1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
sinatra/rack-protection
2012-12-10 16:26:11 +01:00
..
lib make session hijacking middleware ignore case, fixes #11 2012-12-10 16:26:11 +01:00
spec make session hijacking middleware ignore case, fixes #11 2012-12-10 16:26:11 +01:00
.gitignore ignore Gemfile.lock 2011-09-30 15:50:51 -05:00
.travis.yml Updated Travis CI configuration 2012-05-12 22:32:40 +07:00
Gemfile upgrade rake 2012-09-05 16:07:28 +02:00
License initial commit 2011-05-23 10:07:54 +02:00
rack-protection.gemspec bump version 2011-12-30 13:08:30 +01:00
Rakefile initial commit 2011-05-23 10:07:54 +02:00
README.md Reflect fix issue #8 by ae9c33001f6ac8e3955a76e0d11c647a3081fc58 into README.md 2012-05-13 22:35:28 +09:00

You should use protection!

This gem protects against typical web attacks. Should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

  • Rack::Protection::AuthenticityToken (not included by use Rack::Protection)
  • Rack::Protection::FormToken (not included by use Rack::Protection)
  • Rack::Protection::JsonCsrf
  • Rack::Protection::RemoteReferrer (not included by use Rack::Protection)
  • Rack::Protection::RemoteToken
  • Rack::Protection::HttpOrigin

Cross Site Scripting

Prevented by:

  • Rack::Protection::EscapedParams (not included by use Rack::Protection)
  • Rack::Protection::XssHeader (Internet Explorer only)

Clickjacking

Prevented by:

  • Rack::Protection::FrameOptions

Directory Traversal

Prevented by:

  • Rack::Protection::PathTraversal

Session Hijacking

Prevented by:

  • Rack::Protection::SessionHijacking

IP Spoofing

Prevented by:

  • Rack::Protection::IPSpoofing

Installation

gem install rack-protection

History

v0.1.0 (2011/06/20)

First public release.

v1.0.0 (2011/09/02)

First stable release.

Changes:

  • Fix bug in JsonCsrf

v1.1.0 (2011/09/03)

Second public release.

Changes:

  • Dependency on escape_utils is now optional