lib/pah/templates/secure_headers.rb in pah-0.0.27 vs lib/pah/templates/secure_headers.rb in pah-0.0.28
@@ -1,27 +1,28 @@
module Pah
module Templates
class SecureHeader < Pah::Template
def call
- content = <<EOF
-
- ensure_security_headers # See more: https://github.com/twitter/secureheaders
-EOF
-
- inject_into_file 'app/controllers/application_controller.rb', content, after: 'with: :exception', verbose: false
-
create_file 'config/initializers/secure_headers.rb' do
<<-EOF
::SecureHeaders::Configuration.configure do |config|
- config.hsts = {:max_age => 20.years.to_i, :include_subdomains => true}
+ config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
config.x_frame_options = 'DENY'
config.x_content_type_options = "nosniff"
- config.x_xss_protection = {:value => 1, :mode => 'block'}
- config.csp = false
+ config.x_xss_protection = "1; mode=block"
+ config.csp = {
+ report_only: Rails.env.production?, # for the Content-Security-Policy-Report-Only header
+ preserve_schemes: false, # default: false.
+
+ default_src: %w(*), # all allowed in the beginning
+ script_src: %w('self' 'unsafe-inline'), # scripts only allowed in external files from the same origin
+ connect_src: %w('self'), # Ajax may connect only to the same origin
+ style_src: %w('self' 'unsafe-inline'), # styles only allowed in external files from the same origin and in style attributes (for now)
+ # report_uri: ["/csp_report?report_only=#{Rails.env.production?}"] # violation reports will be sent here
+ }
end
EOF
end
- git add: 'app/controllers/application_controller.rb'
git add: 'config/initializers/secure_headers.rb'
git_commit 'Add secure headers.'
end
end
end
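Review bot: The comment on the new `script_src` line says scripts are only allowed from same-origin external files, but `'unsafe-inline'` in that list permits inline scripts, so the comment misdocuments the generated policy; either drop `'unsafe-inline'` where the app can do without it or change the line to `script_src: %w('self' 'unsafe-inline'), # same-origin scripts plus inline scripts (weakens XSS protection; tighten once inline scripts are gone)`. With `report_only: Rails.env.production?` and `report_uri` left commented out, production only sends a Report-Only header with no endpoint to report to, so the policy is neither enforced nor observed there — state that as deliberate in the comment or uncomment `report_uri` so violations are at least collected. Because the template is an interpolating `<<-EOF` heredoc, `#{20.years.to_i}` (and `#{Rails.env.production?}` inside the commented `report_uri` line) is evaluated when the generator runs rather than when the generated app boots, which bakes the generator's environment into the initializer; writing them as `\#{...}` keeps the runtime evaluation the old `20.years.to_i` form had. The HSTS `preload` token is effectively irreversible once a domain is submitted to the browser preload list and deserves a one-line comment saying so.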