Class: Tina4::SecurityHeadersMiddleware

Inherits:
  • Object
Defined in:
lib/tina4/middleware.rb

Overview

SecurityHeadersMiddleware – injects security headers on every response. It is configured via the following environment variables:

TINA4_FRAME_OPTIONS       — X-Frame-Options (default: SAMEORIGIN)
TINA4_HSTS                — Strict-Transport-Security max-age (default: "" = off)
TINA4_CSP                 — Content-Security-Policy (default: "default-src 'self'")
TINA4_REFERRER_POLICY     — Referrer-Policy (default: strict-origin-when-cross-origin)
TINA4_PERMISSIONS_POLICY  — Permissions-Policy (default: camera=(), microphone=(), geolocation=())

Class Method Summary

  • .before_security(request, response) ⇒ Object

Class Method Details

.before_security(request, response) ⇒ Object

# File 'lib/tina4/middleware.rb', line 427

def before_security(request, response)
  # Clickjacking defence: only same-origin frames may embed the page unless overridden
  response.headers["X-Frame-Options"] = ENV["TINA4_FRAME_OPTIONS"] || "SAMEORIGIN"
  # Stop browsers MIME-sniffing a response away from its declared Content-Type
  response.headers["X-Content-Type-Options"] = "nosniff"

  # HSTS stays off unless TINA4_HSTS carries a max-age in seconds
  hsts = ENV["TINA4_HSTS"] || ""
  unless hsts.empty?
    response.headers["Strict-Transport-Security"] = "max-age=#{hsts}; includeSubDomains"
  end

  response.headers["Content-Security-Policy"] = ENV["TINA4_CSP"] || "default-src 'self'"
  response.headers["Referrer-Policy"] = ENV["TINA4_REFERRER_POLICY"] || "strict-origin-when-cross-origin"
  # "0" explicitly disables the legacy browser XSS auditor, which is the current recommendation
  response.headers["X-XSS-Protection"] = "0"
  response.headers["Permissions-Policy"] = ENV["TINA4_PERMISSIONS_POLICY"] || "camera=(), microphone=(), geolocation=()"

  [request, response]
end
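The following is an added example, not part of Tina4's own code: it builds the header set the middleware above would emit for a given environment (build_headers mirrors the page's env-driven logic but takes the env as a plain hash, so nothing touches ENV), then audits the result from a defender's viewpoint, flagging missing or weak values such as an unset TINA4_HSTS, a short max-age, or a CSP whose effective script-src permits inline or wildcard scripts. The check names (audit_security_headers, parse_csp, ONE_YEAR) and the sample environments are constructed for this example.

```ruby
# Added example (not Tina4's code). Mirrors the env-driven header injection
# documented above and audits the resulting headers for a hardened baseline.

ONE_YEAR = 31_536_000 # seconds; common minimum for an HSTS max-age

# Same header logic as Tina4::SecurityHeadersMiddleware.before_security, but the
# environment is passed in as a hash so the example runs without touching ENV.
def build_headers(env)
  headers = {}
  headers["X-Frame-Options"] = env["TINA4_FRAME_OPTIONS"] || "SAMEORIGIN"
  headers["X-Content-Type-Options"] = "nosniff"
  hsts = env["TINA4_HSTS"] || ""
  headers["Strict-Transport-Security"] = "max-age=#{hsts}; includeSubDomains" unless hsts.empty?
  headers["Content-Security-Policy"] = env["TINA4_CSP"] || "default-src 'self'"
  headers["Referrer-Policy"] = env["TINA4_REFERRER_POLICY"] || "strict-origin-when-cross-origin"
  headers["X-XSS-Protection"] = "0"
  headers["Permissions-Policy"] = env["TINA4_PERMISSIONS_POLICY"] || "camera=(), microphone=(), geolocation=()"
  headers
end

# Parse a CSP string into { directive => [sources] }, e.g.
# "default-src 'self'; img-src *" => {"default-src"=>["'self'"], "img-src"=>["*"]}
def parse_csp(csp)
  csp.to_s.split(";").each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    acc[name] = sources unless name.nil? || name.empty?
  end
end

# Return a list of findings; an empty list means the baseline is met.
# https: false skips the HSTS check, since the header only matters on TLS responses.
def audit_security_headers(headers, https: true)
  findings = []

  unless %w[DENY SAMEORIGIN].include?(headers["X-Frame-Options"].to_s.upcase)
    findings << "X-Frame-Options missing or permissive"
  end
  findings << "X-Content-Type-Options is not nosniff" unless headers["X-Content-Type-Options"] == "nosniff"

  csp = parse_csp(headers["Content-Security-Policy"])
  if csp.empty?
    findings << "Content-Security-Policy missing"
  else
    # script-src falls back to default-src when absent, so audit the effective value
    script_sources = csp["script-src"] || csp["default-src"] || []
    if script_sources.include?("'unsafe-inline'") || script_sources.include?("*")
      findings << "Content-Security-Policy allows inline or wildcard scripts"
    end
  end

  referrer = headers["Referrer-Policy"].to_s
  findings << "Referrer-Policy missing or leaks full URLs" if referrer.empty? || referrer == "unsafe-url"
  findings << "Permissions-Policy missing" if headers["Permissions-Policy"].to_s.empty?
  findings << "X-XSS-Protection should be 0 (legacy filter disabled)" unless headers["X-XSS-Protection"] == "0"

  if https
    # Accept only a numeric max-age; anything else is treated as missing/malformed
    max_age = headers["Strict-Transport-Security"].to_s[/max-age=(\d+)/, 1]
    if max_age.nil?
      findings << "Strict-Transport-Security missing or malformed max-age"
    elsif max_age.to_i < ONE_YEAR
      findings << "Strict-Transport-Security max-age below one year"
    end
  end

  findings
end

if $PROGRAM_NAME == __FILE__
  # Constructed environments: the documented defaults, then defaults plus a one-year HSTS
  puts "defaults:  #{audit_security_headers(build_headers({})).inspect}"
  puts "with HSTS: #{audit_security_headers(build_headers({ "TINA4_HSTS" => "31536000" })).inspect}"
end
```

With the documented defaults the only finding on an HTTPS deployment is the absent Strict-Transport-Security header, which is exactly what the TINA4_HSTS default of "" (off) produces; setting TINA4_HSTS to 31536000 clears it. The CSP check audits the effective script policy rather than grepping the whole string, so a relaxed default-src paired with a strict script-src is not flagged.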