class SecureHeaders::Configuration

Constants

DEFAULT_CONFIG
HASH_CONFIG_FILE
NOOP_CONFIGURATION

Attributes

cached_headers[R]
cookies[R]
csp[R]
dynamic_csp[RW]
hpkp[R]
hpkp_report_host[R]
hsts[W]
referrer_policy[W]
x_content_type_options[W]
x_download_options[W]
x_frame_options[W]
x_permitted_cross_domain_policies[W]
x_xss_protection[W]

Public Class Methods

configure(&block)
Alias for: default
default(&block) click to toggle source

Public: Set the global default configuration.

Optionally supply a block to override the defaults set by this library.

Returns the newly created config.

# File lib/secure_headers/configuration.rb, line 15
def default(&block)
  config = new(&block)
  add_noop_configuration
  add_configuration(DEFAULT_CONFIG, config)
end
Also aliased as: configure
get(name = DEFAULT_CONFIG) click to toggle source

Public: retrieve a global configuration object

Returns the configuration with a given name or raises a NotYetConfiguredError if `default` has not been called.

# File lib/secure_headers/configuration.rb, line 42
def get(name = DEFAULT_CONFIG)
  if @configurations.nil?
    raise NotYetConfiguredError, "Default policy not yet supplied"
  end
  @configurations[name]
end
named_append(name, target = nil, &block) click to toggle source
# File lib/secure_headers/configuration.rb, line 54
def named_append(name, target = nil, &block)
  @appends ||= {}
  raise "Provide a configuration block" unless block_given?
  @appends[name] = block
end
named_appends(name) click to toggle source
# File lib/secure_headers/configuration.rb, line 49
def named_appends(name)
  @appends ||= {}
  @appends[name]
end
new(&block) click to toggle source
# File lib/secure_headers/configuration.rb, line 132
def initialize(&block)
  self.hpkp = OPT_OUT
  self.referrer_policy = OPT_OUT
  self.csp = self.class.send(:deep_copy, CSP::DEFAULT_CONFIG)
  instance_eval &block if block_given?
end
override(name, base = DEFAULT_CONFIG, &block) click to toggle source

Public: create a named configuration that overrides the default config.

name - use an idenfier for the override config. base - override another existing config, or override the default config if no value is supplied.

Returns: the newly created config

# File lib/secure_headers/configuration.rb, line 29
def override(name, base = DEFAULT_CONFIG, &block)
  unless get(base)
    raise NotYetConfiguredError, "#{base} policy not yet supplied"
  end
  override = @configurations[base].dup
  override.instance_eval &block if block_given?
  add_configuration(name, override)
end

Private Class Methods

add_configuration(name, config) click to toggle source

Private: add a valid configuration to the global set of named configs.

config - the config to store name - the lookup value for this config

Raises errors if the config is invalid or if a config named `name` already exists.

Returns the config, if valid

# File lib/secure_headers/configuration.rb, line 71
def add_configuration(name, config)
  config.validate_config!
  @configurations ||= {}
  config.send(:cache_headers!)
  config.send(:cache_hpkp_report_host)
  config.freeze
  @configurations[name] = config
end
add_noop_configuration() click to toggle source

Private: Automatically add an “opt-out of everything” override.

Returns the noop config

# File lib/secure_headers/configuration.rb, line 83
def add_noop_configuration
  noop_config = new do |config|
    ALL_HEADER_CLASSES.each do |klass|
      config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
    end
    config.dynamic_csp = OPT_OUT
  end

  add_configuration(NOOP_CONFIGURATION, noop_config)
end
deep_copy(config) click to toggle source

Public: perform a basic deep dup. The shallow copy provided by dup/clone can lead to modifying parent objects.

# File lib/secure_headers/configuration.rb, line 96
def deep_copy(config)
  config.each_with_object({}) do |(key, value), hash|
    hash[key] = if value.is_a?(Array)
      value.dup
    else
      value
    end
  end
end
deep_copy_if_hash(value) click to toggle source

Private: convenience method purely DRY things up. The value may not be a hash (e.g. OPT_OUT, nil)

# File lib/secure_headers/configuration.rb, line 108
def deep_copy_if_hash(value)
  if value.is_a?(Hash)
    deep_copy(value)
  else
    value
  end
end

Public Instance Methods

current_csp() click to toggle source
# File lib/secure_headers/configuration.rb, line 183
def current_csp
  @dynamic_csp || @csp
end
dup() click to toggle source

Public: copy everything but the cached headers

Returns a deep-dup'd copy of this configuration.

