sinatra/rack-protection
Maurizio De Santis 16636ae9b4 Convert specs to RSpec 2.99.2 syntax with Transpec
This conversion is done by Transpec 2.3.7 with the following command:
    transpec

* 69 conversions
    from: obj.should
      to: expect(obj).to

* 30 conversions
    from: == expected
      to: eq(expected)

* 24 conversions
    from: obj.should_not
      to: expect(obj).not_to

* 3 conversions
    from: it { should ... }
      to: it { is_expected.to ... }

* 2 conversions
    from: be_false
      to: be_falsey

* 1 conversion
    from: be_true
      to: be_truthy

* 1 conversion
    from: obj.should_not_receive(:message)
      to: expect(obj).not_to receive(:message)

* 1 conversion
    from: obj.should_receive(:message)
      to: expect(obj).to receive(:message)

For more details: https://github.com/yujinakayama/transpec#supported-conversions
2014-09-03 01:54:36 +02:00
lib v1.5.3 2014-04-08 10:57:13 -04:00
spec Convert specs to RSpec 2.99.2 syntax with Transpec 2014-09-03 01:54:36 +02:00
.gitignore ignore Gemfile.lock 2011-09-30 15:50:51 -05:00
.travis.yml deal with rbx travis setup later 2014-01-15 10:36:13 +01:00
Gemfile Use magic comment 2013-05-14 21:14:21 -07:00
License initial commit 2011-05-23 10:07:54 +02:00
README.md Add instrumentation support 2013-08-21 15:02:02 -04:00
Rakefile v1.4.0 2013-03-01 15:55:54 +11:00
rack-protection.gemspec v1.5.3 2014-04-08 10:57:13 -04:00

README.md

You should use protection!

This gem protects against typical web attacks. It should work with any Rack app, including Rails.

Usage

Use the default set of protections (the ones most applications want):

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

  • Rack::Protection::AuthenticityToken (not included by use Rack::Protection)
  • Rack::Protection::FormToken (not included by use Rack::Protection)
  • Rack::Protection::JsonCsrf
  • Rack::Protection::RemoteReferrer (not included by use Rack::Protection)
  • Rack::Protection::RemoteToken
  • Rack::Protection::HttpOrigin

Cross Site Scripting

Prevented by:

  • Rack::Protection::EscapedParams (not included by use Rack::Protection)
  • Rack::Protection::XSSHeader (Internet Explorer only)

Clickjacking

Prevented by:

  • Rack::Protection::FrameOptions

Directory Traversal

Prevented by:

  • Rack::Protection::PathTraversal

Session Hijacking

Prevented by:

  • Rack::Protection::SessionHijacking

IP Spoofing

Prevented by:

  • Rack::Protection::IPSpoofing

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.

use Rack::Protection, instrumenter: ActiveSupport::Notifications

The instrumenter receives two arguments: the namespace (a String, always 'rack.protection') and the Rack environment (a Hash). The attack type is available from the environment key 'rack.protection.attack'.
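The middleware stack from the Usage section and the instrumenter interface described here, as an added example that is not rack-protection's own code: a pure-Ruby stand-in that behaves like the Origin-header CSRF check listed under Cross Site Request Forgery, a collecting instrumenter shaped like the one the README describes, and hand-built Rack env hashes, so the whole thing runs without Rack or rack-protection installed (a Rack app is just an object whose call(env) returns [status, headers, body]). The OriginCheck class, the 'httporigin' attack tag it writes, its tolerance of a missing Origin header, and the build_env helper are assumptions made for illustration.

```ruby
# Added example, not code from rack-protection. Everything below is a stand-in
# that mirrors the README's description of the instrumenter contract:
# instrument(namespace_string, env_hash), with env['rack.protection.attack']
# naming the attack type.

# An instrumenter a practitioner might plug in instead of
# ActiveSupport::Notifications. It records one structured event per blocked
# request, in a shape a log shipper or SIEM could ingest.
class AttackLogger
  attr_reader :events

  def initialize
    @events = []
  end

  def instrument(namespace, env)
    @events << {
      namespace: namespace,
      attack:    env['rack.protection.attack'],
      ip:        env['REMOTE_ADDR'],
      method:    env['REQUEST_METHOD'],
      path:      env['PATH_INFO'],
    }
  end
end

# Hypothetical middleware in the style of an Origin-header CSRF check (an
# assumption, not rack-protection's HttpOrigin): state-changing requests must
# carry an Origin that matches the host the request was sent to. A missing
# Origin is tolerated here (assumption) because non-browser clients omit it.
class OriginCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app, options = {})
    @app = app
    @instrumenter = options[:instrumenter]
  end

  def call(env)
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    origin = env['HTTP_ORIGIN']
    return @app.call(env) if origin.nil? || origin == expected_origin(env)

    # Tag the env and notify the instrumenter, then refuse the request.
    env['rack.protection.attack'] = 'httporigin' # assumed tag value
    @instrumenter&.instrument('rack.protection', env)
    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
  end

  private

  def expected_origin(env)
    scheme = env['rack.url_scheme'] || 'http'
    "#{scheme}://#{env['HTTP_HOST']}"
  end
end

# The protected application: the "run MyApp" line of a config.ru.
APP = lambda { |_env| [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Constructed Rack env hashes standing in for real requests (assumption).
def build_env(method, path, host, origin: nil, ip: '203.0.113.7')
  env = {
    'REQUEST_METHOD'  => method,
    'PATH_INFO'       => path,
    'HTTP_HOST'       => host,
    'REMOTE_ADDR'     => ip,
    'rack.url_scheme' => 'https',
  }
  env['HTTP_ORIGIN'] = origin if origin
  env
end

# Build the stack the way "use OriginCheck, instrumenter: logger" would,
# then send a same-origin POST, a cross-origin POST and a cross-origin GET.
def run_demo
  logger = AttackLogger.new
  stack  = OriginCheck.new(APP, instrumenter: logger)

  same  = stack.call(build_env('POST', '/transfer', 'bank.example', origin: 'https://bank.example'))
  cross = stack.call(build_env('POST', '/transfer', 'bank.example', origin: 'https://evil.example'))
  get   = stack.call(build_env('GET',  '/transfer', 'bank.example', origin: 'https://evil.example'))

  { same: same[0], cross: cross[0], get: get[0], events: logger.events }
end

if __FILE__ == $PROGRAM_NAME
  result = run_demo
  puts "same-origin POST: #{result[:same]}, cross-origin POST: #{result[:cross]}, GET: #{result[:get]}"
  result[:events].each { |e| puts e.inspect }
end
```

Only the cross-origin POST is refused, and only that request produces an instrumenter event, which is the point of wiring instrumentation into detection: the events carry the attack tag plus the client IP, method and path, so they can be alerted on or rate-limited per source without parsing application logs.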