
New API Implementation #191

merged 24 commits into 3.x from env-rack-config on Dec 11, 2015

oreoshake commented Nov 5, 2015

Follow-up to #181. As with the last PR, it's probably better to ignore the diff and look at the code directly.

The biggest change in this PR is the added support for "named overrides" - additional configuration objects that can be referenced by name. The header values are all precomputed so named overrides save the overhead of building a policy per request.

(from the readme)

```ruby
class ApplicationController < ActionController::Base
  SecureHeaders::Configuration.default do |config|
    config.csp = {
      default_src: %w('self'),
      script_src: %w()   # script-src sources go here
    }
  end

  # override default configuration
  SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config|
    config.csp[:script_src] << ""
  end

  # overrides the :script_from_otherdomain_com configuration
  SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config|
    config.csp[:script_src] << ""
  end
end

class MyController < ApplicationController
  def index
    # Produces default-src 'self'; script-src
  end

  def show
    # Produces default-src 'self'; script-src
  end
end
```
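The following is an added example, not code from the PR or from the secure_headers gem, that models the "named overrides" idea described above in plain Ruby: a global default plus named overrides that derive from the default or from another override by name, validated against the PR's configuration rules (CSP directives are arrays of strings, every other header is a string) and serialised to header strings once, at configuration time, so a request only does a hash lookup. The module and method names (`HeaderConfig`, `define_default`, `define_override`, `headers_for`) and the example hosts are assumptions for this illustration.

```ruby
# Added example (not secure_headers' own code): a minimal model of named
# overrides with precomputed header values. Names below are assumptions.
module HeaderConfig
  DEFAULT = :default
  @configs = {}   # name => { csp: {...}, x_content_type_options: "..." }
  @headers = {}   # name => { "Content-Security-Policy" => "...", ... }

  class << self
    # Deep-copy the CSP source arrays so an override cannot mutate its parent
    # (the "mutation of global state" regression fixed earlier in this PR).
    def deep_dup(config)
      csp = (config[:csp] || {}).transform_values(&:dup)
      config.merge(csp: csp)
    end

    def define_default
      config = { csp: {}, x_content_type_options: "nosniff" }
      yield config
      register(DEFAULT, config)
    end

    # An override starts from its parent (the default unless another name
    # is given), so overrides compose by name.
    def define_override(name, parent = DEFAULT)
      raise ArgumentError, "unknown parent #{parent.inspect}" unless @configs.key?(parent)
      config = deep_dup(@configs[parent])
      yield config
      register(name, config)
    end

    # Per-request cost is one hash lookup; nothing is rebuilt here.
    def headers_for(name = DEFAULT)
      @headers.fetch(name) { raise ArgumentError, "unknown override #{name.inspect}" }
    end

    private

    # Configuration rules from the PR: CSP directives are arrays of strings;
    # every other header value is a string (no procs, no space-delimited lists).
    def validate!(config)
      config.each do |key, value|
        if key == :csp
          value.each do |directive, sources|
            unless sources.is_a?(Array) && sources.all? { |s| s.is_a?(String) }
              raise ArgumentError, "csp #{directive} must be an array of strings"
            end
          end
        elsif !value.is_a?(String)
          raise ArgumentError, "#{key} must be a string"
        end
      end
    end

    # Precompute the header strings so no policy is built per request.
    def register(name, config)
      validate!(config)
      @configs[name] = config
      @headers[name] = build_headers(config)
    end

    def build_headers(config)
      csp = config[:csp].map { |d, srcs| "#{d.to_s.tr('_', '-')} #{srcs.join(' ')}" }.join("; ")
      {
        "Content-Security-Policy" => csp,
        "X-Content-Type-Options" => config[:x_content_type_options]
      }
    end
  end
end

HeaderConfig.define_default do |config|
  config[:csp] = { default_src: %w('self'), script_src: %w('self') }
end

HeaderConfig.define_override(:script_from_otherdomain_com) do |config|
  config[:csp][:script_src] << "https://otherdomain.example"   # constructed host
end

HeaderConfig.define_override(:another_config, :script_from_otherdomain_com) do |config|
  config[:csp][:script_src] << "https://another.example"       # constructed host
end

puts HeaderConfig.headers_for(:another_config)["Content-Security-Policy"]
# => default-src 'self'; script-src 'self' https://otherdomain.example https://another.example
```

Because `:another_config` is derived from `:script_from_otherdomain_com`, which is derived from the default, each override carries its parent's sources plus its own, while the default's own arrays stay untouched.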

oreoshake added some commits Oct 20, 2015

Merge pull request #184 from twitter/mutating-global-regression
fix regression with mutation of global state
Cache UserAgentParser instance
Thanks to @igrep for pointing this out.

Fixes #187
Merge pull request #188 from twitter/user-agent-parser
Cache UserAgentParser instance
Major rewrite:
Configure a global default and named overrides
Use helper methods to set/modify configurations at runtime
Set the headers in middleware based on the configuration saved to request.env

Configuration changes:
All headers require string values except for CSP and HPKP
CSP directives must be arrays of strings, no more support for space-delimited strings or procs

@oreoshake oreoshake referenced this pull request Nov 5, 2015

[WIP] New API Implementation #181 (8 of 9 tasks complete)
config.hpkp = {
:max_age => 60.days.to_i,
:include_subdomains => true,
:report_uri => '//',
:report_uri => "https//",
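Review bot: the `config.hpkp` hash literal declares `:report_uri` twice (`:report_uri => '//'` and `:report_uri => "https//"`); in a Ruby hash literal the later key silently wins (Ruby only emits a "duplicated key" warning), so only one report URI is ever set, and the surviving value is also missing the colon after `https`, as stve notes. Drop the first `:report_uri` entry and fix the scheme to `https://`.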

stve Nov 5, 2015


missing a : here

oreoshake and others added some commits Nov 5, 2015

Keep unsafe-* around when a * is provided.

default-src * 'unsafe-inline' 'unsafe-eval' http: https:

can be reduced to:

default-src * 'unsafe-inline' 'unsafe-eval'

Previously, the unsafe-* values were removed but * does not cover
the unsafe-* values.
Merge pull request #193 from twitter/calling-name-on-nil-value
Fix issue with opting out of headers when using header_hash method
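The reduction described in the "Keep unsafe-* around when a * is provided" commit above, as an added example that is not the gem's own code: when `*` appears in a directive's source list, host sources and scheme sources such as `http:` and `https:` are redundant and are dropped, but quoted keyword sources (`'unsafe-inline'`, `'unsafe-eval'` and the like) are kept, because `*` does not grant them. The module and method names are assumptions, and `reduce_before_fix` is a constructed stand-in for the regression the commit describes, not the gem's old code.

```ruby
# Added example (not secure_headers' own code): minimising a CSP source list
# in the presence of the wildcard "*". Names are assumptions for illustration.
module CspMinimize
  WILDCARD = "*"

  # Quoted keyword sources: 'self', 'unsafe-inline', 'unsafe-eval', 'nonce-...'.
  # "*" covers hosts and network schemes, never these.
  def self.keyword?(source)
    source.start_with?("'") && source.end_with?("'")
  end

  # Constructed model of the regression: "*" swallowed everything, so a policy
  # that meant to allow inline script lost 'unsafe-inline' and 'unsafe-eval'.
  def self.reduce_before_fix(sources)
    sources.include?(WILDCARD) ? [WILDCARD] : sources.uniq
  end

  # Fixed behaviour: "*" replaces hosts and schemes, keyword sources stay.
  def self.reduce(sources)
    return sources.uniq unless sources.include?(WILDCARD)
    [WILDCARD] + sources.uniq.select { |s| keyword?(s) }
  end

  # Serialise a directive hash to a header value, minimising each list.
  def self.header_value(directives)
    directives.map do |name, sources|
      "#{name.to_s.tr('_', '-')} #{reduce(sources).join(' ')}"
    end.join("; ")
  end
end

# Constructed input: the loose policy quoted in the commit message.
loose = %w(* 'unsafe-inline' 'unsafe-eval' http: https:)
puts CspMinimize.reduce_before_fix(loose).join(" ")  # "*" alone: the regression
puts CspMinimize.reduce(loose).join(" ")             # * 'unsafe-inline' 'unsafe-eval'
puts CspMinimize.header_value(default_src: loose, script_src: %w('self' https://cdn.example))
# => default-src * 'unsafe-inline' 'unsafe-eval'; script-src 'self' https://cdn.example
```

A directive without `*` is left alone apart from de-duplication, so a tight `script-src 'self' https://cdn.example` is never widened by the minimiser.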

oreoshake commented Dec 11, 2015

This code is now running on I'll let it sit for a few days and release a 3.0 gem. I'll add an "upgrading to 3.0 wiki" entry in the meantime since it is very much a breaking change.

oreoshake added a commit that referenced this pull request Dec 11, 2015

@oreoshake oreoshake merged commit 1918ce2 into 3.x Dec 11, 2015

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@oreoshake oreoshake deleted the env-rack-config branch Dec 11, 2015


reedloden commented on lib/secure_headers/railtie.rb in 32bb3f5 Feb 25, 2016

Just noticed 'X-Permitted-Cross-Domain-Policies' and 'X-Content-Type-Options' are listed twice.
