mirror of
https://github.com/sinatra/sinatra
synced 2023-03-27 23:18:01 -04:00
Merge branch 'master' of https://github.com/reevoo/rack-protection into reevoo-master
This commit is contained in:
commit
21edcf1b3a
4 changed files with 70 additions and 0 deletions
|
@ -79,6 +79,12 @@ Prevented by:
|
|||
|
||||
* `Rack::Protection::IPSpoofing`
|
||||
|
||||
## Helps to protect against protocol downgrade attacks and cookie hijacking
|
||||
|
||||
Prevented by:
|
||||
|
||||
* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)
|
||||
|
||||
# Installation
|
||||
|
||||
gem install rack-protection
|
||||
|
|
|
@ -16,6 +16,7 @@ module Rack
|
|||
autoload :RemoteReferrer, 'rack/protection/remote_referrer'
|
||||
autoload :RemoteToken, 'rack/protection/remote_token'
|
||||
autoload :SessionHijacking, 'rack/protection/session_hijacking'
|
||||
autoload :StrictTransport, 'rack/protection/strict_transport'
|
||||
autoload :XSSHeader, 'rack/protection/xss_header'
|
||||
|
||||
def self.new(app, options = {})
|
||||
|
@ -26,6 +27,7 @@ module Rack
|
|||
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
||||
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
||||
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
||||
use ::Rack::Protection::StrictTransport, options if use_these.include? :strict_transport
|
||||
use ::Rack::Protection::ContentSecurityPolicy, options unless except.include? :content_security_policy
|
||||
use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options
|
||||
use ::Rack::Protection::HttpOrigin, options unless except.include? :http_origin
|
||||
|
|
37
rack-protection/lib/rack/protection/strict_transport.rb
Normal file
37
rack-protection/lib/rack/protection/strict_transport.rb
Normal file
|
@ -0,0 +1,37 @@
|
|||
require 'rack/protection'
|
||||
|
||||
module Rack
|
||||
module Protection
|
||||
##
|
||||
# Prevented attack:: Protects against against protocol downgrade attacks and cookie hijacking.
|
||||
# Supported browsers:: all
|
||||
# More infos:: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||
#
|
||||
# browser will prevent any communications from being sent over HTTP
|
||||
# to the specified domain and will instead send all communications over HTTPS.
|
||||
# It also prevents HTTPS click through prompts on browsers.
|
||||
#
|
||||
# Options:
|
||||
#
|
||||
# max_age:: How long future requests to the domain should go over HTTPS; specified in seconds
|
||||
# include_subdomains:: If all present and future subdomains will be HTTPS
|
||||
|
||||
class StrictTransport < Base
|
||||
default_options :max_age => 31_536_000, :include_subdomains => false
|
||||
|
||||
def strict_transport
|
||||
@strict_transport ||= begin
|
||||
strict_transport = 'max-age=' + options[:max_age].to_s
|
||||
strict_transport += '; includeSubDomains' if options[:include_subdomains]
|
||||
strict_transport.to_str
|
||||
end
|
||||
end
|
||||
|
||||
def call(env)
|
||||
status, headers, body = @app.call(env)
|
||||
headers['Strict-Transport-Security'] ||= strict_transport
|
||||
[status, headers, body]
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,25 @@
|
|||
describe Rack::Protection::StrictTransport do
|
||||
it_behaves_like "any rack application"
|
||||
|
||||
it 'should set the Strict-Transport-Security header' do
|
||||
expect(get('/', {}, 'wants' => 'text/html').headers["Strict-Transport-Security"]).to eq("max-age=31536000")
|
||||
end
|
||||
|
||||
it 'should allow changing the max-age option' do
|
||||
mock_app do
|
||||
use Rack::Protection::StrictTransport, :max_age => 16_070_400
|
||||
run DummyApp
|
||||
end
|
||||
|
||||
expect(get('/', {}, 'wants' => 'text/html').headers["Strict-Transport-Security"]).to eq("max-age=16070400")
|
||||
end
|
||||
|
||||
it 'should allow switching on the include_subdomains option' do
|
||||
mock_app do
|
||||
use Rack::Protection::StrictTransport, :include_subdomains => true
|
||||
run DummyApp
|
||||
end
|
||||
|
||||
expect(get('/', {}, 'wants' => 'text/html').headers["Strict-Transport-Security"]).to eq("max-age=31536000; includeSubDomains")
|
||||
end
|
||||
end
|
Loading…
Reference in a new issue