lib/aaf/secure_headers.rb in aaf-secure_headers-1.0.0 vs lib/aaf/secure_headers.rb in aaf-secure_headers-1.1.0
- old
+ new
@@ -1,6 +1,7 @@
require 'aaf/secure_headers/version'
+require 'aaf/secure_headers/disable_secure_headers_for_error_pages'
require 'secure_headers'
require 'active_support/core_ext/integer/time'
module AAF
module SecureHeaders
@@ -34,8 +35,39 @@
img_src: ["'self'", 'data:'],
script_src: ["'self'"],
style_src: ["'self'", 'https://fonts.googleapis.com'],
report_uri: []
}
+ end
+
+ class <<self
+ def development_mode!
+ ensure_rails
+ insert_dev_middleware
+ override_dev_configuration
+ end
+
+ private
+
+ def ensure_rails
+ return if const_defined?('Rails')
+
+ raise 'The Rails class is not defined. The `development_mode!` helper '\
+ 'can only be used in a Rails application.'
+ end
+
+ def insert_dev_middleware
+ Rails.application.config.middleware.insert_after(
+ ::SecureHeaders::Middleware,
+ AAF::SecureHeaders::DisableSecureHeadersForErrorPages
+ )
+ end
+
+ def override_dev_configuration
+ ::SecureHeaders::Configuration.override(:default) do |config|
+ config.hsts = nil
+ config.csp[:upgrade_insecure_requests] = false
+ end
+ end
end
end
end
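Review bot: `development_mode!` verifies only that a `Rails` constant exists (`ensure_rails`) before `override_dev_configuration` clears `config.hsts` and sets `config.csp[:upgrade_insecure_requests]` to false on the `:default` policy and `insert_dev_middleware` adds a middleware that disables secure headers for error pages; nothing ties the helper to the development environment its name promises, so a call left in a shared initializer would weaken the policy in every environment. A one-line guard in `ensure_rails` closes that gap: `raise 'development_mode! may only be used in the development environment' unless Rails.env.development?`. The `const_defined?('Rails')` check is evaluated on the `AAF::SecureHeaders` module and appears to reach the top-level constant only through the Object fallback of `Module#const_defined?`; `return if defined?(::Rails)` states the intent more directly. Also worth documenting above `development_mode!` that it mutates the global `:default` configuration rather than the caller's, and that `insert_after` presumably raises if `::SecureHeaders::Middleware` is not already in the stack, so it must run after the secure_headers railtie. The hash closed at the top of this hunk begins outside it.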