class SecureHeaders::Configuration
Constants
- DEFAULT_CONFIG
- HASH_CONFIG_FILE
- NOOP_CONFIGURATION
Attributes
Public Class Methods
Public: Set the global default configuration.
Optionally supply a block to override the defaults set by this library.
Returns the newly created config.
# File lib/secure_headers/configuration.rb, line 15 def default(&block) config = new(&block) add_noop_configuration add_configuration(DEFAULT_CONFIG, config) end
Public: retrieve a global configuration object
Returns the configuration with a given name or raises a NotYetConfiguredError if `default` has not been called.
# File lib/secure_headers/configuration.rb, line 42 def get(name = DEFAULT_CONFIG) if @configurations.nil? raise NotYetConfiguredError, "Default policy not yet supplied" end @configurations[name] end
# File lib/secure_headers/configuration.rb, line 54 def named_append(name, target = nil, &block) @appends ||= {} raise "Provide a configuration block" unless block_given? @appends[name] = block end
# File lib/secure_headers/configuration.rb, line 49 def named_appends(name) @appends ||= {} @appends[name] end
# File lib/secure_headers/configuration.rb, line 132 def initialize(&block) self.hpkp = OPT_OUT self.referrer_policy = OPT_OUT self.csp = self.class.send(:deep_copy, CSP::DEFAULT_CONFIG) instance_eval &block if block_given? end
Public: create a named configuration that overrides the default config.
name - use an idenfier for the override config. base - override another existing config, or override the default config if no value is supplied.
Returns: the newly created config
# File lib/secure_headers/configuration.rb, line 29 def override(name, base = DEFAULT_CONFIG, &block) unless get(base) raise NotYetConfiguredError, "#{base} policy not yet supplied" end override = @configurations[base].dup override.instance_eval &block if block_given? add_configuration(name, override) end
Private Class Methods
Private: add a valid configuration to the global set of named configs.
config - the config to store name - the lookup value for this config
Raises errors if the config is invalid or if a config named `name` already exists.
Returns the config, if valid
# File lib/secure_headers/configuration.rb, line 71 def add_configuration(name, config) config.validate_config! @configurations ||= {} config.send(:cache_headers!) config.send(:cache_hpkp_report_host) config.freeze @configurations[name] = config end
Private: Automatically add an “opt-out of everything” override.
Returns the noop config
# File lib/secure_headers/configuration.rb, line 83 def add_noop_configuration noop_config = new do |config| ALL_HEADER_CLASSES.each do |klass| config.send("#{klass::CONFIG_KEY}=", OPT_OUT) end config.dynamic_csp = OPT_OUT end add_configuration(NOOP_CONFIGURATION, noop_config) end
Public: perform a basic deep dup. The shallow copy provided by dup/clone can lead to modifying parent objects.
# File lib/secure_headers/configuration.rb, line 96 def deep_copy(config) config.each_with_object({}) do |(key, value), hash| hash[key] = if value.is_a?(Array) value.dup else value end end end
Private: convenience method purely DRY things up. The value may not be a hash (e.g. OPT_OUT, nil)
# File lib/secure_headers/configuration.rb, line 108 def deep_copy_if_hash(value) if value.is_a?(Hash) deep_copy(value) else value end end
Public Instance Methods
# File lib/secure_headers/configuration.rb, line 183 def current_csp @dynamic_csp || @csp end
Public: copy everything but the cached headers
Returns a deep-dup'd copy of this configuration.
# File lib/secure_headers/configuration.rb, line 142 def dup copy = self.class.new copy.cookies = @cookies copy.csp = self.class.send(:deep_copy_if_hash, @csp) copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp) copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers) copy.x_content_type_options = @x_content_type_options copy.hsts = @hsts copy.x_frame_options = @x_frame_options copy.x_xss_protection = @x_xss_protection copy.x_download_options = @x_download_options copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies copy.referrer_policy = @referrer_policy copy.hpkp = @hpkp copy.hpkp_report_host = @hpkp_report_host copy end
# File lib/secure_headers/configuration.rb, line 160 def opt_out(header) send("#{header}=", OPT_OUT) if header == CSP::CONFIG_KEY dynamic_csp = OPT_OUT end self.cached_headers.delete(header) end
Public: generated cached headers for a specific user agent.
# File lib/secure_headers/configuration.rb, line 174 def rebuild_csp_header_cache!(user_agent) self.cached_headers[CSP::CONFIG_KEY] = {} unless current_csp == OPT_OUT user_agent = UserAgent.parse(user_agent) variation = CSP.ua_to_variation(user_agent) self.cached_headers[CSP::CONFIG_KEY][variation] = CSP.make_header(current_csp, user_agent) end end
# File lib/secure_headers/configuration.rb, line 168 def update_x_frame_options(value) @x_frame_options = value self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value) end
Public: validates all configurations values.
Raises various configuration errors if any invalid config is detected.
Returns nothing
# File lib/secure_headers/configuration.rb, line 192 def validate_config! StrictTransportSecurity.validate_config!(@hsts) ContentSecurityPolicy.validate_config!(@csp) ReferrerPolicy.validate_config!(@referrer_policy) XFrameOptions.validate_config!(@x_frame_options) XContentTypeOptions.validate_config!(@x_content_type_options) XXssProtection.validate_config!(@x_xss_protection) XDownloadOptions.validate_config!(@x_download_options) XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies) PublicKeyPins.validate_config!(@hpkp) Cookie.validate_config!(@cookies) end
Protected Instance Methods
# File lib/secure_headers/configuration.rb, line 224 def cached_headers=(headers) @cached_headers = headers end
# File lib/secure_headers/configuration.rb, line 212 def csp=(new_csp) if self.dynamic_csp raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= instead." end @csp = self.class.send(:deep_copy_if_hash, new_csp) end
# File lib/secure_headers/configuration.rb, line 228 def hpkp=(hpkp) @hpkp = self.class.send(:deep_copy_if_hash, hpkp) end
# File lib/secure_headers/configuration.rb, line 232 def hpkp_report_host=(hpkp_report_host) @hpkp_report_host = hpkp_report_host end
Private Instance Methods
Public: Precompute the header names and values for this configuraiton. Ensures that headers generated at configure time, not on demand.
Returns the cached headers
# File lib/secure_headers/configuration.rb, line 250 def cache_headers! # generate defaults for the "easy" headers headers = (ALL_HEADERS_BESIDES_CSP).each_with_object({}) do |klass, hash| config = instance_variable_get("@#{klass::CONFIG_KEY}") unless config == OPT_OUT hash[klass::CONFIG_KEY] = klass.make_header(config).freeze end end generate_csp_headers(headers) headers.freeze self.cached_headers = headers end
# File lib/secure_headers/configuration.rb, line 238 def cache_hpkp_report_host has_report_uri = @hpkp && @hpkp != OPT_OUT && @hpkp[:report_uri] self.hpkp_report_host = if has_report_uri parsed_report_uri = URI.parse(@hpkp[:report_uri]) parsed_report_uri.host end end
Private: adds CSP headers for each variation of CSP support.
headers - generated headers are added to this hash namespaced by The
different variations
Returns nothing
# File lib/secure_headers/configuration.rb, line 271 def generate_csp_headers(headers) unless @csp == OPT_OUT headers[CSP::CONFIG_KEY] = {} csp_config = self.current_csp CSP::VARIATIONS.each do |name, _| csp = CSP.make_header(csp_config, UserAgent.parse(name)) headers[CSP::CONFIG_KEY][name] = csp.freeze end end end