nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add secure_header gem to add some security related headers

Browse source 
basic config for Content Security Policies
This commit is contained in:
Benjamin Neff 2016-09-08 02:00:34 +02:00 committed by Dennis Schubert
parent 35aa0badc5
commit 4da1c78bb7
No known key found for this signature in database
GPG key ID: 5A0304BEA7966D7E
4 changed files with 27 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
Gemfile
View file

@ -137,6 +137,10 @@ gem "twitter-text", "1.14.0"
gem "ruby-oembed", "0.10.1" gem "ruby-oembed", "0.10.1"
gem "open_graph_reader", "0.6.1" gem "open_graph_reader", "0.6.1"
# Security Headers
gem "secure_headers", "3.4.1"
# Services # Services
gem "omniauth", "1.3.1" gem "omniauth", "1.3.1"
@ -211,10 +215,6 @@ group :production do # we don"t install these on travis to speed up test runs
gem "rack-google-analytics", "1.2.0" gem "rack-google-analytics", "1.2.0"
gem "rack-piwik", "0.3.0", require: "rack/piwik" gem "rack-piwik", "0.3.0", require: "rack/piwik"
# Click-jacking protection
gem "rack-protection", "1.5.3"
# Process management # Process management
gem "eye", "0.8.1" gem "eye", "0.8.1"

5
Gemfile.lock
View file

@ -780,6 +780,8 @@ GEM
scss_lint (0.49.0) scss_lint (0.49.0)
rake (>= 0.9, < 12) rake (>= 0.9, < 12)
sass (~> 3.4.20) sass (~> 3.4.20)
secure_headers (3.4.1)
useragent
securecompare (1.0.0) securecompare (1.0.0)
shellany (0.0.1) shellany (0.0.1)
shoulda-matchers (3.1.1) shoulda-matchers (3.1.1)
@ -877,6 +879,7 @@ GEM
get_process_mem (~> 0) get_process_mem (~> 0)
unicorn (>= 4, < 6) unicorn (>= 4, < 6)
url_safe_base64 (0.2.2) url_safe_base64 (0.2.2)
useragent (0.16.8)
uuid (2.3.8) uuid (2.3.8)
macaddr (~> 1.0) macaddr (~> 1.0)
valid (1.2.0) valid (1.2.0)
@ -993,7 +996,6 @@ DEPENDENCIES
rack-cors (= 0.4.0) rack-cors (= 0.4.0)
rack-google-analytics (= 1.2.0) rack-google-analytics (= 1.2.0)
rack-piwik (= 0.3.0) rack-piwik (= 0.3.0)
rack-protection (= 1.5.3)
rack-rewrite (= 1.5.1) rack-rewrite (= 1.5.1)
rack-ssl (= 1.4.1) rack-ssl (= 1.4.1)
rails (= 4.2.7.1) rails (= 4.2.7.1)
@ -1026,6 +1028,7 @@ DEPENDENCIES
ruby-oembed (= 0.10.1) ruby-oembed (= 0.10.1)
rubyzip (= 1.2.0) rubyzip (= 1.2.0)
sass-rails (= 5.0.6) sass-rails (= 5.0.6)
secure_headers (= 3.4.1)
shoulda-matchers (= 3.1.1) shoulda-matchers (= 3.1.1)
sidekiq (= 4.1.4) sidekiq (= 4.1.4)
sidekiq-cron (= 0.4.2) sidekiq-cron (= 0.4.2)

1
config.ru
View file

@ -17,6 +17,5 @@ if defined?(Unicorn)
end end
use Rack::Deflater use Rack::Deflater
use Rack::InternetExplorerVersion, minimum: 9 use Rack::InternetExplorerVersion, minimum: 9
use Rack::Protection::FrameOptions
run Diaspora::Application run Diaspora::Application

19
config/initializers/secure_headers.rb Normal file
View file

@ -0,0 +1,19 @@
SecureHeaders::Configuration.default do |config|
config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL
config.csp = {
default_src: %w('none'),
child_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
www.instagram.com),
connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
font_src: %w('self'),
form_action: %w('self' platform.twitter.com syndication.twitter.com),
frame_ancestors: %w('self'),
img_src: %w('self' data: *),
media_src: %w(https:),
script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
embedr.flickr.com platform.instagram.com),
style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
}
end