secure_headers
Manages application of security headers with many safe defaults
Recently, we've had a spate of fixes for parsing directives and source expressions, stemming from the fact that the code doesn't understand the format of valid expressions, and makes local...
# Bugs Currently there hasn't been a successful update on this gem since [6.5.0 according to RubyGems](https://rubygems.org/gems/secure_headers). However, there have been two releases since then and those have failed. Here's the...
## Adding a new CSP directive Report-uri seems to be deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri Instead we want to use both report-uri and report-to, to be future-proof and backward compatible. * Is...
### Expected outcome I am using GoodJob to process jobs on Rails 6. The GoodJob dashboard includes a number of scripts and styles. These all have nonces set using the...
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. Release notes Sourced from actions/checkout's releases. v4.0.0 What's Changed Update default runtime to node20 by @takost in actions/checkout#1436 Support fetching without the --progress option...
# Bugs SecureHeaders is not compatible with this change from [Rack 3](https://github.com/rack/rack/blob/main/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array) as SH uses `\n` encoded cookies in [flag_cookies!](https://github.com/github/secure_headers/blob/main/lib/secure_headers/middleware.rb#L29): > Response header values can be an Array to handle...
I added the `secure_headers` gem to my project as we needed to implement CSP. When configuring the policy, I was going to add the `report-to` directive as it seems that...
## All PRs: * [x] Has tests * [ ] Documentation updated fixes #514 by adding compatibility with Rack 3, which doesn't support multiple headers joined with `\n`
Bumps [ruby/setup-ruby](https://github.com/ruby/setup-ruby) from 1.207.0 to 1.230.0. Release notes Sourced from ruby/setup-ruby's releases. v1.230.0 What's Changed Add ruby-3.3.8 by @ruby-builder-bot in ruby/setup-ruby#736 Update CRuby releases on Windows by @ruby-builder-bot in ruby/setup-ruby#737...
This implements the solution proposed in https://github.com/github/secure_headers/issues/541 The full details of the issue are described in that ticket. To summarize: While secure_headers now uses lowercase headers (as required by...