secure_headers

Manages application of security headers with many safe defaults

Results 49 secure_headers issues

At GitHub, we set the `default-src` CSP attribute to `none`. This provides the strictest possible CSP as it'll thus only allow CSP directives that the user explicitly has allowlisted. It...

CSP double policies enable setups that are not possible with just one CSP. When a browser sees a response with multiple CSP headers (or a single CSP header split via...

# Feature Requests Currently, the view_helpers don't include a `nonced_javascript_packs_with_chunks_tag`. This would be a handy addition for those folks using `webpacker` with split chunks enabled. See: https://github.com/rails/webpacker/blob/master/lib/webpacker/helper.rb#L83-L85

Related https://github.com/helmetjs/x-xss-protection/issues/14 There’s some good discussion there. The OWASP consensus is that it does more harm than good. We’ve always allowed people to override this setting, but maybe we should...

Hi there, I would like to create random hashes from the inline script by using sha256, like the following results: Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=' Appreciate your kind assist. Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Note: this issue used to focus on feature policy. Feature policy has been replaced with permissions-policy. While the two aren't equal, they are somewhat interchangeable for the discussion to this...

On secure_headers 5.x it was possible to override the CSP directives when opting out without having to define a default_src. Now on 6.x it is required to set the default_src...

A discussion in https://github.com/twitter/secure_headers/issues/275 was about ensuring that rails gets support for feature policy and how it would require an API similar to the CSP API. It made me think...

Just like CSP and XFO, referrer-policy needs to have per-action configurability.


Is there a way to enable this gem in an initializer completely? E.g. we host our app for different customers, but due to various reasons we want to upgrade manually....