HttpOrigin`][http-origin]
2011-06-20 10:25:32 -04:00
2011-06-19 09:06:08 -04:00
## Cross Site Scripting
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection` )
* [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
* [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
2011-06-19 09:06:08 -04:00
## Clickjacking
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::FrameOptions`][frame-options]
2011-06-19 09:06:08 -04:00
## Directory Traversal
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::PathTraversal`][path-traversal]
2011-06-19 09:06:08 -04:00
## Session Hijacking
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::SessionHijacking`][session-hijacking]
2011-06-19 09:06:08 -04:00
2016-07-30 18:22:59 -04:00
## Cookie Tossing
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection` )
2016-07-30 18:22:59 -04:00
2011-06-20 03:16:03 -04:00
## IP Spoofing
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::IPSpoofing`][ip-spoofing]
2011-06-20 03:16:03 -04:00
2016-01-18 06:40:35 -05:00
## Helps to protect against protocol downgrade attacks and cookie hijacking
Prevented by:
2017-05-15 20:40:26 -04:00
* [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection` )
2016-01-18 06:40:35 -05:00
2011-05-23 04:07:54 -04:00
# Installation
gem install rack-protection
2011-09-02 15:45:05 -04:00
2013-08-21 14:50:51 -04:00
# Instrumentation
Instrumentation is enabled by passing in an instrumenter as an option.
```
use Rack::Protection, instrumenter: ActiveSupport::Notifications
```
The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
2017-05-15 20:40:26 -04:00
2017-05-23 20:48:41 -04:00
[authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
[content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
[cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
[escaped-params]: http://www.sinatrarb.com/protection/escaped_params
[form-token]: http://www.sinatrarb.com/protection/form_token
[frame-options]: http://www.sinatrarb.com/protection/frame_options
[http-origin]: http://www.sinatrarb.com/protection/http_origin
[ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
[json-csrf]: http://www.sinatrarb.com/protection/json_csrf
[path-traversal]: http://www.sinatrarb.com/protection/path_traversal
[remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
[remote-token]: http://www.sinatrarb.com/protection/remote_token
[session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
[strict-transport]: http://www.sinatrarb.com/protection/strict_transport
[xss-header]: http://www.sinatrarb.com/protection/xss_header