1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
sinatra/rack-protection
Jordan Owens c2705ce139
Allow CSP to fallback to default-src (#1490)
* Allow content source to fallback to default-src

Remove defaults for script-src, style-src, connect-src, and img-src
so that they can fallback to default-src. The default for default-src
has been changed from 'none' to 'self'. This seems to be a safe default
especially as browsers implement prefetch-src. If stricter policies are
needed they can be specified when loading this middleware.

* Add support for webrtc-src, navigate-to, and prefetch-src directives
2020-03-13 17:07:34 -04:00
..
lib Allow CSP to fallback to default-src (#1490) 2020-03-13 17:07:34 -04:00
spec Allow CSP to fallback to default-src (#1490) 2020-03-13 17:07:34 -04:00
.gitignore [issue-1275] add rake task to generate docs, similar to sinatra-contrib 2017-04-09 12:30:24 +05:30
.rspec Restore RSpec init default files 2014-09-03 19:25:20 +02:00
Gemfile Fix gem source url 2018-02-23 02:12:20 +09:00
License Update LICENSE(s) 2017-03-19 12:05:31 +09:00
rack-protection.gemspec Add friendlier error message 2018-06-24 12:22:31 -04:00
Rakefile Write readme to includes as well 2017-05-08 08:59:12 +09:00
README.md Change relative URLs to absolute URLS 2017-05-24 09:48:41 +09:00

Rack::Protection

This gem protects against typical web attacks. Should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

Cross Site Scripting

Prevented by:

Clickjacking

Prevented by:

Directory Traversal

Prevented by:

Session Hijacking

Prevented by:

Prevented by:

IP Spoofing

Prevented by:

Prevented by:

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.

use Rack::Protection, instrumenter: ActiveSupport::Notifications

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.