mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
sinatra/rack-protection
Reenan Arbitrario 99897fa5d1 include application/xml and text/xml content-types to valid html_types for Rack::Protection
create additional unit test

add application/xml content-type
2018-03-30 13:15:20 -07:00
lib include application/xml and text/xml content-types to valid html_types for Rack::Protection 2018-03-30 13:15:20 -07:00
spec include application/xml and text/xml content-types to valid html_types for Rack::Protection 2018-03-30 13:15:20 -07:00
.gitignore
.rspec
Gemfile Fix gem source url 2018-02-23 02:12:20 +09:00
License
rack-protection.gemspec Update RSpec 3 for rack-protection to use latest version. 2017-06-19 12:40:14 +02:00
Rakefile Write readme to includes as well 2017-05-08 08:59:12 +09:00
README.md Change relative URLs to absolute URLS 2017-05-24 09:48:41 +09:00

Rack::Protection

This gem protects against typical web attacks. It should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

Cross Site Scripting

Prevented by:

Clickjacking

Prevented by:

Directory Traversal

Prevented by:

Session Hijacking

Prevented by:

Prevented by:

IP Spoofing

Prevented by:

Prevented by:

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.

use Rack::Protection, instrumenter: ActiveSupport::Notifications

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
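As an added example (not rack-protection's own code), here is a custom instrumenter that turns those notifications into a blocked-request audit log with per-attack and per-client tallies. It assumes, beyond what the README states, that the gem invokes the instrumenter as `instrument('rack.protection', env)` (the same `name, payload` shape as `ActiveSupport::Notifications.instrument`) and that `env['rack.protection.attack']` holds the downcased middleware name such as `pathtraversal`; the sample env hashes, IPs and paths are constructed for the example.

```ruby
# Added example, not rack-protection's own code: a custom instrumenter that
# records each request a Rack::Protection middleware blocks, producing a
# JSON-lines audit log plus per-attack-type and per-client tallies.
#
# Assumptions (not stated on the page): rack-protection calls
#   instrumenter.instrument('rack.protection', env)
# with the same (name, payload) shape as ActiveSupport::Notifications.instrument,
# after setting env['rack.protection.attack'] to the downcased middleware name
# (e.g. 'pathtraversal' for Rack::Protection::PathTraversal).
#
# Wiring in config.ru would be:
#   use Rack::Protection, instrumenter: AttackLog.new

require 'json'
require 'time'
require 'stringio'

class AttackLog
  attr_reader :events

  def initialize(io = $stderr)
    @io = io
    @events = []
  end

  # Entry point rack-protection calls. namespace is the String
  # 'rack.protection'; env is the Rack environment Hash of the blocked request.
  def instrument(namespace, env)
    return unless namespace == 'rack.protection'
    event = {
      'at'     => Time.now.utc.iso8601,
      'attack' => env['rack.protection.attack'],
      'ip'     => env['REMOTE_ADDR'],   # trust X-Forwarded-For only behind a known proxy
      'method' => env['REQUEST_METHOD'],
      'path'   => env['PATH_INFO']
    }
    @events << event
    @io.puts(JSON.generate(event))     # one JSON line per blocked request
    nil
  end

  # Blocked requests per attack type, e.g. {"pathtraversal"=>2, ...}
  def counts_by_attack
    @events.group_by { |e| e['attack'] }.transform_values(&:size)
  end

  # Client IPs with more than `threshold` blocked requests: candidates for an alert.
  def noisy_clients(threshold = 2)
    @events.group_by { |e| e['ip'] }.select { |_, evs| evs.size > threshold }.keys
  end
end

# Constructed sample input: four env hashes shaped the way rack-protection
# would hand them to the instrumenter (Rack CGI keys plus the attack key).
SAMPLE_BLOCKED_REQUESTS = [
  ['pathtraversal',     'GET',  '/files/../../config',     '203.0.113.7'],
  ['pathtraversal',     'GET',  '/files/..%2f..%2fconfig', '203.0.113.7'],
  ['authenticitytoken', 'POST', '/account/delete',         '203.0.113.7'],
  ['ipspoofing',        'GET',  '/',                       '198.51.100.2']
].freeze

def build_sample_log(io = StringIO.new)
  log = AttackLog.new(io)
  SAMPLE_BLOCKED_REQUESTS.each do |attack, verb, path, ip|
    log.instrument('rack.protection',
                   'rack.protection.attack' => attack,
                   'REQUEST_METHOD' => verb,
                   'PATH_INFO' => path,
                   'REMOTE_ADDR' => ip)
  end
  log
end

if __FILE__ == $PROGRAM_NAME
  log = build_sample_log($stdout)
  puts "by attack: #{log.counts_by_attack}"
  puts "noisy clients: #{log.noisy_clients.inspect}"
end
```

Because the instrumenter only needs to respond to `instrument`, the same object can be handed to `use Rack::Protection, instrumenter: ...` in place of `ActiveSupport::Notifications`, and the JSON lines it writes can be shipped to whatever log pipeline the application already uses.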