Sha256: e8571005a2fd18f9d6dd326c950d66c56a605bc4d4ecb06a39cc1f50df4d43a7

Contents?: true

Size: 1.75 KB

Versions: 7

Compression:

Stored size: 1.75 KB

Contents

require 'net/https'
require 'openssl'

class ContentSecurityPolicyController < ActionController::Base
  CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)

  def scribe
    csp = ::SecureHeaders::Configuration.csp || {}

    forward_endpoint = csp[:forward_endpoint]
    if forward_endpoint
      forward_params_to(forward_endpoint)
    end

    head :ok
  rescue StandardError => e
    log_warning(forward_endpoint, e)
    head :bad_request
  end

  private

  def forward_params_to(forward_endpoint)
    uri = URI.parse(forward_endpoint)
    http = Net::HTTP.new(uri.host, uri.port)
    if uri.scheme == 'https'
      use_ssl(http)
    end

    if request.content_type == "application/csp-report"
      request.body.rewind
      params.merge!(ActiveSupport::JSON.decode(request.body.read))
    end

    ua = request.user_agent
    xff = forwarded_for

    request = Net::HTTP::Post.new(uri.to_s)
    request.initialize_http_header({
      'User-Agent' => ua,
      'X-Forwarded-For' => xff,
      'Content-Type' => 'application/json',
    })
    request.body = params.to_json

    # fire and forget
    if defined?(Delayed::Job)
      http.delay.request(request)
    else
      http.request(request)
    end
  end

  def forwarded_for
    req_xff = request.env["HTTP_X_FORWARDED_FOR"]
    if req_xff && req_xff != ""
      "#{req_xff}, #{request.remote_ip}"
    else
      request.remote_ip
    end
  end

  def use_ssl request
    request.use_ssl = true
    request.ca_file = CA_FILE
    request.verify_mode = OpenSSL::SSL::VERIFY_PEER
    request.verify_depth = 9
  end

  def log_warning(forward_endpoint, e)
    if defined?(Rails.logger)
      Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
    end
  end
end

Version data entries

7 entries across 7 versions & 1 rubygems

Version Path
secure_headers-1.3.4 app/controllers/content_security_policy_controller.rb
secure_headers-1.3.3 app/controllers/content_security_policy_controller.rb
secure_headers-1.3.2 app/controllers/content_security_policy_controller.rb
secure_headers-1.3.1 app/controllers/content_security_policy_controller.rb
secure_headers-1.3.0 app/controllers/content_security_policy_controller.rb
secure_headers-1.2.0 app/controllers/content_security_policy_controller.rb
secure_headers-1.1.1 app/controllers/content_security_policy_controller.rb