Class: Tep::Security::Headers

Inherits: Filter < Object

Defined in: lib/tep/security.rb

Overview

Default-secure response headers. Mirrors what rack-protection sets out of the box, minus the parts that need stateful middleware (CSRF token threading is its own feature; tep handlers can opt in with `<form><input type="hidden" name="_csrf" value="..."></form>` + a session check on POST routes).

Headers set:

X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 0      (modern browsers ignore; "0"
                          is current OWASP guidance over
                          "1; mode=block" which causes
                          reflected XSS injection bugs)

Optional, off by default:

Strict-Transport-Security
  -- enable via `set_hsts(seconds)`. Setting on plain HTTP
     is ineffective; only emit when you've actually got
     TLS termination upstream.

Wiring: register as an `after` filter so it runs after the handler, which may already have set its own Content-Type or overridden any of these headers; the filter only fills in headers the handler left unset.
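The wiring note and the HSTS caveat above, exercised end to end as an added example (this is not tep's own code). It stubs a `Filter` base class with `before`/`after` hooks, a `Request` with a `scheme` and a `Response` whose `headers` is a plain Hash (all assumptions about tep's shapes, so it runs offline), reproduces the documented `Headers` behaviour in condensed form, dispatches a constructed handler through the filter to show that a handler-set `X-Frame-Options: DENY` survives, and adds a defender-side `audit_headers` check that flags missing defaults, a legacy `X-XSS-Protection` value, and HSTS sent over plain HTTP:

```ruby
# Added example (not tep's own code): stub Filter/Request/Response so the
# filter can be exercised offline, a condensed Headers class equivalent to the
# documented source, a minimal dispatch loop, and a defender-side audit.
module Tep
  # Assumed shape of the Filter base class: before/after hooks returning 0.
  class Filter
    def before(_req, _res); 0; end
    def after(_req, _res); 0; end
  end

  # Assumed request/response shapes; only `scheme` and `headers` are used.
  class Request
    attr_reader :scheme
    def initialize(scheme: "https"); @scheme = scheme; end
  end

  class Response
    attr_reader :headers
    attr_accessor :body
    def initialize; @headers = {}; @body = ""; end
  end

  module Security
    class Headers < Filter
      DEFAULTS = {
        "X-Content-Type-Options" => "nosniff",
        "X-Frame-Options"        => "SAMEORIGIN",
        "Referrer-Policy"        => "strict-origin-when-cross-origin",
        "X-XSS-Protection"       => "0",
      }.freeze

      attr_accessor :hsts_seconds
      def initialize; @hsts_seconds = 0; end
      def set_hsts(seconds); @hsts_seconds = seconds; end

      # Same behaviour as the documented #after: fill in only what the handler
      # left unset, and emit HSTS only once set_hsts has been called.
      def after(_req, res)
        DEFAULTS.each { |k, v| res.headers[k] = v unless res.headers.key?(k) }
        if @hsts_seconds > 0 && !res.headers.key?("Strict-Transport-Security")
          res.headers["Strict-Transport-Security"] =
            "max-age=#{@hsts_seconds}; includeSubDomains"
        end
        0
      end
    end
  end
end

# Dispatch order the wiring note relies on: before filters, handler, after filters.
def run_request(handler, filters, scheme: "https")
  req = Tep::Request.new(scheme: scheme)
  res = Tep::Response.new
  filters.each { |f| f.before(req, res) }
  handler.call(req, res)
  filters.each { |f| f.after(req, res) }
  res
end

# Audit a finished response: which defaults are missing, whether the legacy
# XSS filter is switched on, and whether HSTS is being sent over plain HTTP.
def audit_headers(req, headers)
  findings = Tep::Security::Headers::DEFAULTS.keys
                .reject { |k| headers.key?(k) }
                .map { |k| "#{k} missing" }
  if headers["X-XSS-Protection"].to_s.start_with?("1")
    findings << 'X-XSS-Protection enables the legacy filter; send "0"'
  end
  if headers.key?("Strict-Transport-Security") && req.scheme != "https"
    findings << "Strict-Transport-Security over plain HTTP is ineffective"
  end
  findings
end

# Constructed handler: sets its own Content-Type and a stricter X-Frame-Options,
# which the after-filter must leave alone.
HTML_HANDLER = lambda do |_req, res|
  res.headers["Content-Type"] = "text/html; charset=utf-8"
  res.headers["X-Frame-Options"] = "DENY"
  res.body = "<h1>hello</h1>"
end

if __FILE__ == $PROGRAM_NAME
  filter = Tep::Security::Headers.new
  filter.set_hsts(31_536_000)
  res = run_request(HTML_HANDLER, [filter])
  res.headers.each { |k, v| puts "#{k}: #{v}" }
  p audit_headers(Tep::Request.new(scheme: "http"),
                  { "X-XSS-Protection" => "1; mode=block" })
end
```

Running the file prints the merged header set (the handler's `DENY` kept, the three remaining defaults filled in, HSTS present because `set_hsts` was called) and then the audit findings for a constructed bad response. The audit is deliberately separate from the filter: it is the check you would run against responses from any stack, not only ones that went through `Tep::Security::Headers`.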

Instance Attribute Summary

Instance Method Summary

Methods inherited from Filter

#before

Constructor Details

#initialize ⇒ Headers

Returns a new instance of Headers.



# File 'lib/tep/security.rb', line 112

def initialize
  @hsts_seconds = 0
end

Instance Attribute Details

#hsts_seconds ⇒ Object

Returns the value of attribute hsts_seconds.



# File 'lib/tep/security.rb', line 110

def hsts_seconds
  @hsts_seconds
end

Instance Method Details

#after(req, res) ⇒ Object



# File 'lib/tep/security.rb', line 118

def after(req, res)
  # Only fill in headers the handler has not already set, so a stricter
  # handler-chosen value (e.g. X-Frame-Options: DENY) is never overwritten.
  if !res.headers.key?("X-Content-Type-Options")
    res.headers["X-Content-Type-Options"] = "nosniff"
  end
  if !res.headers.key?("X-Frame-Options")
    res.headers["X-Frame-Options"] = "SAMEORIGIN"
  end
  if !res.headers.key?("Referrer-Policy")
    res.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
  end
  if !res.headers.key?("X-XSS-Protection")
    res.headers["X-XSS-Protection"] = "0"
  end
  # HSTS is off until set_hsts(seconds) is called with a positive value.
  if @hsts_seconds > 0 && !res.headers.key?("Strict-Transport-Security")
    res.headers["Strict-Transport-Security"] =
      "max-age=" + @hsts_seconds.to_s + "; includeSubDomains"
  end
  0
end

#set_hsts(seconds) ⇒ Object



# File 'lib/tep/security.rb', line 116

def set_hsts(seconds); @hsts_seconds = seconds; end