# File lib/secure_headers/configuration.rb, line 142
def dup
  copy = self.class.new
  copy.cookies = @cookies
  copy.csp = self.class.send(:deep_copy_if_hash, @csp)
  copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
  copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
  copy.x_content_type_options = @x_content_type_options
  copy.hsts = @hsts
  copy.x_frame_options = @x_frame_options
  copy.x_xss_protection = @x_xss_protection
  copy.x_download_options = @x_download_options
  copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
  copy.referrer_policy = @referrer_policy
  copy.hpkp = @hpkp
  copy.hpkp_report_host = @hpkp_report_host
  copy
end
opt_out(header) click to toggle source
# File lib/secure_headers/configuration.rb, line 160
def opt_out(header)
  send("#{header}=", OPT_OUT)
  if header == CSP::CONFIG_KEY
    dynamic_csp = OPT_OUT
  end
  self.cached_headers.delete(header)
end
rebuild_csp_header_cache!(user_agent) click to toggle source

Public: generated cached headers for a specific user agent.

# File lib/secure_headers/configuration.rb, line 174
def rebuild_csp_header_cache!(user_agent)
  self.cached_headers[CSP::CONFIG_KEY] = {}
  unless current_csp == OPT_OUT
    user_agent = UserAgent.parse(user_agent)
    variation = CSP.ua_to_variation(user_agent)
    self.cached_headers[CSP::CONFIG_KEY][variation] = CSP.make_header(current_csp, user_agent)
  end
end
secure_cookies=(secure_cookies) click to toggle source
# File lib/secure_headers/configuration.rb, line 205
def secure_cookies=(secure_cookies)
  Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#secure_cookies=` is deprecated. Please use `#cookies=` to configure secure cookies instead."
  @cookies = (@cookies || {}).merge(secure: secure_cookies)
end
update_x_frame_options(value) click to toggle source
# File lib/secure_headers/configuration.rb, line 168
def update_x_frame_options(value)
  @x_frame_options = value
  self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
end
validate_config!() click to toggle source

Public: validates all configurations values.

Raises various configuration errors if any invalid config is detected.

Returns nothing

# File lib/secure_headers/configuration.rb, line 192
def validate_config!
  StrictTransportSecurity.validate_config!(@hsts)
  ContentSecurityPolicy.validate_config!(@csp)
  ReferrerPolicy.validate_config!(@referrer_policy)
  XFrameOptions.validate_config!(@x_frame_options)
  XContentTypeOptions.validate_config!(@x_content_type_options)
  XXssProtection.validate_config!(@x_xss_protection)
  XDownloadOptions.validate_config!(@x_download_options)
  XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
  PublicKeyPins.validate_config!(@hpkp)
  Cookie.validate_config!(@cookies)
end

Protected Instance Methods

cached_headers=(headers) click to toggle source
# File lib/secure_headers/configuration.rb, line 224
def cached_headers=(headers)
  @cached_headers = headers
end
cookies=(cookies) click to toggle source
# File lib/secure_headers/configuration.rb, line 220
def cookies=(cookies)
  @cookies = cookies
end
csp=(new_csp) click to toggle source
# File lib/secure_headers/configuration.rb, line 212
def csp=(new_csp)
  if self.dynamic_csp
    raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= instead."
  end

  @csp = self.class.send(:deep_copy_if_hash, new_csp)
end
hpkp=(hpkp) click to toggle source
# File lib/secure_headers/configuration.rb, line 228
def hpkp=(hpkp)
  @hpkp = self.class.send(:deep_copy_if_hash, hpkp)
end
hpkp_report_host=(hpkp_report_host) click to toggle source
# File lib/secure_headers/configuration.rb, line 232
def hpkp_report_host=(hpkp_report_host)
  @hpkp_report_host = hpkp_report_host
end

Private Instance Methods

cache_headers!() click to toggle source

Public: Precompute the header names and values for this configuraiton. Ensures that headers generated at configure time, not on demand.

Returns the cached headers

# File lib/secure_headers/configuration.rb, line 250
def cache_headers!
  # generate defaults for the "easy" headers
  headers = (ALL_HEADERS_BESIDES_CSP).each_with_object({}) do |klass, hash|
    config = instance_variable_get("@#{klass::CONFIG_KEY}")
    unless config == OPT_OUT
      hash[klass::CONFIG_KEY] = klass.make_header(config).freeze
    end
  end

  generate_csp_headers(headers)

  headers.freeze
  self.cached_headers = headers
end
cache_hpkp_report_host() click to toggle source
# File lib/secure_headers/configuration.rb, line 238
def cache_hpkp_report_host
  has_report_uri = @hpkp && @hpkp != OPT_OUT && @hpkp[:report_uri]
  self.hpkp_report_host = if has_report_uri
    parsed_report_uri = URI.parse(@hpkp[:report_uri])
    parsed_report_uri.host
  end
end
generate_csp_headers(headers) click to toggle source

Private: adds CSP headers for each variation of CSP support.

headers - generated headers are added to this hash namespaced by The

different variations

Returns nothing

# File lib/secure_headers/configuration.rb, line 271
def generate_csp_headers(headers)
  unless @csp == OPT_OUT
    headers[CSP::CONFIG_KEY] = {}
    csp_config = self.current_csp
    CSP::VARIATIONS.each do |name, _|
      csp = CSP.make_header(csp_config, UserAgent.parse(name))
      headers[CSP::CONFIG_KEY][name] = csp.freeze
    end
  end
end