Comments (5)
oreoshake
commented on June 11, 2024
1
I've updated the title to reflect that this issue is less of a question and more of a valid, useful feature request.
from secure_headers.
oreoshake
commented on June 11, 2024
Hello @h0jeZvgoxFepBQ2C, I can't recall if there's a shorthand way for doing this but you can set each config.<header_name> = SecureHeaders::OPT_OUT to avoid the default behavior. Alternatively, and probably a worse idea would be to do it per request with SecureHeaders.opt_out_of_all_protection(request) in some before_action.
I agree that would be a cool addition. I doubly like that you ended your proposed api with a ! π₯
from secure_headers.
h0jeZvgoxFepBQ2C
commented on June 11, 2024
Thanks @oreoshake ,
I did something like this now:
if ENV["DISABLE_SECURE_HEADERS"]
SecureHeaders::Configuration.default do |config|
config.cookies = SecureHeaders::OPT_OUT
config.hsts = SecureHeaders::OPT_OUT
config.x_frame_options = SecureHeaders::OPT_OUT
config.x_content_type_options = SecureHeaders::OPT_OUT
config.x_xss_protection = SecureHeaders::OPT_OUT
config.x_download_options = SecureHeaders::OPT_OUT
config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
config.referrer_policy = SecureHeaders::OPT_OUT
config.csp = SecureHeaders::OPT_OUT
end
else
...
endWould be maybe good to add such a small disable method, so you don't have to specify all settings manually (and maybe miss some, if new keys are implemented in future versions). And yeah, maybe there shouldn't be a ! π
Shall I leave this issue open? Or close it, since there is a workaround somehow?
from secure_headers.
oreoshake
commented on June 11, 2024
I was in favor of the ! ! β Apologies if that came out as sarcasm πΌπ»
I think it would be a good addition and therefore would be worth keeping open in case someone decides to implement it.
from secure_headers.
LeoWebSEO
commented on June 11, 2024
I have a doubt, I don't know if I can put it here but I already looked for where it would be better and I decided here. My question and doubt and I have thought about it a lot: where but the code to apply the gem in a jekyll project?
I have already installed the gem and everything but I don't see that it reflects the headers in the web project. So I don't know how or where to apply it, whether in head or body.
I remain attentive and I hope you can help me. Beforehand thank you very much.
from secure_headers.
Related Issues (20)
- Setting SameSite cookie attribute conditionally HOT 4
- Guide for transitioning from secure_headers to vanilla rails csp HOT 3
- Incorrect Version as latest release HOT 1
- nonced tag helpers including nonce directive in csp has potential to break applications HOT 17
- Add support for CSP level 3 HOT 3
- Why is CSP in report only mode blocking requests? HOT 3
- Add require-trusted-types-for to CSP HOT 3
- Support CSP "double policies"
- Major Version 7.0.0 HOT 1
- Set `default-src` CSP Attribute to `none` by default HOT 1
- URI::InvalidURIError: Invalid data URI HOT 1
- Installation instructions unclear HOT 1
- jekyll integration HOT 3
- How can I disable 'unsafe-inline' from script-src? HOT 1
- test issue
- test issue
- `content_security_policy_nonce` calls Rails method so CSP does not contain nonce
- CSP Report-uri deprecated, replaced by report-to
- RubyGems doesn't have latest version of this gem HOT 1
- SecureHeaders middleware erases all cookies in Rack 3 due to \n joining HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secure_headers.