mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
sinatra/rack-protection
Konstantin Haase 48e74cf1fa update readme
2011-06-19 15:06:08 +02:00

You should use protection!

This gem protects against typical web attacks. Should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
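To show how a protection middleware like the ones above sits in a Rack stack, here is an added, self-contained example that is not code from rack-protection: a hypothetical RefererCheck middleware in the spirit of the referrer-based CSRF protections listed below, composed by hand instead of via config.ru so it runs with no gems installed. The class name, the constructed sample app and the example.org host are assumptions for illustration.

```ruby
require 'uri'

# Hypothetical Rack middleware (not part of rack-protection) modelled on the
# referrer-based CSRF checks listed in this README: unsafe requests must carry
# an Origin or Referer header whose host matches the request's own host.
class RefererCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  FORBIDDEN = [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']].freeze

  def initialize(app)
    @app = app
  end

  # Standard Rack entry point: env is the request hash, result is [status, headers, body].
  def call(env)
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    return @app.call(env) if same_origin?(env)
    FORBIDDEN
  end

  private

  # Origin is checked first, then Referer; a missing or unparsable header is
  # treated as cross-site, so the check fails closed.
  def same_origin?(env)
    source = env['HTTP_ORIGIN'] || env['HTTP_REFERER']
    return false if source.nil? || source.empty?
    URI.parse(source).host == request_host(env)
  rescue URI::InvalidURIError
    false
  end

  # Host of the current request without any port suffix.
  def request_host(env)
    (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.sub(/:\d+\z/, '')
  end
end

# Constructed sample app and stack, equivalent to `use RefererCheck; run APP` in config.ru.
APP = lambda { |_env| [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
STACK = RefererCheck.new(APP)

# Builds a minimal Rack env for host example.org and returns the status the stack answers with.
def request_status(method, headers = {})
  env = { 'REQUEST_METHOD' => method, 'HTTP_HOST' => 'example.org', 'PATH_INFO' => '/' }.merge(headers)
  STACK.call(env).first
end

puts request_status('POST', 'HTTP_REFERER' => 'http://example.org/form') # 200
puts request_status('POST', 'HTTP_REFERER' => 'http://other.example/')   # 403
```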

Prevented Attacks

Cross Site Request Forgery

Prevented by:

  • Rack::Protection::AuthenticityToken (not included by use Rack::Protection)
  • Rack::Protection::FormToken (not included by use Rack::Protection)
  • Rack::Protection::NoReferrer (not included by use Rack::Protection)
  • Rack::Protection::RemoteReferrer (not included by use Rack::Protection)
  • Rack::Protection::RemoteToken

Cross Site Scripting

Prevented by:

  • Rack::Protection::EscapedParams
  • Rack::Protection::XssHeader (Internet Explorer only)

Clickjacking

Prevented by:

  • Rack::Protection::FrameOptions

Directory Traversal

Prevented by:

  • Rack::Protection::PathTraversal

Session Hijacking

Prevented by:

  • Rack::Protection::SessionHijacking

Installation

gem install rack-protection

TODO

  • Properly implement FormToken