README.md in secure_headers-3.0.0 vs README.md in secure_headers-3.0.1
- old
+ new
@@ -54,10 +54,11 @@
child_src: %w('self'),
form_action: %w('self' github.com),
frame_ancestors: %w('none'),
plugin_types: %w(application/x-shockwave-flash),
block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
+ upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
report_uri: %w(https://example.com/uri-directive)
}
config.hpkp = {
report_only: false,
max_age: 60.days.to_i,
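Review bot: the comment on the new `upgrade_insecure_requests: true` line uses a bare URL while the `block_all_mixed_content` line directly above it uses a Markdown link (`[http://www.w3.org/TR/mixed-content/](...)`); pick one style for the two adjacent "see ..." comments so the rendered README is consistent, e.g. `# see [https://www.w3.org/TR/upgrade-insecure-requests/](https://www.w3.org/TR/upgrade-insecure-requests/)`. Since this introduces a new CSP configuration key into the sample config, a short line explaining what the key emits (the `upgrade-insecure-requests` directive) and the gem version it first appears in would help readers copying this block into an existing 3.0.0 configuration.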
@@ -128,11 +129,11 @@
By default, a noop configuration is provided. No headers will be set when this default override is used.
```ruby
class MyController < ApplicationController
def index
- SecureHeaders::opt_out_of_all_protection(request)
+ SecureHeaders.opt_out_of_all_protection(request)
end
end
```
## Per-action configuration
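Review bot: the change from `SecureHeaders::opt_out_of_all_protection(request)` to `SecureHeaders.opt_out_of_all_protection(request)` is the idiomatic call form for a module method and is correct; while touching this, check that no other code samples in the README still use the `SecureHeaders::method_name` call syntax (the nonce section in this same diff corrects one such occurrence in prose), so every example is consistent.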
@@ -189,11 +190,11 @@
`append_content_security_policy_directives(script_src: %w(mycdn.com))` | `default-src 'self'; script-src 'self' mycdn.com`
`override_content_security_policy_directives(script_src: %w(mycdn.com))` | `default-src 'self'; script-src mycdn.com`
#### Nonce
-script/style-nonce can be used to whitelist inline content. To do this, call the SecureHeaders::content_security_policy_nonce then set the nonce attributes on the various tags.
+script/style-nonce can be used to whitelist inline content. To do this, call the `SecureHeaders.content_security_policy_nonce` then set the nonce attributes on the various tags.
Setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
```erb
<script nonce="<%= content_security_policy_nonce %>">
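Review bot: "call the `SecureHeaders.content_security_policy_nonce`" has a stray "the" before the method name, and the ERB example that follows uses the bare view helper `content_security_policy_nonce` rather than the module-qualified call, so the prose and the sample disagree on which name a template author should use; suggest "call `SecureHeaders.content_security_policy_nonce` (available in views as `content_security_policy_nonce`)". The sentence also introduces both script and style nonces, but only a `<script nonce="...">` tag is shown; a matching `<style nonce="<%= content_security_policy_nonce %>">` line would make the "various tags" wording concrete.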
@@ -278,10 +279,10 @@
class Donkey < Sinatra::Application
set :root, APP_ROOT
get '/' do
- SecureHeaders.override_x_frame_options(SecureHeaders::OPT_OUT)
+ SecureHeaders.override_x_frame_options(request, SecureHeaders::OPT_OUT)
haml :index
end
end
```
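Review bot: adding `request` as the first argument to `override_x_frame_options` brings the Sinatra example in line with `opt_out_of_all_protection(request)` earlier in the README, but nothing in the surrounding text states that rule; since this sample previously omitted the argument, add a sentence in the Sinatra section saying that the per-request override helpers take `request` as their first argument, so readers do not copy the stale form from older documentation.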