lib/hanami/generators/application/app/config/application.rb.tt in hanami-0.7.3 vs lib/hanami/generators/application/app/config/application.rb.tt in hanami-0.8.0
@@ -60,11 +60,11 @@
#
# Options: :domain - The domain (String - nil by default, not required)
# :path - Restrict cookies to a relative URI (String - nil by default)
# :max_age - Cookies expiration expressed in seconds (Integer - nil by default)
# :secure - Restrict cookies to secure connections
- # (Boolean - Automatically set on true if currenlty using a secure connection)
+ # (Boolean - Automatically set on true if currently using a secure connection)
# See #scheme and #ssl?
# :httponly - Prevent JavaScript access (Boolean - true by default)
#
# cookies true
# or
@@ -162,12 +162,33 @@
# Read more at:
#
# * https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
# * https://www.owasp.org/index.php/Clickjacking
#
- security.x_frame_options "DENY"
+ security.x_frame_options 'DENY'
+ # X-Content-Type-Options prevents browsers from interpreting files as
+ # something else than declared by the content type in the HTTP headers.
+ #
+ # Read more at:
+ #
+ # * https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Content-Type-Options
+ # * https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx
+ # * https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update
+ #
+ security.x_content_type_options 'nosniff'
+
+ # X-XSS-Protection is a HTTP header to determine the behavior of the browser
+ # in case an XSS attack is detected.
+ #
+ # Read more at:
+ #
+ # * https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+ # * https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection
+ #
+ security.x_xss_protection '1; mode=block'
+
# Content-Security-Policy (CSP) is a HTTP header supported by modern browsers.
# It determines trusted sources of execution for dynamic contents
# (JavaScript) or other web related assets: stylesheets, images, fonts,
# plugins, etc.
#
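Review bot: The comment above `security.x_xss_protection '1; mode=block'` should state what the header does and does not cover: it only engages the reflected-XSS auditor built into some browsers, it does nothing for stored or DOM-based XSS, and the Content-Security-Policy configured further down remains the primary control; something like `# NOTE: only honoured by browsers with a built-in XSS auditor; the CSP below is the primary XSS defence` would set expectations. Later browser guidance moved away from that auditor (several engines removed it or recommend disabling it), so the value is also worth a `# revisit when the supported-browser set changes` marker. The `x_content_type_options 'nosniff'` comment could add that the header also makes browsers enforce the declared MIME type on script and stylesheet responses, which is the main reason it is set here.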
@@ -195,11 +216,32 @@
# Content Security Policy usage:
#
# * http://content-security-policy.com/
# * https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy
#
- security.content_security_policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';"
+ # Content Security Policy references:
+ #
+ # * https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
+ #
+ security.content_security_policy %{
+ form-action 'self';
+ referrer origin-when-cross-origin;
+ reflected-xss block;
+ frame-ancestors 'self';
+ base-uri 'self';
+ default-src 'none';
+ script-src 'self';
+ connect-src 'self';
+ img-src 'self';
+ style-src 'self';
+ font-src 'self';
+ object-src 'self';
+ plugin-types application/pdf;
+ child-src 'self';
+ frame-src 'self';
+ media-src 'self'
+ }
##
# FRAMEWORKS
#
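Review bot: The `%{ ... }` literal handed to `security.content_security_policy` carries the template's newlines and indentation into the header value; unless that setter collapses whitespace (not visible in this file), the policy is emitted with embedded line breaks, which HTTP servers reject or truncate, so normalize at the call site by closing the literal with `}.gsub(/\s+/, ' ').strip` (or build the directive list with `%w[]` and `join('; ')`). Separately, `referrer` and `reflected-xss` were draft CSP 1.1 directives that, as far as I recall, did not survive into CSP Level 2 and are ignored by most browsers, so `reflected-xss block` should not be counted on as a replacement for the X-XSS-Protection header set above; `plugin-types` is in a similar position in newer browsers. The removed one-line policy relied on `default-src 'none'` to block plugins, whereas the new `object-src 'self'` plus `plugin-types application/pdf` deliberately widens that, and a one-line comment saying so would stop the next reader from "fixing" it back.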
@@ -226,45 +268,80 @@
# DEVELOPMENT
#
configure :development do
# Don't handle exceptions, render the stack trace
handle_exceptions false
+
+ # Logger
+ # See: http://hanamirb.org/guides/applications/logging
+ #
+ # Logger stream. It defaults to STDOUT.
+ # logger.stream "log/development.log"
+ #
+ # Logger level. It defaults to DEBUG
+ # logger.level :debug
+ #
+ # Logger format. It defaults to DEFAULT
+ # logger.format :default
end
##
# TEST
#
configure :test do
# Don't handle exceptions, render the stack trace
handle_exceptions false
+
+ # Logger
+ # See: http://hanamirb.org/guides/applications/logging
+ #
+ # Logger level. It defaults to ERROR
+ logger.level :error
end
##
# PRODUCTION
#
configure :production do
# scheme 'https'
# host 'example.org'
# port 443
+ # Logger
+ # See: http://hanamirb.org/guides/applications/logging
+ #
+ # Logger stream. It defaults to STDOUT.
+ # logger.stream "log/production.log"
+ #
+ # Logger level. It defaults to INFO
+ logger.level :info
+
+ # Logger format.
+ logger.format :json
+
assets do
# Don't compile static assets in production mode (eg. Sass, ES6)
#
# See: http://www.rubydoc.info/gems/hanami-assets#Configuration
compile false
# Use digest file name for asset paths
#
- # See: http://hanamirb.org/guides/assets/digest
+ # See: http://hanamirb.org/guides/assets/overview
digest true
# Content Delivery Network (CDN)
#
# See: http://hanamirb.org/guides/assets/content-delivery-network
#
# scheme 'https'
# host 'cdn.example.org'
# port 443
+
+ # Subresource Integrity
+ #
+ # See: http://hanamirb.org/guides/assets/subresource-integrity
+ subresource_integrity :sha256
end
end
end
end
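Review bot: `subresource_integrity :sha256` is added directly under the commented-out CDN block, but nothing records that integrity checking of cross-origin assets requires the CDN to serve them with CORS headers (`Access-Control-Allow-Origin`), without which the browser blocks the asset outright; suggest `# NOTE: assets served from a CDN must carry CORS headers, or SRI-checked tags will be blocked` above that line. The commented examples `logger.stream "log/development.log"` and `logger.stream "log/production.log"` use double quotes while the rest of this change switched to single quotes (`'DENY'`, `'nosniff'`); keep them consistent. The production block sets `logger.level :info` and `logger.format :json` without saying what a request line contains; if request parameters are logged at that level, a comment warning that form-submitted credentials would land in the JSON log is worth adding, though this file does not show what the logger emits.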