
Remove non-lowercase headers in Rails default configuration (fixes #541)

Open. obrie opened this pull request 10 months ago • 1 comment

This implements the solution proposed in https://github.com/github/secure_headers/issues/541

The full details of the issue are described in that ticket. To summarize:

While secure_headers now uses lowercase headers (as required by Rack 3+), the Rails default configuration still defines non-lowercase headers. As a result, our Railtie will not remove those conflicting headers.

This change ensures that we're accounting for both lowercase and non-lowercase default headers in Rails (for current Rails defaults and future defaults).

All PRs:

  • [ ] Has tests
  • [x] Documentation updated

Adding a new header

Generally, adding a new header is always OK.

  • Is the header supported by any user agent? If so, which?
  • What does it do?
  • What are the valid values for the header?
  • Where does the specification live?

Adding a new CSP directive

  • Is the directive supported by any user agent? If so, which?
  • What does it do?
  • What are the valid values for the directive?

obrie, Mar 20 '25 13:03
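The mechanism the PR description refers to, as an added illustration that is not the gem's Railtie code and is not from this PR: a helper that removes the Rails `default_headers` entries secure_headers will set itself, matching names case-insensitively so that both the mixed-case names Rails currently defines and the lowercase names Rack 3+ requires are stripped. The `MANAGED_HEADERS` list, the function names and the sample `default_headers` hash below are assumptions constructed for the example.

```ruby
# Added example, not secure_headers' own Railtie code.
# Strips any Rails default_headers entry that secure_headers will set
# itself. Matching is done on the downcased header name so a Rails
# default such as "X-Frame-Options" is removed even though the gem
# now works with lowercase names ("x-frame-options", as Rack 3 requires).

# Header names the gem manages. This list is an assumption for the
# example; what matters is that the names are lowercase.
MANAGED_HEADERS = %w[
  x-frame-options
  x-content-type-options
  x-xss-protection
  x-permitted-cross-domain-policies
  referrer-policy
].freeze

# Naive exact-match removal. This reproduces the behaviour the issue
# describes: lowercase names never equal the mixed-case Rails keys, so
# the conflicting Rails defaults survive.
def remove_managed_defaults_exact(default_headers, managed = MANAGED_HEADERS)
  default_headers.reject { |name, _value| managed.include?(name.to_s) }
end

# Case-insensitive removal. Works for today's mixed-case Rails defaults
# and for a future Rails that emits lowercase names. Returns a new hash
# and leaves the input untouched.
def remove_managed_defaults(default_headers, managed = MANAGED_HEADERS)
  managed_set = managed.map(&:downcase)
  default_headers.reject { |name, _value| managed_set.include?(name.to_s.downcase) }
end

# Constructed sample shaped like Rails' action_dispatch.default_headers.
# The values are illustrative, not taken from this PR.
RAILS_STYLE_DEFAULTS = {
  "X-Frame-Options" => "SAMEORIGIN",
  "X-XSS-Protection" => "0",
  "X-Content-Type-Options" => "nosniff",
  "X-Permitted-Cross-Domain-Policies" => "none",
  "Referrer-Policy" => "strict-origin-when-cross-origin",
  "Server" => "example", # not managed by the gem; must survive
}.freeze

# The same defaults as a hypothetical future Rails might define them.
LOWERCASE_DEFAULTS = RAILS_STYLE_DEFAULTS.transform_keys(&:downcase).freeze

if $PROGRAM_NAME == __FILE__
  puts "exact match leaves:        #{remove_managed_defaults_exact(RAILS_STYLE_DEFAULTS).keys.inspect}"
  puts "case-insensitive leaves:   #{remove_managed_defaults(RAILS_STYLE_DEFAULTS).keys.inspect}"
  puts "lowercase defaults leave:  #{remove_managed_defaults(LOWERCASE_DEFAULTS).keys.inspect}"
end
```

Running the file shows the exact-match variant leaving all six Rails keys in place, while the case-insensitive variant leaves only the unmanaged `Server` header for both the mixed-case and the lowercase inputs.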

Any chance we can get a maintainer to review this?

obrie, Apr 30 '25 14:04