
Add simple static configuration option for bypassing application of all security headers

Open h0jeZvgoxFepBQ2C opened this issue 5 years ago • 5 comments

Is there a way to enable this gem in an initializer completely?

F.e. we host our app for different customers, but due to various reasons we want to upgrade manually.

So I would like to enable secure_headers at runtime, like f.e:

if ENV["ENABLE_STRICT_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    ...
  end
else
  SecureHeaders::Configuration.disable! # <= (or something like this)
end

I also don't want to opt out the settings, I completely want to disable secure headers (since sometimes we have set special headers by ourself and we will have to migrate them to secure headers first).

h0jeZvgoxFepBQ2C avatar Dec 15 '20 10:12 h0jeZvgoxFepBQ2C

Hello @h0jeZvgoxFepBQ2C, I can't recall if there's a shorthand way for doing this but you can set each config.<header_name> = SecureHeaders::OPT_OUT to avoid the default behavior. Alternatively, and probably a worse idea would be to do it per request with SecureHeaders.opt_out_of_all_protection(request) in some before_action.

I agree that would be a cool addition. I doubly like that you ended your proposed api with a ! 💥

oreoshake avatar Dec 15 '20 19:12 oreoshake

Thanks @oreoshake ,

I did something like this now:

if ENV["DISABLE_SECURE_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    config.cookies = SecureHeaders::OPT_OUT
    config.hsts = SecureHeaders::OPT_OUT
    config.x_frame_options = SecureHeaders::OPT_OUT
    config.x_content_type_options = SecureHeaders::OPT_OUT
    config.x_xss_protection = SecureHeaders::OPT_OUT
    config.x_download_options = SecureHeaders::OPT_OUT
    config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
    config.referrer_policy = SecureHeaders::OPT_OUT
    config.csp = SecureHeaders::OPT_OUT
  end
else
...
end

Would be maybe good to add such a small disable method, so you don't have to specify all settings manually (and maybe miss some, if new keys are implemented in future versions). And yeah, maybe there shouldn't be a ! 😄

Shall I leave this issue open? Or close it, since there is a workaround somehow?

h0jeZvgoxFepBQ2C avatar Dec 15 '20 22:12 h0jeZvgoxFepBQ2C
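Since the opt-out list above has to be kept in sync by hand, and the original post mentions custom headers that still need migrating to the gem, here is an added audit script (not part of secure_headers) that parses a raw HTTP response and reports which gem-managed headers are missing or sent twice. The header list and the sample response are constructed for the example.

```ruby
# Added example (not the gem's own code): audit a raw HTTP response for the
# headers secure_headers manages, to catch a deployment where the gem was
# disabled or a hand-set header was never migrated to it.

# Response headers behind the config keys opted out above (constructed list).
MANAGED_HEADERS = [
  "Strict-Transport-Security", "X-Frame-Options",
  "X-Content-Type-Options", "X-XSS-Protection", "X-Download-Options",
  "X-Permitted-Cross-Domain-Policies", "Referrer-Policy",
  "Content-Security-Policy",
].freeze

# Parse the header block of a raw HTTP/1.1 response into
# { lowercased_name => [values] }; header names are case-insensitive
# (RFC 9110), and duplicates are kept so they can be reported.
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first
  head.lines.drop(1).each_with_object({}) do |line, acc| # drop status line
    name, value = line.split(":", 2)
    next if value.nil?
    (acc[name.strip.downcase] ||= []) << value.strip
  end
end

# Return the managed headers that are absent and those sent more than once.
# A duplicate usually means a legacy header coexists with the gem's; for CSP
# the browser enforces both policies (their intersection), which is easy to miss.
def audit(raw)
  headers = parse_headers(raw)
  {
    missing: MANAGED_HEADERS.reject { |h| headers.key?(h.downcase) },
    duplicated: MANAGED_HEADERS.select { |h| headers.fetch(h.downcase, []).size > 1 },
  }
end

# Constructed sample: CSP set twice (gem plus a legacy header), HSTS absent.
SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "content-security-policy: default-src 'self'",
  "Content-Security-Policy: default-src *",
  "X-Frame-Options: SAMEORIGIN",
  "X-Content-Type-Options: nosniff",
  "X-XSS-Protection: 1; mode=block",
  "X-Download-Options: noopen",
  "X-Permitted-Cross-Domain-Policies: none",
  "Referrer-Policy: strict-origin-when-cross-origin",
].join("\r\n") + "\r\n\r\n<html></html>"

puts audit(SAMPLE_RESPONSE).inspect if $PROGRAM_NAME == __FILE__
```

Point it at a real response captured with `curl -i` to check that an environment that sets the disable flag is really the one you expected.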

I was in favor of the ! ! ❗ Apologies if that came out as sarcasm 👼🏻

I think it would be a good addition and therefore would be worth keeping open in case someone decides to implement it.

oreoshake avatar Dec 15 '20 22:12 oreoshake

I've updated the title to reflect that this issue is less of a question and more of a valid, useful feature request.

oreoshake avatar May 06 '21 06:05 oreoshake

I have a doubt; I don't know if I can put it here, but I already looked for where it would be better and I decided on here. My question and doubt, and I have thought about it a lot: where do I put the code to apply the gem in a Jekyll project?

I have already installed the gem and everything, but I don't see the headers reflected in the web project. So I don't know how or where to apply it, whether in head or body.

I remain attentive and I hope you can help me. Thank you very much in advance.

LeoWebSEO avatar Oct 27 '22 17:10 LeoWebSEO