sinatra/rack-protection

README.md

Rack::Protection

This gem protects against typical web attacks. Should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

  • Rack::Protection::AuthenticityToken (not included by use Rack::Protection)
  • Rack::Protection::FormToken (not included by use Rack::Protection)
  • Rack::Protection::JsonCsrf
  • Rack::Protection::RemoteReferrer (not included by use Rack::Protection)
  • Rack::Protection::RemoteToken
  • Rack::Protection::HttpOrigin

Cross Site Scripting

Prevented by:

  • Rack::Protection::EscapedParams (not included by use Rack::Protection)
  • Rack::Protection::XSSHeader (Internet Explorer and Chrome only)
  • Rack::Protection::ContentSecurityPolicy

Clickjacking

Prevented by:

  • Rack::Protection::FrameOptions

Directory Traversal

Prevented by:

  • Rack::Protection::PathTraversal

Session Hijacking

Prevented by:

  • Rack::Protection::SessionHijacking

Cookie Tossing

Prevented by:

  • Rack::Protection::CookieTossing (not included by use Rack::Protection)

IP Spoofing

Prevented by:

  • Rack::Protection::IPSpoofing

Protocol Downgrade

Prevented by:

  • Rack::Protection::StrictTransport (not included by use Rack::Protection)

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.

use Rack::Protection, instrumenter: ActiveSupport::Notifications

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
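Any object that responds to instrument(namespace, env) can be used as the instrumenter, not only ActiveSupport::Notifications. The following is an added example, not code from rack-protection: a small instrumenter that counts blocked requests per attack type and emits one JSON log line each, exercised against a constructed Rack env (the 'pathtraversal' value is an assumption about what the gem stores under 'rack.protection.attack').

```ruby
require 'json'
require 'stringio'

# Added example (not part of rack-protection). The gem calls
# instrumenter.instrument('rack.protection', env) when a protection rejects
# a request, so this class satisfies that contract without ActiveSupport.
class AttackLogger
  attr_reader :counts, :lines

  def initialize(io = $stderr)
    @io     = io
    @counts = Hash.new(0)   # attack type => number of blocked requests
    @lines  = []            # structured records, e.g. for shipping to a SIEM
  end

  # namespace is the String 'rack.protection'; env is the Rack env Hash.
  def instrument(namespace, env = {})
    return unless namespace == 'rack.protection'
    attack = env['rack.protection.attack'] || 'unknown'
    @counts[attack] += 1
    record = {
      'event'  => namespace,
      'attack' => attack,
      'method' => env['REQUEST_METHOD'],
      'path'   => env['PATH_INFO'],
      'ip'     => env['REMOTE_ADDR'],
      'ua'     => env['HTTP_USER_AGENT']
    }
    @lines << record
    @io.puts(JSON.generate(record))
    record
  end
end

# Constructed env resembling what the middleware hands the instrumenter after
# PathTraversal blocks a request; the attack value is assumed, not taken from
# the gem's source.
SAMPLE_ENV = {
  'REQUEST_METHOD'         => 'GET',
  'PATH_INFO'              => '/public/../../config',
  'REMOTE_ADDR'            => '192.0.2.10',
  'HTTP_USER_AGENT'        => 'constructed-client/1.0',
  'rack.protection.attack' => 'pathtraversal'
}.freeze

# Wiring for a config.ru (needs the rack-protection gem; not run here):
#
#   require 'rack/protection'
#   ATTACK_LOG = AttackLogger.new
#   use Rack::Protection, instrumenter: ATTACK_LOG
#   run MyApp
```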