README.md in secure_headers-0.3.0 vs README.md in secure_headers-0.4.0
- old
+ new
@@ -35,17 +35,29 @@
- `ensure_security_headers`: will set security-related headers automatically based on the configuration below.
By default, it will set all of the headers listed in the options section below unless specified.
+### Disabling
+
+Use the standard `skip_before_filter :filter_name, options` mechanism. e.g. `skip_before_filter :set_csp_header, :only => :tinymce_page`
+
+The following methods are going to be called, unles they are provided in a `skip_before_filter` block.
+
+* `:set_csp_header`
+* `:set_hsts_header`
+* `:set_x_frame_options_header`
+* `:set_x_xss_protection_header`
+* `:set_x_content_type_options_header`
+
### Automagic
This gem makes a few assumptions about how you will use some features. For example:
* It adds 'chrome-extension:' to your CSP directives by default. This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
* It fills any blank directives with the value in :default_src Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
-* It copies the connect\-src value to xhr\-src for AJAX requests.
+* It copies the connect\-src value to xhr\-src for AJAX requests when using Firefox.
* Firefox does not support cross\-origin CSP reports. If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`). This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :forward_endpoint without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
## Configuration
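Review bot: typo in the added sentence, "unles" should be "unless". The `skip_before_filter :set_csp_header, :only => :tinymce_page` example also leaves that action with no CSP header at all; the section should say so explicitly so readers treat a skipped filter as a deliberate, per-action loss of that protection rather than a cosmetic tweak.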
@@ -54,11 +66,11 @@
```ruby
::SecureHeaders::Configuration.configure do |config|
config.hsts = {:max_age => 99, :include_subdomains => true}
config.x_frame_options = 'DENY'
config.x_content_type_options = "nosniff"
- config.x_xss_protection = {:value => '1', :mode => false}
+ config.x_xss_protection = {:value => 1, :mode => false}
config.csp = {
:default_src => "https://* inline eval",
:report_uri => '//example.com/uri-directive',
:img_src => "https://* data:",
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
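Review bot: changing `:value => '1'` to `:value => 1` alters the documented type of the option without saying whether the string form shown in 0.3.0 is still accepted; add a sentence on backward compatibility. The example also mixes two shapes for header options, `config.x_frame_options = 'DENY'` here versus `:x_frame_options => {:value => 'SAMEORIGIN'}` in the "Widely supported" section; state which forms are valid.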
@@ -89,11 +101,11 @@
### Widely supported
```ruby
:hsts => {:max_age => 631138519, :include_subdomain => true}
:x_frame_options => {:value => 'SAMEORIGIN'}
-:x_xss_protection => {:value => '1', :mode => false} # set the :mode option to 'block' to enforce the browser's xss filter
+:x_xss_protection => {:value => 1, :mode => false} # set the :mode option to 'block' to enforce the browser's xss filter
```
### Content Security Policy (CSP)
All browsers will receive the webkit csp header except Firefox, which gets its own header.
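Review bot: `:include_subdomain => true` in the hsts line disagrees with `:include_subdomains => true` used in the Configuration example; one of the two is a typo, and a misspelt key would silently leave the includeSubDomains directive off the Strict-Transport-Security header. The `:mode` comment says 'block' enforces the filter but does not say what the documented default `false` emits; one clause would settle it.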
@@ -233,11 +245,11 @@
::SecureHeaders::Configuration.configure do |config|
config.hsts = {:max_age => 99, :include_subdomains => true}
config.x_frame_options = 'DENY'
config.x_content_type_options = "nosniff"
- config.x_xss_protection = {:value => '1', :mode => false}
+ config.x_xss_protection = {:value => 1, :mode => false}
config.csp = {
:default_src => "https://* inline eval",
:report_uri => '//example.com/uri-directive',
:img_src => "https://* data:",
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
@@ -247,11 +259,11 @@
class Donkey < Sinatra::Application
include SecureHeaders
set :root, APP_ROOT
get '/' do
- set_csp_header(request, nil)
+ set_csp_header
haml :index
end
end
```
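Review bot: dropping the `(request, nil)` arguments is a breaking change to the public helper for anyone on 0.3.0; the README should flag the migration and say where the zero-argument `set_csp_header` now obtains the request, since the Firefox handling described under Automagic depends on inspecting it. The Sinatra example also configures hsts, x_frame_options and x_content_type_options, yet the route calls only `set_csp_header`; state whether those headers are still emitted or whether `set_hsts_header` and the other `set_*_header` methods must be called explicitly.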
@@ -284,10 +296,10 @@
:frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
}
end
get '/' do
- set_csp_header(request, nil)
+ set_csp_header
render 'index'
end
end
end
```
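Review bot: same signature change as the Sinatra hunk, and the same gap: the configuration above sets several headers but the route calls only `set_csp_header`, so either show the remaining `set_*_header` calls or say they are unnecessary here. A one-line note on what the argument-less form requires to be in scope would spare readers a guess.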