I came across a case when a friend asked if we had a Java version of secureheaders, would be great to list different language implementations right in the README.

https://github.com/sourceclear/headlines

Problem:
Chrome sets the mime type application/csp-report and this prevents the ActionDispatch::ParamsParser middleware from parsing the post body and merging it into the params array. This means that using a forward_endpoint will not work since the forwarded params array will be empty.

Solution:

ActionDispatch::ParamsParser::DEFAULT_PARSERS["application/csp-report"] = :json

The current script-nonce support was back when script-nonce was its own source directive. With script hash, it has been rolled into script-src

HTTP header used for informing Adobe products as to how to handle cross domain policies.

https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

Specifies the meta-policy. The default value is master-only for all policy files except socket policy files, where the default is all. Allowed values are:

• none: No policy files are allowed anywhere on the target server, including this master policy file.
• master-only: Only this master policy file is allowed.
• by-content-type: [HTTP/HTTPS only] Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.
• by-ftp-filename: [FTP only] Only policy files whose file names are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.
• all: All policy files on this target domain are allowed.

map.csp_endpoint on Rails 3.0.x is fail.

When I start the server with this route enabled, I get an ArgumentError.

Using toolmantim/user_agent_parser would be better than my ported library that is getting out of date...

Issue #55 seems to have gotten undone somehow from secure_headers 0.4.3 to 0.5.0. CSP headers are sent to Safari 5.1 (7534.48.3) when I use 0.5.0 but not if I switch back to 0.4.3.

For use in Rails 4, make sure threading works!

A browser detecting a CSP violation tries to post that violation to the secure_headers CSP end point on our server (ie. /content_security_policy/forward_report), but it 404s on that endpoint when in a non-development environment.

We did however, notice that setting consider_all_requests_local = true in the settings for that non-development environment would enable that end-point and allow the browser to post the violations to the server, but of course we don't want that as our production environment solution.

So is anyone else seeing this behaviour?

FYI, we're using:

• rails: 3.2.15
• secure_headers: 1.0.0

Also:

> RAILS_ENV=staging bundle exec rake routes |grep content_security_policy
  content_security_policy_forward_report POST   /content_security_policy/forward_report(.:format)                                     content_security_policy#scribe

> echo "Rails.application.routes.recognize_path('/content_security_policy/forward_report')" | RAILS_ENV=staging bundle exec rails c
Loading staging environment (Rails 3.2.15)
Switch to inspect mode.
Rails.application.routes.recognize_path('/content_security_policy/forward_report')
{:controller=>"application", :action=>"render_error_404", :not_found=>"content_security_policy/forward_report"}

Test to ensure CSP policy enforcement is working as expected.

default-src 'self'; 

Try to load an image, stylesheet, etc

This will also work as a test that will signal when Firefox has fixed the inline style CSP bug (add bugzilla reference)

Perhaps only in RAILS_ENV=development or something. Seems wasteful. I'm not even sure it's worth putting it behind an option.

Given that firefox/chrome GA releases support the standard... not much reasoning behind supoorting the X- versions. Especially since they break all the time.

Your CA bundle curl-ca-bundle.crt is broken, outdated and contains invalid root CA certificates. See curl/curl@51f0b79 and https://www.imperialviolet.org/2012/01/30/mozillaroots.html

There have been a few cases where this unnecessary abstraction caused confusion. It's a before_filter and that should be the main interface, or at least an option.

before_filter :set_all_security_headers
skip_before_filter :set_csp_header if crazy_stuff?
skip_before_filter :set_x_frame_options_header if stuff_needs_to_be_framed?

Perhaps this is a new feature? I found it in the W3C CSP spec while investigating the X-XSS-Protection header:

https://w3c.github.io/webappsec/specs/content-security-policy/#directive-reflected-xss

Hi!
I've added secureheaders to an app I'm developing, and while it works fine in my development environment, when I deploy it to heroku I get this error:

Error Message:
SecureHeaders::STSBuildError: max-age must be a number. 99 was supplied.

Where:
devise/sessions#new
[PROJECT_ROOT]/vendor/bundle/ruby/1.9.1/gems/secure_headers-0.3.0/lib/secure_headers/headers/strict_transport_security.rb, line 45

Any ideas of what is happening?

Thanks in advance!

(If not already supported)

https://twitter.com/ndm/status/433355106965139458

Hi,
setting csp: false while configuring ensure_security_headers results in having "img-src chrome-extension" in the X-WebKit-CSP-Report-Only header on Chrome.
Which produce warnings in the console when loading any image from elsewhere than chrome extensions.
I think -but I may be wrong- that this is not the intended effect when setting csp to false.
what do you think?
cheers
Vincent

The csp forwarder has multiple issues and has been annoying to maintain. Fork it out into a separate gem and let it go it's own direction

Currently a route to content_security_policy#scribe is always added, even in cases when forwarding is not set up. Instead of NOOP

  def scribe
    csp = ::SecureHeaders::Configuration.csp || {}

    forward_endpoint = csp[:forward_endpoint]
    if forward_endpoint
      forward_params_to(forward_endpoint)
    end

    head :ok

can the route not be installed in the first place ?

For x_frame_options, as ALLOW-FROM is not supported by all browsers, would a pull request that returns ALLOW vs DENY based on the referrer be useful for this project?

