module Codesake
  module Dawn
    module Kb
      module OwaspRorCheatSheet
        # Knowledge-base check for the "Security Related Headers" item of the
        # OWASP Ruby on Rails Cheat Sheet.
        #
        # It is a pattern-match check (see PatternMatchCheck) registered with
        # +negative_search+ set to true, so the patterns below describe the
        # hardening the check expects to find rather than a weakness; presumably
        # the check reports when none of them appear in the scanned files —
        # confirm against PatternMatchCheck. The +:applies+ / +:glob+ options
        # scope it to Rails applications and to files under a controllers/
        # directory.
        class SecurityRelatedHeaders
          include PatternMatchCheck

          # Builds the check description and hands it to PatternMatchCheck.
          #
          # Takes no arguments; every option is fixed for this check.
          def initialize
            guidance = 'To set a header value, simply access the response.headers object ' \
                       'as a hash inside your controller (often in a before/after_filter). ' \
                       'Rails 4 provides the "default_headers" functionality that will ' \
                       'automatically apply the values supplied. This works for most ' \
                       'headers in almost all cases.'

            # Per-header assignments the check looks for, expressed as regex
            # sources (hence the escaped square brackets).
            header_assignments = {
              'X-Frame-Options' => 'DENY',
              'X-Content-Type-Options' => 'nosniff',
              'X-XSS-Protection' => '1'
            }.map { |header, value| "response.headers\\['#{header}'\\] = '#{value}'" }

            # Rails 4 style: all three headers set at once via default_headers.
            default_headers_assignment =
              "ActionDispatch::Response.default_headers = { 'X-Frame-Options' => 'DENY', 'X-Content-Type-Options' => 'nosniff', 'X-XSS-Protection' => '1;' }"

            super({
              name: 'Owasp Ror CheatSheet: Security Related Headers',
              kind: Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
              applies: ['rails'],
              glob: '**/controllers/*.rb',
              aux_links: ['https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet'],
              message: guidance,
              attack_pattern: header_assignments + [default_headers_assignment],
              negative_search: true
            })
          end
        end
      end
    end
  end
end