
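module Pah
  module Templates
    # Template step that writes a SecureHeaders initializer into the new
    # application and commits it.
    #
    # The heredoc is an interpolating one (`<<-`), so `#{20.years.to_i}` is
    # evaluated while the template runs (ActiveSupport's Integer#years must be
    # loaded) and the generated file carries the literal number of seconds.
    # Anything that must be evaluated by the generated app itself, not by the
    # generator, has to be escaped as `\#{...}` or it is frozen at generation
    # time (and raises NameError if the constant is not loaded here).
    #
    # Policy notes for whoever tunes the generated file: `'unsafe-inline'` in
    # script_src means CSP gives little protection against injected inline
    # scripts until inline scripts are removed; `default_src: *` is a
    # permissive starting point; `report_only: Rails.env.production?` makes the
    # policy enforced outside production and report-only in production.
    class SecureHeader < Pah::Template
      # Creates config/initializers/secure_headers.rb, stages it and commits it.
      #
      # @return [void]
      def call
        create_file 'config/initializers/secure_headers.rb' do
          <<-EOF
::SecureHeaders::Configuration.configure do |config|
  config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
  config.x_frame_options = 'DENY'
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
  config.csp = {
    report_only: Rails.env.production?, # for the Content-Security-Policy-Report-Only header
    preserve_schemes: false, # default: false.

    default_src: %w(*), # all allowed in the beginning
    script_src: %w('self' 'unsafe-inline'), # scripts from the same origin; 'unsafe-inline' also permits inline scripts, which weakens CSP's XSS protection (remove once inline scripts are gone)
    connect_src: %w('self'), # Ajax may connect only to the same origin
    style_src: %w('self' 'unsafe-inline'), # styles from the same origin and inline/style attributes (for now)
    # report_uri: ["/csp_report?report_only=\#{Rails.env.production?}"] # violation reports will be sent here
  }
end
EOF
        end
        git add: 'config/initializers/secure_headers.rb'
        git_commit 'Add secure headers.'
      end
    end
  end
end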


Version Path
pah-0.0.28 lib/pah/templates/secure_headers.rb