2011-05-23 04:07:54 -04:00
|
|
|
You should use protection!
|
|
|
|
|
2011-06-19 09:06:08 -04:00
|
|
|
This gem protects against typical web attacks.
|
|
|
|
Should work for all Rack apps, including Rails.
|
|
|
|
|
2011-05-23 04:07:54 -04:00
|
|
|
# Usage
|
|
|
|
|
2011-06-19 09:06:08 -04:00
|
|
|
Use all protections you probably want to use:
|
|
|
|
|
2011-05-23 04:07:54 -04:00
|
|
|
``` ruby
|
|
|
|
# config.ru
|
|
|
|
require 'rack/protection'
|
|
|
|
use Rack::Protection
|
2011-06-19 09:06:08 -04:00
|
|
|
run MyApp
|
|
|
|
```
|
|
|
|
|
|
|
|
Skip a single protection middleware:
|
|
|
|
|
|
|
|
``` ruby
|
|
|
|
# config.ru
|
|
|
|
require 'rack/protection'
|
|
|
|
use Rack::Protection, :except => :path_traversal
|
|
|
|
run MyApp
|
2011-05-23 04:07:54 -04:00
|
|
|
```
|
|
|
|
|
2011-06-19 09:06:08 -04:00
|
|
|
Use a single protection middleware:
|
|
|
|
|
|
|
|
``` ruby
|
|
|
|
# config.ru
|
|
|
|
require 'rack/protection'
|
|
|
|
use Rack::Protection::AuthenticityToken
|
|
|
|
run MyApp
|
|
|
|
```
|
|
|
|
|
|
|
|
# Prevented Attacks
|
|
|
|
|
|
|
|
## Cross Site Request Forgery
|
|
|
|
|
|
|
|
Prevented by:
|
|
|
|
|
|
|
|
* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
|
|
|
|
* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
|
2011-06-19 09:26:39 -04:00
|
|
|
* `Rack::Protection::JsonCsrf`
|
2011-06-19 09:06:08 -04:00
|
|
|
* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
|
|
|
|
* `Rack::Protection::RemoteToken`
|
2012-01-30 03:57:31 -05:00
|
|
|
* `Rack::Protection::HttpOrigin`
|
2011-06-20 10:25:32 -04:00
|
|
|
|
2011-06-19 09:06:08 -04:00
|
|
|
## Cross Site Scripting
|
|
|
|
|
|
|
|
Prevented by:
|
|
|
|
|
2012-05-13 09:35:28 -04:00
|
|
|
* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
|
2011-06-19 09:06:08 -04:00
|
|
|
* `Rack::Protection::XssHeader` (Internet Explorer only)
|
|
|
|
|
|
|
|
## Clickjacking
|
|
|
|
|
|
|
|
Prevented by:
|
|
|
|
|
|
|
|
* `Rack::Protection::FrameOptions`
|
|
|
|
|
|
|
|
## Directory Traversal
|
|
|
|
|
|
|
|
Prevented by:
|
|
|
|
|
|
|
|
* `Rack::Protection::PathTraversal`
|
|
|
|
|
|
|
|
## Session Hijacking
|
|
|
|
|
|
|
|
Prevented by:
|
|
|
|
|
|
|
|
* `Rack::Protection::SessionHijacking`
|
|
|
|
|
2011-06-20 03:16:03 -04:00
|
|
|
## IP Spoofing
|
|
|
|
|
|
|
|
Prevented by:
|
|
|
|
|
|
|
|
* `Rack::Protection::IPSpoofing`
|
|
|
|
|
2011-05-23 04:07:54 -04:00
|
|
|
# Installation
|
|
|
|
|
|
|
|
gem install rack-protection
|
2011-09-02 15:45:05 -04:00
|
|
|
|
|
|
|
# History
|
|
|
|
|
|
|
|
## v0.1.0 (2011/06/20)
|
|
|
|
|
|
|
|
First public release.
|
|
|
|
|
|
|
|
## v1.0.0 (2011/09/02)
|
|
|
|
|
|
|
|
First stable release.
|
|
|
|
|
|
|
|
Changes:
|
|
|
|
|
|
|
|
* Fix bug in JsonCsrf
|
2011-09-03 13:45:30 -04:00
|
|
|
|
2011-09-04 00:20:04 -04:00
|
|
|
## v1.1.0 (2011/09/03)
|
2011-09-03 13:45:30 -04:00
|
|
|
|
|
|
|
Second public release.
|
|
|
|
|
|
|
|
Changes:
|
|
|
|
|
|
|
|
* Dependency on `escape_utils` is now optional
|