secure_headers
Manages application of security headers with many safe defaults
# Bugs ## Nonced tag helpers including nonce directive in csp has potential to break applications ### Problem Given an application with inline script tags, and a CSP that allows...
This is more of a meta issue where I'm going to drop notes before actually coming up with a documented plan. We intend to go through this process in the...
# Bugs > Note: The plugin-types grammar allows for an empty directive value in which case all instantiations of embed and object will fail. https://w3c.github.io/webappsec-csp/#directive-plugin-types We validate it must match...
I want to set `upgrade_insecure_requests` only if the page is requested over HTTPS, because I don't use HTTPS when developing on localhost (i.e. when developing, I browse http://localhost, not https://localhost)....
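The per-request behaviour asked for above, as an added example that is not part of the issue or of the secure_headers gem: the policy is built from a plain hash and `upgrade-insecure-requests` is appended only when the request itself is HTTPS, so plain `http://localhost` development is unaffected. The base directives, the CDN host and the sample request environments are constructed for the example; `X-Forwarded-Proto` is honoured only when the caller says the proxy is trusted, because the header is otherwise attacker-controllable.

```ruby
# Added example, not secure_headers' own code.
# Emit upgrade-insecure-requests only for requests that arrived over HTTPS.

# Constructed base policy; cdn.example.com is a hypothetical host.
BASE_CSP = {
  "default-src" => %w['self'],
  "script-src"  => %w['self' https://cdn.example.com],
}.freeze

# Was this request made over HTTPS? Behind a TLS-terminating proxy the app
# only sees HTTP, so X-Forwarded-Proto can be consulted, but solely when the
# deployment guarantees the proxy overwrites that header (assumption).
def https_request?(env, trust_forwarded_proto: false)
  return true if env["rack.url_scheme"] == "https"
  return true if env["HTTPS"] == "on"
  if trust_forwarded_proto
    first_hop = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    return true if first_hop.casecmp?("https")
  end
  false
end

# Serialize directive-name => [sources] into a CSP header value.
# A directive with no sources (upgrade-insecure-requests) is emitted bare.
def serialize_csp(directives)
  directives.map { |name, values| values.empty? ? name : "#{name} #{values.join(' ')}" }.join("; ")
end

# Build the Content-Security-Policy value for a single request env.
def csp_for(env, base = BASE_CSP, trust_forwarded_proto: false)
  directives = base.dup
  if https_request?(env, trust_forwarded_proto: trust_forwarded_proto)
    directives["upgrade-insecure-requests"] = []
  end
  serialize_csp(directives)
end

# Constructed sample request environments.
DEV_ENV   = { "rack.url_scheme" => "http",  "HTTP_HOST" => "localhost:3000" }.freeze
PROD_ENV  = { "rack.url_scheme" => "https", "HTTP_HOST" => "app.example.com" }.freeze
PROXY_ENV = { "rack.url_scheme" => "http",  "HTTP_X_FORWARDED_PROTO" => "https" }.freeze

if __FILE__ == $0
  puts "dev:   #{csp_for(DEV_ENV)}"
  puts "prod:  #{csp_for(PROD_ENV)}"
  puts "proxy: #{csp_for(PROXY_ENV, trust_forwarded_proto: true)}"
end
```

The `PROXY_ENV` case is the one to get right in production: without `trust_forwarded_proto: true` the request is treated as HTTP and the directive is left out, which is the safe failure mode when the proxy's behaviour is unknown.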
# Feature Request ## Adding a new header ## Is the header supported by any user agent? If so, which? Chrome v76 and chromium-based browsers v79. Firefox is working to...
# Feature Request Rails does not allow you to set multiple headers with the same name, but CSP allows this. However, multiple headers that are comma separated can be used...
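To make the comma-separated form concrete, here is an added example (not code from the issue or from the gem) that parses a single header value carrying two policies and evaluates it the way a user agent does: each comma-separated policy is enforced independently, so a load is allowed only when every policy allows it. It also shows what goes wrong if the two policies are instead merged into one directive list, which widens the allowed set. The header, origin and URLs are constructed; the source matcher covers only hosts, `*.host`, scheme-only, `'self'`, `'none'` and `*`, ignoring ports and paths.

```ruby
# Added example, not secure_headers' own code.
require "uri"

# "p1, p2" -> [policy, policy]; each policy is directive-name => [sources].
# Within one policy CSP keeps the first occurrence of a duplicate directive.
def parse_csp_header(value)
  value.split(",").map do |policy|
    policy.split(";").each_with_object({}) do |directive, acc|
      name, *sources = directive.strip.split(/\s+/)
      next if name.nil? || name.empty?
      acc[name.downcase] ||= sources
    end
  end
end

# Does one source expression cover scheme://host? (subset of the spec)
def source_matches?(source, scheme, host, self_scheme, self_host)
  src = source.downcase
  return false if src == "'none'"
  return true  if src == "*"
  return scheme == self_scheme && host == self_host if src == "'self'"
  return scheme == src.chomp(":") if src.end_with?(":")   # scheme-source, e.g. "https:"
  src_scheme, src_host = src.include?("://") ? src.split("://", 2) : [nil, src]
  return false if src_scheme && src_scheme != scheme
  if src_host.start_with?("*.")
    host.end_with?(src_host[1..-1])   # "*.foo.com" covers a.foo.com, not foo.com
  else
    host == src_host
  end
end

# One policy's verdict for a directive: fall back to default-src; with
# neither present the directive is unrestricted.
def policy_allows?(policy, directive, scheme, host, self_scheme, self_host)
  sources = policy[directive] || policy["default-src"]
  return true if sources.nil?
  sources.any? { |s| source_matches?(s, scheme, host, self_scheme, self_host) }
end

def origin_parts(url)
  u = URI.parse(url)
  [u.scheme.downcase, u.host.downcase]
end

# Browser semantics: every policy in the header must allow the load.
def header_allows?(header, directive, url, self_origin)
  scheme, host = origin_parts(url)
  self_scheme, self_host = origin_parts(self_origin)
  parse_csp_header(header).all? do |policy|
    policy_allows?(policy, directive, scheme, host, self_scheme, self_host)
  end
end

# The tempting but wrong alternative: union the policies' directives.
def merged_policy(header)
  parse_csp_header(header).each_with_object({}) do |policy, acc|
    policy.each { |name, sources| acc[name] = (acc[name] || []) | sources }
  end
end

def merged_allows?(header, directive, url, self_origin)
  scheme, host = origin_parts(url)
  self_scheme, self_host = origin_parts(self_origin)
  policy_allows?(merged_policy(header), directive, scheme, host, self_scheme, self_host)
end

# Constructed sample: two policies in one header, separated by a comma.
COMBINED = "script-src 'self' https://cdn.example.com; default-src 'self', " \
           "script-src 'self' https://*.example.com"
SELF     = "https://app.example.com"

if __FILE__ == $0
  %w[https://cdn.example.com/app.js https://evil.example.com/x.js].each do |u|
    puts "#{u}: enforced=#{header_allows?(COMBINED, 'script-src', u, SELF)} " \
         "merged=#{merged_allows?(COMBINED, 'script-src', u, SELF)}"
  end
end
```

`evil.example.com` is the instructive case: the second policy's `*.example.com` admits it, the first policy's explicit list does not, so the browser blocks it, while a merged single policy would let it through. The same intersection applies to fallbacks: the first policy's `default-src 'self'` blocks an image from `cdn.example.com` even though the second policy says nothing about images.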
One thing about CSP that I've always found extremely dangerous is its ability to generate an enormous amount of traffic for a reporting endpoint if you hit browser bugs or...
Hi! 👋 We started using SameSite configuration on a few of our cookies, I misread the docs, goofed, and did this: ```ruby samesite: { strict: ['butter_cookie'] } ``` This does...
One of the features of secure_headers is that it will do a lot to shrink the size of a complicated policy: * Using child-src/frame-src based on bug from 2 years...
When I have the following as part of my csp header config: ```ruby config.csp = { frame_ancestors: %w[*.foo.com http://www.foo.com], preserve_schemes: true, ... } ``` and I'm serving my frame over...