You should use protection!

This gem protects against typical web attacks. It should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

  • Rack::Protection::AuthenticityToken (not included by use Rack::Protection)
  • Rack::Protection::FormToken (not included by use Rack::Protection)
  • Rack::Protection::JsonCsrf
  • Rack::Protection::RemoteReferrer (not included by use Rack::Protection)
  • Rack::Protection::RemoteToken
  • Rack::Protection::HttpOrigin
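The list above names two families of CSRF defence: checking where the request came from (HttpOrigin, RemoteReferrer) and checking a secret the attacker's page cannot read (AuthenticityToken, FormToken, RemoteToken). The following is an added example, written for this page and not code from the rack-protection gem, of a minimal Rack-style middleware that combines both checks using only Ruby's standard library. The class name, the `csrf` session key, the form field name `authenticity_token` and the sample host `app.example` are this example's own assumptions.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'

# Minimal Rack-style middleware: an Origin check (the idea behind HttpOrigin)
# plus a per-session token check (the idea behind AuthenticityToken).
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    return @app.call(env) if origin_ok?(env) && token_ok?(env)
    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden: CSRF check failed']]
  end

  # A present Origin must match the scheme and host the request was sent to.
  # An absent Origin is let through here; the token check still has to pass.
  def origin_ok?(env)
    origin = env['HTTP_ORIGIN']
    return true if origin.nil? || origin.empty?
    origin == "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}"
  end

  # The token from the form field or the X-CSRF-Token header must equal the
  # one the app stored in the session. The comparison is constant-time.
  def token_ok?(env)
    expected  = (env['rack.session'] || {})['csrf']
    submitted = form_param(env, 'authenticity_token') || env['HTTP_X_CSRF_TOKEN']
    return false if expected.nil? || submitted.nil?
    secure_equal?(expected, submitted)
  end

  private

  # Reads one field from a URL-encoded body and rewinds the input for the app.
  def form_param(env, name)
    input = env['rack.input']
    return nil unless input
    body = input.read
    input.rewind
    URI.decode_www_form(body).to_h[name]
  end

  # XOR every byte pair and OR the results so the loop never exits early.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample app and requests for trying the guard out offline.
APP          = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
GUARD        = CsrfGuard.new(APP)
SAMPLE_TOKEN = SecureRandom.hex(32)   # what the app issued on an earlier GET

def build_env(method, form: '', origin: nil, session_token: SAMPLE_TOKEN)
  env = {
    'REQUEST_METHOD'  => method,
    'rack.url_scheme' => 'https',
    'HTTP_HOST'       => 'app.example',
    'rack.input'      => StringIO.new(form),
    'rack.session'    => { 'csrf' => session_token }
  }
  env['HTTP_ORIGIN'] = origin if origin
  env
end

def status_for(method, **opts)
  GUARD.call(build_env(method, **opts)).first
end

if __FILE__ == $0
  puts status_for('GET')                                                                                 # 200
  puts status_for('POST', form: "authenticity_token=#{SAMPLE_TOKEN}", origin: 'https://app.example')     # 200
  puts status_for('POST', form: "authenticity_token=#{SAMPLE_TOKEN}", origin: 'https://other.example')   # 403
  puts status_for('POST', form: 'authenticity_token=guess')                                              # 403
end
```

Safe methods are passed through untouched because CSRF defences only make sense for state-changing requests; a GET that changes state is a bug the middleware cannot fix. An absent Origin header is tolerated so that clients which do not send one are still protected by the token, which is why both checks are applied rather than either one alone.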

Cross Site Scripting

Prevented by:

  • Rack::Protection::EscapedParams (not included by use Rack::Protection)
  • Rack::Protection::XSSHeader (Internet Explorer only)

Clickjacking

Prevented by:

  • Rack::Protection::FrameOptions

Directory Traversal

Prevented by:

  • Rack::Protection::PathTraversal
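Directory traversal relies on `..` segments, and on percent-encoded or backslash-written variants of them, surviving until a path is handed to the file system. The block below is an added example, not the gem's own code, of the normalisation a path-traversal filter applies to `PATH_INFO` before any file lookup, and of a Rack-style middleware that rewrites the path to the cleaned form so the app downstream never sees a traversal segment. The function and class names are this example's own.

```ruby
# Normalise a request path: decode %2e / %2f / %5c, fold backslashes into
# slashes, then resolve '.' and '..' without ever climbing above the root.
def clean_path(path_info)
  decoded = path_info.gsub(/%2e/i, '.')
                     .gsub(/%2f/i, '/')
                     .gsub(/%5c/i) { '\\' }
                     .tr('\\', '/')
  segments = []
  decoded.split('/').each do |seg|
    case seg
    when '', '.' then next          # '//' or './': nothing to add
    when '..'    then segments.pop  # '../': step back, but never past root
    else              segments << seg
    end
  end
  cleaned = '/' + segments.join('/')
  cleaned << '/' if !segments.empty? && decoded.end_with?('/')
  cleaned
end

# True when the path does not survive normalisation unchanged, i.e. the client
# sent '..', encoded dots or backslashes. A filter can log this, reject the
# request, or simply rewrite the path as the middleware below does.
def traversal_attempt?(path_info)
  clean_path(path_info) != path_info
end

# Rack-style middleware that rewrites PATH_INFO to its cleaned form.
class PathCleaner
  def initialize(app)
    @app = app
  end

  def call(env)
    env['PATH_INFO'] = clean_path(env['PATH_INFO'] || '/')
    @app.call(env)
  end
end

if __FILE__ == $0
  # Constructed sample paths.
  puts clean_path('/../../etc/passwd')                  # /etc/passwd
  puts clean_path('/static/%2e%2e/%2e%2e/config.ru')    # /config.ru
  puts clean_path('/images\\..\\secret')                 # /secret
  puts traversal_attempt?('/assets/app.css')            # false
end
```

Decoding happens before segment resolution on purpose: a check that looks for the literal string `..` first and decodes afterwards is bypassed by `%2e%2e`, which is the classic mistake this ordering avoids.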

Session Hijacking

Prevented by:

  • Rack::Protection::SessionHijacking

IP Spoofing

Prevented by:

  • Rack::Protection::IPSpoofing
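A reverse proxy appends the real client address to `X-Forwarded-For`, but a client is free to send `Client-IP` or `X-Real-IP` headers of its own, and an application that trusts those headers for access decisions or logging can be fed a false address. The block below is an added example, not the gem's own code, of the consistency check an IP-spoofing filter can make between those headers, wrapped in a Rack-style middleware; the class name and the sample addresses (RFC 5737 documentation ranges) are this example's own.

```ruby
# Split the proxy chain into individual addresses.
def forwarded_chain(env)
  (env['HTTP_X_FORWARDED_FOR'] || '').split(/\s*,\s*/).reject(&:empty?)
end

# Single-value client address headers must name an address that also appears
# in the X-Forwarded-For chain; otherwise at least one of them was forged.
def consistent_client_ip?(env)
  chain = forwarded_chain(env)
  return true if chain.empty?           # no proxy chain: nothing to compare
  %w[HTTP_CLIENT_IP HTTP_X_REAL_IP].all? do |header|
    value = env[header]
    value.nil? || chain.include?(value)
  end
end

# Rack-style middleware rejecting requests whose address headers disagree.
class IpSpoofingGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if consistent_client_ip?(env)
    [403, { 'Content-Type' => 'text/plain' },
     ['Forbidden: inconsistent client address headers']]
  end
end

# Constructed sample headers as a Rack env would carry them.
HONEST_HEADERS = { 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.5',
                   'HTTP_CLIENT_IP'       => '203.0.113.9' }
FORGED_HEADERS = { 'HTTP_X_FORWARDED_FOR' => '203.0.113.9',
                   'HTTP_CLIENT_IP'       => '198.51.100.7' }

if __FILE__ == $0
  puts consistent_client_ip?(HONEST_HEADERS)   # true
  puts consistent_client_ip?(FORGED_HEADERS)   # false
end
```

The check is deliberately conservative: it only rejects when the headers contradict each other, because a request with no `X-Forwarded-For` at all may simply not have passed through a proxy.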

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.

use Rack::Protection, instrumenter: ActiveSupport::Notifications

The instrumenter is passed a namespace (String) and an environment (Hash). The namespace is '' and the attack type can be obtained from the environment key ''.
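An instrumenter does not have to be ActiveSupport::Notifications; any object with an `instrument(name, payload)` method of the same shape will do, which makes it a cheap way to feed blocked requests into a metrics or alerting pipeline. The block below is an added example, not the gem's own code, of a small counting instrumenter and of the call the middleware makes when it rejects a request. The class name is this example's own; the environment key name `rack.protection.attack` used below is the one the gem's `Rack::Protection::Base#instrument` sets, taken from my knowledge of the gem's source rather than from this page, which shows the key blank.

```ruby
# Counts blocked requests per namespace and attack type, the way a metrics
# sink would. Same method signature as ActiveSupport::Notifications.instrument.
class AttackCounter
  attr_reader :events

  def initialize
    @events = Hash.new(0)
  end

  def instrument(name, env)
    # Key name assumed from the gem's Base#instrument, not shown on this page.
    attack = env['rack.protection.attack'] || 'unknown'
    @events["#{name}/#{attack}"] += 1
    yield if block_given?   # ActiveSupport passes a block; plain calls do not
  end

  # Attack types sorted by how often they were blocked, for a dashboard line.
  def ranking
    @events.sort_by { |key, count| [-count, key] }
  end
end

# Constructed stand-in for what the middleware does before rejecting a request:
# it tags the env with the attack type and hands env to the instrumenter.
def report_attack(instrumenter, env, attack_type)
  env['rack.protection.attack'] = attack_type
  instrumenter.instrument('rack.protection', env)
end

if __FILE__ == $0
  counter = AttackCounter.new
  report_attack(counter, { 'PATH_INFO' => '/../etc/passwd' }, 'path_traversal')
  report_attack(counter, { 'PATH_INFO' => '/../../etc/shadow' }, 'path_traversal')
  report_attack(counter, { 'REQUEST_METHOD' => 'POST' }, 'http_origin')
  p counter.ranking   # [["rack.protection/path_traversal", 2], ["rack.protection/http_origin", 1]]
end
```

Wiring it in is the one-liner from the README with the custom object in place of ActiveSupport::Notifications: `use Rack::Protection, instrumenter: AttackCounter.new`. Because the full Rack env is handed over, the instrumenter can also pick out `REMOTE_ADDR` or `PATH_INFO` for a log line; the counter above deliberately keeps only the attack type.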
