secure_headers
Manages application of security headers with many safe defaults
From https://csp-evaluator.withgoogle.com : > Consider requiring Trusted Types for scripts to lock down DOM XSS injection sinks. You can do this by adding "require-trusted-types-for 'script'" to your policy. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for Example:...
Unlike e.g. `require-sri-for` (which our previous implementation was written for), the `require-trusted-types-for` directive uses: - Single-quoted `'script'` and `'none'` sources (in addition to `'allow-duplicates'`). - Unquoted policies in addition to those. See:...
Fixes the bug introduced with release v6.3.4 in #478 that causes errors like the following when using port wildcards such as `ws://localhost:*` in one's sources: ``` 2022-06-29 08:56:52 +0100 Rack...
## All PRs: * [x] Has tests * [ ] Documentation updated - N/A ## Adding a new header Generally, adding a new header is always OK. * Is the...
# Bugs Getting *URI::InvalidURIError: Invalid data URI* with the latest 6.3.4 release; works in 6.3.3. ### Expected outcome Accept all URLs including `data:`. ### Actual outcome Fails in `def dedup_source_list(sources)`...
This PR adds Dependabot for GitHub Actions as described here - https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot As the checkout action is currently out of date, Dependabot will open a PR to update it if...
Refactors the rake task to enable testing of the changes made in #472 ## All PRs: * [x] Has tests * [ ] Documentation updated
`SecureHeaders` excessively deduplicates sources without taking schemes into account leading to removal of sources that shouldn't be removed. I think the problem is with [`dedup_source_list()`](https://github.com/twitter/secureheaders/blob/master/lib/secure_headers/headers/content_security_policy.rb#L151) which relies on filesystem-like matching....
## Summary It came up in https://github.com/github/secure_headers/pull/479 that we should start brainstorming the features for a new major version of Secure Headers. This is a holding issue for features and...
This PR updates the default value of the `X-XSS-Protection` header to 0. There's further discussion here about the reasons for this: https://github.com/github/secure_headers/issues/439. ## All PRs: * [x] Has tests *...