58 lines
3.3 KiB
Ruby
58 lines
3.3 KiB
Ruby
require 'rack/protection/version'
|
|
require 'rack'
|
|
|
|
module Rack
|
|
module Protection
|
|
autoload :AuthenticityToken, 'rack/protection/authenticity_token'
|
|
autoload :Base, 'rack/protection/base'
|
|
autoload :CookieTossing, 'rack/protection/cookie_tossing'
|
|
autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
|
|
autoload :EscapedParams, 'rack/protection/escaped_params'
|
|
autoload :FormToken, 'rack/protection/form_token'
|
|
autoload :FrameOptions, 'rack/protection/frame_options'
|
|
autoload :HttpOrigin, 'rack/protection/http_origin'
|
|
autoload :IPSpoofing, 'rack/protection/ip_spoofing'
|
|
autoload :JsonCsrf, 'rack/protection/json_csrf'
|
|
autoload :PathTraversal, 'rack/protection/path_traversal'
|
|
autoload :ReferrerPolicy, 'rack/protection/referrer_policy'
|
|
autoload :RemoteReferrer, 'rack/protection/remote_referrer'
|
|
autoload :RemoteToken, 'rack/protection/remote_token'
|
|
autoload :SessionHijacking, 'rack/protection/session_hijacking'
|
|
autoload :StrictTransport, 'rack/protection/strict_transport'
|
|
autoload :XSSHeader, 'rack/protection/xss_header'
|
|
|
|
def self.new(app, options = {})
|
|
# does not include: RemoteReferrer, AuthenticityToken and FormToken
|
|
except = Array options[:except]
|
|
use_these = Array options[:use]
|
|
|
|
if options.fetch(:without_session, false)
|
|
except += [:session_hijacking, :remote_token]
|
|
end
|
|
|
|
Rack::Builder.new do
|
|
# Off by default, unless added
|
|
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
|
use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
|
|
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
|
use ::Rack::Protection::EscapedParams, options if use_these.include? :escaped_params
|
|
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
|
use ::Rack::Protection::ReferrerPolicy, options if use_these.include? :referrer_policy
|
|
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
|
use ::Rack::Protection::StrictTransport, options if use_these.include? :strict_transport
|
|
|
|
# On by default, unless skipped
|
|
use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options
|
|
use ::Rack::Protection::HttpOrigin, options unless except.include? :http_origin
|
|
use ::Rack::Protection::IPSpoofing, options unless except.include? :ip_spoofing
|
|
use ::Rack::Protection::JsonCsrf, options unless except.include? :json_csrf
|
|
use ::Rack::Protection::PathTraversal, options unless except.include? :path_traversal
|
|
use ::Rack::Protection::RemoteToken, options unless except.include? :remote_token
|
|
use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
|
|
use ::Rack::Protection::XSSHeader, options unless except.include? :xss_header
|
|
run app
|
|
end.to_app
|
|
end
|
|
end
|
|
end
|