119 lines
3.4 KiB
Markdown
119 lines
3.4 KiB
Markdown
# Rack::Protection
|
|
|
|
This gem protects against typical web attacks.
|
|
Should work for all Rack apps, including Rails.
|
|
|
|
# Usage
|
|
|
|
Use all protections you probably want to use:
|
|
|
|
``` ruby
|
|
# config.ru
|
|
require 'rack/protection'
|
|
use Rack::Protection
|
|
run MyApp
|
|
```
|
|
|
|
Skip a single protection middleware:
|
|
|
|
``` ruby
|
|
# config.ru
|
|
require 'rack/protection'
|
|
use Rack::Protection, :except => :path_traversal
|
|
run MyApp
|
|
```
|
|
|
|
Use a single protection middleware:
|
|
|
|
``` ruby
|
|
# config.ru
|
|
require 'rack/protection'
|
|
use Rack::Protection::AuthenticityToken
|
|
run MyApp
|
|
```
|
|
|
|
# Prevented Attacks
|
|
|
|
## Cross Site Request Forgery
|
|
|
|
Prevented by:
|
|
|
|
* [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection`)
|
|
* [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection`)
|
|
* [`Rack::Protection::JsonCsrf`][json-csrf]
|
|
* [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection`)
|
|
* [`Rack::Protection::RemoteToken`][remote-token]
|
|
* [`Rack::Protection::HttpOrigin`][http-origin]
|
|
|
|
## Cross Site Scripting
|
|
|
|
Prevented by:
|
|
|
|
* [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection`)
|
|
* [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
|
|
* [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
|
|
|
|
## Clickjacking
|
|
|
|
Prevented by:
|
|
|
|
* [`Rack::Protection::FrameOptions`][frame-options]
|
|
|
|
## Directory Traversal
|
|
|
|
Prevented by:
|
|
|
|
* [`Rack::Protection::PathTraversal`][path-traversal]
|
|
|
|
## Session Hijacking
|
|
|
|
Prevented by:
|
|
|
|
* [`Rack::Protection::SessionHijacking`][session-hijacking]
|
|
|
|
## Cookie Tossing
|
|
|
|
Prevented by:
|
|
* [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
|
|
|
|
## IP Spoofing
|
|
|
|
Prevented by:
|
|
|
|
* [`Rack::Protection::IPSpoofing`][ip-spoofing]
|
|
|
|
## Helps to protect against protocol downgrade attacks and cookie hijacking
|
|
|
|
Prevented by:
|
|
|
|
* [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection`)
|
|
|
|
# Installation
|
|
|
|
gem install rack-protection
|
|
|
|
# Instrumentation
|
|
|
|
Instrumentation is enabled by passing in an instrumenter as an option.
|
|
```
|
|
use Rack::Protection, instrumenter: ActiveSupport::Notifications
|
|
```
|
|
|
|
The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
|
|
|
|
[authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
|
|
[content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
|
|
[cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
|
|
[escaped-params]: http://www.sinatrarb.com/protection/escaped_params
|
|
[form-token]: http://www.sinatrarb.com/protection/form_token
|
|
[frame-options]: http://www.sinatrarb.com/protection/frame_options
|
|
[http-origin]: http://www.sinatrarb.com/protection/http_origin
|
|
[ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
|
|
[json-csrf]: http://www.sinatrarb.com/protection/json_csrf
|
|
[path-traversal]: http://www.sinatrarb.com/protection/path_traversal
|
|
[remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
|
|
[remote-token]: http://www.sinatrarb.com/protection/remote_token
|
|
[session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
|
|
[strict-transport]: http://www.sinatrarb.com/protection/strict_transport
|
|
[xss-header]: http://www.sinatrarb.com/protection/xss_header
|