README.md in secure_headers-1.1.1 vs README.md in secure_headers-1.2.0

- old
+ new

@@ -83,13 +83,14 @@ Or simply add it to application controller ```ruby ensure_security_headers( - :hsts => {:include_subdomains, :x_frame_options => false}, + :hsts => {:include_subdomains => true, :max_age => 20.years.to_i}, :x_frame_options => 'DENY', - :csp => false) + :csp => false +) ``` ## Options for ensure\_security\_headers **To disable any of these headers, supply a value of false (e.g. :hsts => false), supplying nil will set the default value** @@ -115,10 +116,13 @@ See [WebKit specification](http://www.w3.org/TR/CSP/) and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification) ```ruby :csp => { + + # All values can be a String of space-delimited values, an Array of Strings, or procs. + :enforce => false, # sets header to report-only, by default # default_src is required! :default_src => nil, # sets the default-src/allow+options directives # Where reports are sent. Use protocol relative URLs if you are posting to the same domain (TLD+1). Use paths if you are posting to the application serving the header @@ -160,17 +164,10 @@ :img_src => 'https://mycdn.example.com', :http_additions { :img_src => 'http://mycdn.example.com' } } - - # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows - # you to whitelist inline script blocks. For more information, see - # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce - :script_nonce => lambda { @script_nonce = SecureRandom.hex } - # which can be used to whitelist a script block: - # script_tag :nonce = @script_nonce { inline_script_call() } } ``` ### Example CSP header config 
@@ -194,21 +191,27 @@ # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript :csp => { :default_src => 'self', :img_src => '*', + :connect_src => 'none' :object_src => ['media1.com', 'media2.com', '*.cdn.com'], - # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com' - :script_src => 'trustedscripts.example.com' + # alternatively :object_src => 'media1.com media2.com *.cdn.com' + :script_src => 'trustedscripts.example.com', + :report_uri => lambda { + if FeatureToggle.available?(:new_csp_endpoint) + '//example.com/new_csp' + else + '//example.com/old_csp' + end + } } -"default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;" +"default-src 'self'; connect-src 'none'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com; report-uri [one of the two values in the example]" ``` ## Note on Firefox handling of CSP -Currently, Firefox does not support the w3c draft standard. So there are a few steps taken to make the two interchangeable. - * CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint` ### Adding the Firefox report forwarding endpoint **You need to add the following line to the TOP of confib/routes.rb** 
@@ -302,10 +305,10 @@ ## Similar libraries * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood) * J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines) * ASP.NET - [NWebsec](http://nwebsec.codeplex.com/) -* Python - [django-csp](https://github.com/mozilla/django-csp/tree/master/csp) + [commonware](https://github.com/jsocol/commonware/tree/master/commonware/request) +* Python - [django-csp](https://github.com/mozilla/django-csp/) + [commonware](https://github.com/jsocol/commonware/) * Go - [secureheader](https://github.com/kr/secureheader) ## Authors * Neil Matatall [@ndm](https://twitter.com/ndm) - primary author.
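Review bot: in the hunk at `@@ -83,13 +83,14 @@`, the old `:hsts => {:include_subdomains, :x_frame_options => false}` was not valid Ruby (a bare symbol inside a hash literal), so the replacement `:hsts => {:include_subdomains => true, :max_age => 20.years.to_i}` is a genuine fix; the text should add that `20.years` relies on ActiveSupport's duration helpers, and that a twenty-year `max_age` combined with `include_subdomains => true` commits every subdomain to HTTPS for that long once a browser has cached the header, so readers need to confirm that all subdomains serve TLS before copying this line.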
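Review bot: in the hunk at `@@ -115,10 +116,13 @@`, the new line `:enforce => false, # sets header to report-only, by default` is ambiguous about what the default is; state plainly that a false or omitted `:enforce` emits the policy as `Content-Security-Policy-Report-Only`, which browsers never block on, and that `:enforce => true` is required for the policy to take effect, since a reader who copies this block as-is will otherwise believe the policy is live. The stray blank line added directly after `:csp => {` can also be dropped.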
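Review bot: in the hunk at `@@ -160,17 +164,10 @@`, the `:script_nonce` option and its `lambda { @script_nonce = SecureRandom.hex }` example are removed from the README with no replacement or explanation, so a reader upgrading from 1.1.1 who configured `:script_nonce` has no pointer to what happened to it; add a short deprecation line (or a changelog reference) saying whether the option still works in 1.2.0 and how inline script blocks are expected to be allowed now.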
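Review bot: in the hunk at `@@ -194,21 +191,27 @@`, the added line `+ :connect_src => 'none'` has no trailing comma, so the resulting hash `{ ... :connect_src => 'none' :object_src => [...] }` is a Ruby syntax error and the example will not paste into a working config; change it to `:connect_src => 'none',`. Two smaller points in the same hunk: `FeatureToggle.available?(:new_csp_endpoint)` inside the `:report_uri` lambda is an application-specific helper and should be labelled as illustrative, and the unchanged context line still reads `confib/routes.rb` where `config/routes.rb` is meant.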
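Review bot: in the hunk at `@@ -302,10 +305,10 @@`, while the Python links are being corrected to repository roots (`https://github.com/mozilla/django-csp/` and `https://github.com/jsocol/commonware/`), the unchanged context line above still labels `https://github.com/sourceclear/headlines` as `highlines`; the link text and repository name should agree, and that fix belongs in this same documentation pass.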