# Rack::Protection
[![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)
This gem protects against typical web attacks.
Should work for all Rack apps, including Rails.
# Usage
Use all protections you probably want to use:
```ruby
# config.ru
require 'rack/protection'
use Rack::Protection

run MyApp
```
Skip a single protection middleware:
```ruby
# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp
```
Use a single protection middleware:
```ruby
# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
```
# Prevented Attacks
## Cross Site Request Forgery
Prevented by:
* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
* `Rack::Protection::JsonCsrf`
* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
* `Rack::Protection::RemoteToken`
* `Rack::Protection::HttpOrigin`
## Cross Site Scripting
Prevented by:
* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
* `Rack::Protection::XSSHeader` (Internet Explorer only)
* `Rack::Protection::ContentSecurityPolicy`
## Clickjacking
Prevented by:
* `Rack::Protection::FrameOptions`
## Directory Traversal
Prevented by:
* `Rack::Protection::PathTraversal`
## Session Hijacking
Prevented by:
* `Rack::Protection::SessionHijacking`
## IP Spoofing
Prevented by:
* `Rack::Protection::IPSpoofing`
# Installation
```
gem install rack-protection
```
# Instrumentation
Instrumentation is enabled by passing in an instrumenter as an option.
```ruby
use Rack::Protection, instrumenter: ActiveSupport::Notifications
```
The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
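A custom instrumenter, added here as an example and not part of rack-protection, that turns the hook described above into structured log lines and per-type counters. It assumes only the contract stated in this README: the object receives `instrument(namespace, env)` with namespace `'rack.protection'` and the attack type under `env['rack.protection.attack']` (the same method name `ActiveSupport::Notifications` exposes); the env hash and the attack value `'remotetoken'` below are constructed sample data.

```ruby
require 'json'
require 'stringio'

# Drop-in instrumenter: use Rack::Protection, instrumenter: AttackLogger.new
# Records every blocked request as one JSON line and keeps counts per attack type,
# so blocked CSRF / traversal / spoofing attempts show up in logs and metrics
# instead of silently becoming 403s.
class AttackLogger
  attr_reader :events

  def initialize(io = $stdout)
    @io = io
    @events = []            # in-memory copy of emitted events (useful for tests)
    @counts = Hash.new(0)   # attack type => number of blocked requests
  end

  # Same signature as ActiveSupport::Notifications.instrument(name, payload).
  # Only the 'rack.protection' namespace is handled; anything else is ignored.
  def instrument(namespace, env)
    return unless namespace == 'rack.protection'
    event = {
      'attack'   => env['rack.protection.attack'],
      'method'   => env['REQUEST_METHOD'],
      'path'     => env['PATH_INFO'],
      'remote'   => env['REMOTE_ADDR'],
      'referrer' => env['HTTP_REFERER']
    }
    @events << event
    @counts[event['attack']] += 1
    @io.puts(JSON.generate(event))
    event
  end

  def count(attack_type)
    @counts[attack_type]
  end
end

# Constructed env hash standing in for what the middleware passes when a
# cross-site POST is rejected (attack value is an assumed sample, not from the README).
SAMPLE_ENV = {
  'REQUEST_METHOD'         => 'POST',
  'PATH_INFO'              => '/account/email',
  'REMOTE_ADDR'            => '203.0.113.7',
  'HTTP_REFERER'           => 'http://attacker.example/',
  'rack.protection.attack' => 'remotetoken'
}.freeze
```

In `config.ru`, `use Rack::Protection, instrumenter: AttackLogger.new` routes every blocked request through this hook; feeding the logger's output to your log pipeline gives a detection signal without changing the middleware's blocking behaviour.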