README.md in secure_headers-3.0.3 vs README.md in secure_headers-3.1.0

- old
+ new

@@ -27,11 +27,11 @@ All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely. ```ruby SecureHeaders::Configuration.default do |config| - config.hsts = "max-age=#{20.years.to_i}" + config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload" config.x_frame_options = "DENY" config.x_content_type_options = "nosniff" config.x_xss_protection = "1; mode=block" config.x_download_options = "noopen" config.x_permitted_cross_domain_policies = "none" @@ -55,17 +55,17 @@ form_action: %w('self' github.com), frame_ancestors: %w('none'), plugin_types: %w(application/x-shockwave-flash), block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/) upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/ - report_uri: %w(https://example.com/uri-directive) + report_uri: %w(https://report-uri.io/example-csp) } config.hpkp = { report_only: false, max_age: 60.days.to_i, include_subdomains: true, - report_uri: "https://example.com/uri-directive", + report_uri: "https://report-uri.io/example-hpkp", pins: [ {sha256: "abc"}, {sha256: "123"} ] } 
@@ -173,11 +173,11 @@ When manipulating content security policy, there are a few things to consider. The default header value is `default-src https:` which corresponds to a default configuration of `{ default_src: %w(https:)}`. #### Append to the policy with a directive other than `default_src` -The value of `default_src` is joined with the addition. Note the `https:` is carried over from the `default-src` config. If you do not want this, use `override_content_security_policy_directives` instead. To illustrate: +The value of `default_src` is joined with the addition if the it is a [fetch directive](https://w3c.github.io/webappsec-csp/#directives-fetch). Note the `https:` is carried over from the `default-src` config. If you do not want this, use `override_content_security_policy_directives` instead. To illustrate: ```ruby ::SecureHeaders::Configuration.default do |config| config.csp = { default_src: %w('self') @@ -253,11 +253,11 @@ pins: [ {sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'}, {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'} ], report_only: true, # defaults to false (report-only mode) - report_uri: '//example.com/uri-directive', + report_uri: 'https://report-uri.io/example-hpkp', app_name: 'example', tag_report_uri: true } ``` 
@@ -285,56 +285,21 @@ haml :index end end ``` -### Using with Padrino - -You can use SecureHeaders for Padrino applications as well: - -In your `Gemfile`: - -```ruby - gem "secure_headers", require: 'secure_headers' -``` - -then in your `app.rb` file you can: - -```ruby -Padrino.use(SecureHeaders::Middleware) -require 'secure_headers/padrino' - -module Web - class App < Padrino::Application - register SecureHeaders::Padrino - - get '/' do - render 'index' - end - end -end -``` - -and in `config/boot.rb`: - -```ruby -def before_load - SecureHeaders::Configuration.default do |config| - ... - end -end -``` - ## Similar libraries * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers) * Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood) * Node.js (hapi) [blankie](https://github.com/nlf/blankie) * J2EE Servlet >= 3.0 [headlines](https://github.com/sourceclear/headlines) * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki) * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security) * Go - [secureheader](https://github.com/kr/secureheader) * Elixir [secure_headers](https://github.com/anotherhale/secure_headers) +* Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security) +* Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/) ## License Copyright 2013-2014 Twitter, Inc and other contributors.
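Review bot: The first hunk (`@@ -27,11 +27,11 @@`) changes the documented default `config.hsts` to `"max-age=#{20.years.to_i}; includeSubdomains; preload"` without any accompanying text warning about what those two directives commit a site to. `includeSubdomains` forces HTTPS on every subdomain for the full max-age, so any subdomain that is still HTTP-only breaks for returning visitors, and `preload` signals eligibility for the browser preload list, which is effectively irreversible once submitted. Since this block is presented as the configuration users copy into `SecureHeaders::Configuration.default`, add a one-line note next to it (or keep the bare `max-age` value as the default and show `includeSubdomains; preload` as an opt-in) so readers do not enable both by accident. Minor: RFC 6797 spells the directive `includeSubDomains`; directive names are case-insensitive so the value works as written, but matching the canonical spelling avoids confusion when readers compare against the spec.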
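Review bot: In the second hunk (`@@ -55,17 +55,17 @@`) the `report_uri` values for both `csp` and `hpkp` are switched from the reserved `example.com` placeholder to `https://report-uri.io/example-csp` and `https://report-uri.io/example-hpkp`, a real third-party host. Violation reports carry the URLs of the blocked resource and the document that triggered the report, so a README example that points at an external service should say explicitly that this is an illustrative endpoint and that users must replace it with a collector they control or have deliberately chosen; otherwise a copy-pasted config silently ships report data off-site. Keeping `example.com` (or a clearly marked `https://YOUR-REPORT-COLLECTOR/...` placeholder) would be the safer documentation choice. Unrelated to the change but on the same visible lines: the `pins: [ {sha256: "abc"}, {sha256: "123"} ]` entries are not valid base64-encoded SHA-256 pins, while the later hunk at `@@ -253` shows realistic 64-hex-character values; the two examples should be made consistent so readers do not copy the short placeholders into a live `hpkp` config.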
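Review bot: The added sentence in the third hunk (`@@ -173,11 +173,11 @@`) contains a typo: "joined with the addition if the it is a fetch directive" should read "joined with the addition if it is a fetch directive". Beyond the typo, the new qualification is a genuine behaviour clarification and would benefit from one concrete example of a directive that is not a fetch directive, because the README's own earlier block configures `form_action` and `frame_ancestors`, both of which are navigation directives under CSP3, so `https:` from `default-src` is not carried into them. Stating that explicitly, e.g. "(directives such as `frame_ancestors` and `form_action` are not fetch directives and are not merged with `default_src`)", would let readers predict the resulting header without consulting the linked spec.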
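Review bot: The fourth hunk (`@@ -253,11 +253,11 @@`) replaces the scheme-relative `report_uri: '//example.com/uri-directive'` with `'https://report-uri.io/example-hpkp'`, which is consistent with the second hunk but carries the same concern: the HPKP example now names a live third-party collector with no note that it is illustrative. The change does fix a real problem with the old value, since a scheme-relative report URI can resolve to plain HTTP on an HTTP page and leak the report in cleartext, so the move to an explicit `https://` URI is right; I would just pair it with a placeholder hostname and a sentence telling readers to substitute their own endpoint. While here, the unchanged context line `report_only: true, # defaults to false (report-only mode)` is easy to misread as saying report-only is the default; rewording the comment to `# defaults to false; true sends Public-Key-Pins-Report-Only` would remove the ambiguity.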
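Review bot: The final hunk (`@@ -285,56 +285,21 @@`) deletes the entire "Using with Padrino" section, including the `require 'secure_headers/padrino'` and `register SecureHeaders::Padrino` instructions, with no replacement text and no statement of why. If Padrino support was removed from the gem in 3.1.0 this is a breaking change for existing users and the README (or a linked changelog) should say so and point at the alternative (presumably the plain `SecureHeaders::Middleware` shown in the Sinatra section just above); if the integration still works, dropping the only documentation for it leaves those users guessing. Either way a one-line note is warranted rather than a silent removal. On the additions to "Similar libraries", the two new entries (`Dropwizard`, `Ember.js`) omit the ` - ` separator used by the ASP.NET, Python and Go lines; pick one form for the whole list.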