mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00

History

Samuel Williams 2ccd0dc29d Allow running with Rack 3. (#1811 ) * Allow running with Rack 3. * Pull in `rack-session` gem if needed. * Try again. * Use separate gemfiles for testing. * Better test titles. * Fix dependency on rack-test. * Add rackup gem. * Fix server registration. * Update rack version constraints Co-authored-by: Jordan Owens <jkowens@gmail.com>		2022-12-23 14:58:28 -05:00
..
lib	3.0.5 release	2022-12-16 18:13:16 -05:00
spec	Setup Rubocop (#1537 )	2022-07-31 08:56:44 -04:00
.gitignore	[issue-1275] add rake task to generate docs, similar to sinatra-contrib	2017-04-09 12:30:24 +05:30
.rspec	Restore RSpec init default files	2014-09-03 19:25:20 +02:00
Gemfile	Allow running with Rack 3. (#1811 )	2022-12-23 14:58:28 -05:00
License	Update LICENSE(s)	2017-03-19 12:05:31 +09:00
rack-protection.gemspec	rack-protection gemspec: Use https URL to homepage	2022-12-22 11:16:59 +01:00
Rakefile	Setup Rubocop (#1537 )	2022-07-31 08:56:44 -04:00
README.md	Change relative URLs to absolute URLS	2017-05-24 09:48:41 +09:00

README.md

Rack::Protection

This gem protects against typical web attacks. Should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

Rack::Protection::AuthenticityToken (not included by use Rack::Protection)
Rack::Protection::FormToken (not included by use Rack::Protection)
Rack::Protection::JsonCsrf
Rack::Protection::RemoteReferrer (not included by use Rack::Protection)
Rack::Protection::RemoteToken
Rack::Protection::HttpOrigin

Cross Site Scripting

Prevented by:

Rack::Protection::EscapedParams (not included by use Rack::Protection)
Rack::Protection::XSSHeader (Internet Explorer and Chrome only)
Rack::Protection::ContentSecurityPolicy

Clickjacking

Prevented by:

Rack::Protection::FrameOptions

Directory Traversal

Prevented by:

Rack::Protection::PathTraversal

Session Hijacking

Prevented by:

Rack::Protection::SessionHijacking

Prevented by:

Rack::Protection::CookieTossing (not included by use Rack::Protection)

IP Spoofing

Prevented by:

Rack::Protection::IPSpoofing

Prevented by:

Rack::Protection::StrictTransport (not included by use Rack::Protection)

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.

use Rack::Protection, instrumenter: ActiveSupport::Notifications

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.

README.md

Rack::Protection

Usage

Prevented Attacks

Cross Site Request Forgery

Cross Site Scripting

Clickjacking

Directory Traversal

Session Hijacking

Cookie Tossing

IP Spoofing

Helps to protect against protocol downgrade attacks and cookie hijacking

Installation

Instrumentation