Supply w3 header to Firefox 23+

No tags make sad: https://github.com/twitter/secureheaders/releases

Would be great to add github release notes too!
https://github.com/blog/1547-release-your-software

Yeah, why not. From the discussion #79

Another relic of the original implementation, one massive spec file which pays no regard to the law of demeter needs to be broken down into chunks that make sense.

Generates a warning in non-firefox browsers. Harmless, but causes complaints.

I'm sorry if this is straight forward, but I can't seem to get this to work under Sinatra.

I created an initializer following the suggestion in the readme. However when I start the rails server, I get:
/config/initializers/secure_headers.rb:1:in `<top (required)>': uninitialized constant SecureHeaders (NameError)

In fixing #3, I introduced a worse bug:

AppCon
ensure_security_headers

RandomCon
ensure_security_headers :csp => 'holy crap batman'

Now all requests get 'holy crap batman' regardless of the controller. Class loading determines which Controller owns the settings.

Use https://practicingruby.com/articles/shared/scqtutaqfldp to cheat building such a parser

Given that the plan is to only support the standard CSP header in #73, the only other piece that uses UA sniffing is the X-Content-Type-Options support. It's probably fine to send this to safari/firefox/other as well. This would close #72

Currently there is UA sniffing and SSL detection, but this should also be allowed to be provided as options. This allows pre-configured headers for the various scenarios so they aren't generated per request.

Most people will want to do something pretty custom with their reports. Some will log directly to a public endpoint. Some will implement and endpoint and send it to various sources. A question on stackoverflow got me thinking about this.

However, there should be something built in to do some basic aggregation/display with no effort. A few ideas:

• Store in db, create UI for viewing/visualizing, perhaps with search (requires extra config/infra). Should this be restricted to Rails.env.development?
• Log to separate log file in human readable format
• Serialize to JSON for use with other visualization tools
• Hook into growl/browser if violations are unexpected? (tangental)

With a UI, it would be nice to have:

• Policy validator (should this be built into config initialization?)
• Policy adjustment suggestions (restrict/loosen, redundant)
• Indication that inline script, eval script, mixed-content, etc are allowed. With the goal to eliminate all issues.

Supporting this could actually add functionality useful in a prod scenario

• Add a value to the config file that takes a block and yields the JSON hash
• Specify a class name that implements csp_report (essentially no different from a custom endpoint implementation, but pluggable)

I don't think it's wise to try and build something production-ready. And of course, this should involve no code changes other than a configuration tweak.

The csp class gets a C on code climate. This because it really is two classes in one. Subclass it w/ Firefox v WebKit impls, remove conditional logic inside various methods.

I'm working to get our rails boot time down, as we've been running into issues where the app's boot time exceeds the 60 seconds allowed for by Heroku. In doing this, I've noticed that secure_headers is the slowest loading gem by a large margin. Using bumbler, I tracked down the five slowest gems to these:

 427.33  rocket_pants
 632.43  rails
 651.41  delayed_job
 959.41  newrelic_rpm
1439.04  secure_headers

I've fixed our boot time and am moving on, but I thought I'd let you know how slow the gem takes to load; it would be great to speed it up some how.

Where should this be included? In the application module in a rails app?

A use case came up where I had to jank around the need for the report-uri to be determined per request. The API supports this but the recommended config requires adding some jank to emulate this.

This seems like a good use case to accept anything that is callable for a config value, at least for CSP.

https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer

Figure out witch version started emitting this warning message, and conditionally serve new header for all versions > X

https://w3c.github.io/webappsec/specs/content-security-policy/#directive-plugin-types

After reading http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html, we should add this.

X-Download-Options: noopen

http://blogs.msdn.com/b/ieinternals/archive/2009/06/30/internet-explorer-custom-http-headers.aspx

While IE has special handling of the X-Content-Type-Options header for the general "don't ignore the content-type and try to sniff", Chrome also respects the header but for a very specific use case.

http://developer.chrome.com/extensions/hosting.html

A server that hosts .crx files must use appropriate HTTP headers, so that users can install the file by clicking a link to it.

Google Chrome considers a file to be installable if either of the following is true:

• The file has the content type application/x-chrome-extension
• The file suffix is .crx and both of the following are true:
  • The file is not served with the HTTP header X-Content-Type-Options: nosniff
  • The file is served with one of the following content types:
    • empty string
    • "text/plain"
    • "application/octet-stream"
    • "unknown/unknown"
    • "application/unknown"
    • "/"

Would be awesome if this gem supported that specific case somehow...

And maybe the other fields that are excluded

I am seeing the following error:

TypeError: can't convert Fixnum into String

From: [GEM_ROOT]/gems/secure_headers-0.4.1/lib/secure_headers/headers/strict_transport_security.rb, line 32

With the following configuration:

::SecureHeaders::Configuration.configure do |config|
  config.hsts = {:max_age => 99, :include_subdomains => true}
  config.x_frame_options = 'DENY'
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = {:value => 1, :mode => 'block'}
  config.csp = false
end

The code for every header that isn't CSP is too common enough not to abstract this away. Adding a support for a new header shouldn't involve copy/pasting code.

In the case of doing firefox forwarding, you may have to send the report to a host that does not match the report_uri. In this case, we need to support two separate report_uris.

Consider just using forward_endpoint and don't allow the override of the endpoint? That seems to be what people think forward_endpoint is anyways.

Was tweaking a policy for a rails 4 site to NOT apply some of the X headers, but naturally they were applied due to the new default headers feature.

It seems using secure_headers means you don't want to use the built-in feature.