Sha256: fd38618f8b76e5420e0d7174914463e7d173014c5050674bafc7ae5415bf90bc
Contents?: true
Size: 1.68 KB
Versions: 21
Compression:
Stored size: 1.68 KB
Contents
## Cookies SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.org/html/draft-west-first-party-cookies-07) cookies. These can be defined in the form of a boolean, or as a Hash for more refined configuration. __Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests. #### Defaults By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`. ```ruby config.cookies = { secure: true, # defaults to true but will be a no op on non-HTTPS requests httponly: true, # defaults to true samesite: { # defaults to set `SameSite=Lax` lax: true } } ``` #### Boolean-based configuration Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.* ```ruby config.cookies = { secure: true, # mark all cookies as Secure httponly: OPT_OUT, # do not mark any cookies as HttpOnly } ``` #### Hash-based configuration Hash-based configuration allows for fine-grained control. ```ruby config.cookies = { secure: { except: ['_guest'] }, # mark all but the `_guest` cookie as Secure httponly: { only: ['_rails_session'] }, # only mark the `_rails_session` cookie as HttpOnly } ``` #### SameSite cookie configuration SameSite cookies permit either `Strict` or `Lax` enforcement mode options. ```ruby config.cookies = { samesite: { strict: true # mark all cookies as SameSite=Strict } } ``` `Strict` and `Lax` enforcement modes can also be specified using a Hash. ```ruby config.cookies = { samesite: { strict: { only: ['_rails_session'] }, lax: { only: ['_guest'] } } } ```
Version data entries
21 entries across 21 versions & 1 rubygems
Version | Path |
---|---|
secure_headers-4.0.0.alpha01 | docs/cookies.md |