
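module SecureHeaders
  # Rack middleware that adds the configured security headers to every
  # response and rewrites Set-Cookie values with the configured cookie flags.
  class Middleware
    # Emitted (via Kernel.warn) when the HPKP report host equals the request host.
    HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"

    # @param app [#call] the downstream Rack application
    def initialize(app)
      @app = app
    end

    # Runs the downstream app, then merges the configured security headers
    # into its response headers and applies the cookie flags.
    #
    # Headers produced by SecureHeaders.header_hash_for take precedence over
    # any same-named header the app set (Hash#merge! overwrites), so the app
    # cannot weaken a configured header by setting it itself.
    #
    # @param env [Hash] the Rack environment
    # @return [Array(Integer, Hash, #each)] the Rack response triple
    def call(env)
      req = Rack::Request.new(env)
      status, headers, response = @app.call(env)

      config = SecureHeaders.config_for(req)
      # See the linked issue for why a same-host report endpoint is unhelpful.
      Kernel.warn(HPKP_SAME_HOST_WARNING) if config.hpkp_report_host == req.host

      flag_cookies!(headers, override_secure(env, config.cookies)) if config.cookies
      headers.merge!(SecureHeaders.header_hash_for(req))
      [status, headers, response]
    end

    private

    # Rewrites every Set-Cookie value through SecureHeaders::Cookie so the
    # configured cookie flags are applied.
    #
    # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
    #
    # @param headers [Hash] response headers, modified in place
    # @param config [Hash] cookie configuration handed to SecureHeaders::Cookie
    # @return [String, nil] the rewritten header value, or nil when no
    #   Set-Cookie header was present
    def flag_cookies!(headers, config)
      # NOTE(review): the lookup is case-sensitive on the literal 'Set-Cookie';
      # a Rack version that presents lower-cased header names would skip the
      # rewrite silently — confirm against the Rack versions in use.
      cookies = headers['Set-Cookie']
      return unless cookies

      # Support Rails 2.3 / Rack 1.1 arrays as headers
      cookies = cookies.split("\n") unless cookies.is_a?(Array)

      flagged = cookies.map { |cookie| SecureHeaders::Cookie.new(cookie, config).to_s }
      headers['Set-Cookie'] = flagged.join("\n")
    end

    # Disables the Secure cookie flag for requests that did not arrive over
    # https (as decided by #scheme).
    #
    # Returns a new Hash instead of mutating +config+: the caller passes the
    # configuration's own cookies hash, and mutating it in place would leave
    # `secure: false` behind for later requests if that hash is shared across
    # requests (TODO confirm whether config_for returns a per-request copy).
    #
    # @param env [Hash] the Rack environment
    # @param config [Hash] cookie configuration
    # @return [Hash] +config+ itself for https requests, otherwise a copy
    #   with +secure: false+
    def override_secure(env, config = {})
      return config if scheme(env) == 'https'

      config.merge(secure: false)
    end

    # Determines the request scheme, honouring TLS-termination markers set by
    # the server or a reverse proxy.
    #
    # derived from https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119
    #
    # Precedence: HTTPS or X-SSL-Request equal to 'on', then the first entry
    # of X-Forwarded-Proto, then rack.url_scheme. The two proxy headers are
    # trusted as-is, so the deployment's proxy must set or overwrite them
    # rather than pass client-supplied values through; otherwise the scheme,
    # and with it the Secure-flag decision in #override_secure, is no longer
    # under the server's control.
    #
    # @param env [Hash] the Rack environment
    # @return [String, nil] 'https', or the scheme reported by the headers/env
    def scheme(env)
      if env['HTTPS'] == 'on' || env['HTTP_X_SSL_REQUEST'] == 'on'
        'https'
      elsif env['HTTP_X_FORWARDED_PROTO']
        # Only the first list entry is considered. Strip optional whitespace
        # so a padded value such as " https" still compares equal to 'https'
        # instead of wrongly dropping the Secure flag.
        env['HTTP_X_FORWARDED_PROTO'].split(',').first.to_s.strip
      else
        env['rack.url_scheme']
      end
    end
  end
end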
