Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update secure headers #1341

Closed
wants to merge 2 commits into from
Closed

Update secure headers #1341

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1dbabf2
update secure headers
colinxfleming Jan 2, 2018
f872dbc
merge conflix
colinxfleming Jan 2, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Gemfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ gem 'rack-attack', '~> 5.0.1'
gem 'rack-test', '~> 0.6.3', require: 'rack/test'
gem 'clinic_finder', '~> 0.0.1'
gem 'geokit'
gem 'secure_headers', '~> 3.6', '>= 3.6.4'
gem 'secure_headers', '~> 5'

group :development do
gem 'pry'
Expand Down
78 changes: 40 additions & 38 deletions Gemfile.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 +47,8 @@ GEM
i18n (~> 0.7)
minitest (~> 5.1)
tzinfo (~> 1.1)
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
addressable (2.5.1)
public_suffix (~> 2.0, >= 2.0.2)
afm (0.2.2)
arel (8.0.0)
ast (2.3.0)
Expand All @@ -61,32 +61,32 @@ GEM
bootstrap_form (2.7.0)
bootstrap_form-datetimepicker (0.0.1)
bootstrap_form
brakeman (4.1.1)
brakeman (3.7.0)
bson (4.2.2)
bson_ext (1.5.1)
builder (3.2.3)
bundler-audit (0.6.0)
bundler-audit (0.5.0)
bundler (~> 1.2)
thor (~> 0.18)
byebug (9.1.0)
capybara (2.16.1)
byebug (9.0.6)
capybara (2.15.0)
addressable
mini_mime (>= 0.1.3)
nokogiri (>= 1.3.3)
rack (>= 1.0.0)
rack-test (>= 0.5.4)
xpath (~> 2.0)
capybara-screenshot (1.0.18)
capybara-screenshot (1.0.17)
capybara (>= 1.0, < 3)
launchy
childprocess (0.8.0)
childprocess (0.7.1)
ffi (~> 1.0, >= 1.0.11)
clinic_finder (0.0.1)
codecov (0.1.10)
json
simplecov
url
coderay (1.1.2)
coderay (1.1.1)
coffee-rails (4.2.2)
coffee-script (>= 2.2.0)
railties (>= 4.0.0)
Expand All @@ -95,7 +95,7 @@ GEM
execjs
coffee-script-source (1.12.2)
concurrent-ruby (1.0.5)
database_cleaner (1.6.2)
database_cleaner (1.6.1)
devise (4.3.0)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
Expand All @@ -113,8 +113,8 @@ GEM
factory_bot_rails (4.8.2)
factory_bot (~> 4.8.2)
railties (>= 3.0.0)
faker (1.8.7)
i18n (>= 0.7)
faker (1.8.4)
i18n (~> 0.5)
faraday (0.12.2)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
Expand All @@ -130,8 +130,7 @@ GEM
request_store (>= 1.0)
hashery (2.1.2)
hashie (3.5.6)
i18n (0.9.1)
concurrent-ruby (~> 1.0)
i18n (0.8.6)
jbuilder (2.7.0)
activesupport (>= 4.2.0)
multi_json (>= 1.2)
Expand All @@ -146,7 +145,7 @@ GEM
sprockets-rails
json (1.8.6)
jwt (1.5.6)
knapsack (1.15.0)
knapsack (1.14.0)
rake
launchy (2.4.3)
addressable (~> 2.3)
Expand All @@ -159,16 +158,16 @@ GEM
nokogiri (>= 1.5.9)
mail (2.6.6)
mime-types (>= 1.16, < 4)
method_source (0.9.0)
method_source (0.8.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_backtrace (0.1.3)
minitest (> 1.2.0)
rails (>= 2.3.3)
mini_mime (1.0.0)
mini_mime (0.1.3)
mini_portile2 (2.3.0)
minitest (5.11.0)
minitest (5.10.3)
minitest-spec-rails (5.4.0)
minitest (~> 5.0)
rails (>= 4.1)
Expand Down Expand Up @@ -211,9 +210,9 @@ GEM
oauth2 (~> 1.0)
omniauth (~> 1.2)
orm_adapter (0.5.0)
parallel (1.12.1)
parser (2.4.0.2)
ast (~> 2.3)
parallel (1.12.0)
parser (2.4.0.0)
ast (~> 2.2)
pdf-core (0.7.0)
pdf-inspector (1.3.0)
pdf-reader (>= 1.0, < 3.0.a)
Expand All @@ -227,10 +226,11 @@ GEM
prawn (2.2.2)
pdf-core (~> 0.7.0)
ttfunk (~> 1.5)
pry (0.11.3)
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
public_suffix (3.0.1)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (2.0.5)
puma (3.9.1)
rack (2.0.3)
rack-attack (5.0.1)
Expand Down Expand Up @@ -260,8 +260,9 @@ GEM
method_source
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rainbow (3.0.0)
rake (12.3.0)
rainbow (2.2.2)
rake
rake (12.0.0)
rb-fsevent (0.10.2)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
Expand All @@ -273,17 +274,17 @@ GEM
responders (2.4.0)
actionpack (>= 4.2.0, < 5.3)
railties (>= 4.2.0, < 5.3)
rubocop (0.52.1)
rubocop (0.49.1)
parallel (~> 1.10)
parser (>= 2.4.0.2, < 3.0)
parser (>= 2.3.3.1, < 3.0)
powerpack (~> 0.1)
rainbow (>= 2.2.2, < 4.0)
rainbow (>= 1.99.1, < 3.0)
ruby-progressbar (~> 1.7)
unicode-display_width (~> 1.0, >= 1.0.1)
ruby-progressbar (1.9.0)
ruby-progressbar (1.8.1)
ruby-rc4 (0.1.5)
ruby_audit (1.2.0)
bundler-audit (~> 0.6.0)
ruby_audit (1.1.0)
bundler-audit (~> 0.5.0)
ruby_dep (1.5.0)
rubyzip (1.2.1)
sass (3.5.1)
Expand All @@ -300,19 +301,20 @@ GEM
sdoc (0.4.2)
json (~> 1.7, >= 1.7.7)
rdoc (~> 4.0)
secure_headers (3.6.7)
useragent
selenium-webdriver (3.8.0)
secure_headers (5.0.4)
useragent (>= 0.15.0)
selenium-webdriver (3.5.0)
childprocess (~> 0.5)
rubyzip (~> 1.0)
shoulda-context (1.2.2)
simplecov (0.15.1)
simplecov (0.14.1)
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.2)
simplecov-html (0.10.1)
skylight (1.3.1)
activesupport (>= 3.0.0)
slop (3.6.0)
spring (2.0.2)
activesupport (>= 4.2)
sprockets (3.7.1)
Expand Down Expand Up @@ -406,7 +408,7 @@ DEPENDENCIES
ruby_audit
sass-rails (~> 5.0)
sdoc (~> 0.4.0)
secure_headers (~> 3.6, >= 3.6.4)
secure_headers (~> 5)
selenium-webdriver
shoulda-context
simplecov
Expand Down
4 changes: 2 additions & 2 deletions config/initializers/csp.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,10 @@
config.csp = {
preserve_schemes: true, # default: false.
default_src: %w('self'),
script_src: ["'self'", "'unsafe-eval'", gon_gem_sha, popover_sha],
script_src: ["'self'", "'unsafe-eval'", gon_gem_sha, popover_sha, 'https'],
font_src: %w('self' fonts.gstatic.com),
connect_src: %w('self'),
style_src: %w('self' 'unsafe-inline'),
style_src: %w('self' 'unsafe-inline' https),
report_uri: ["https://#{ENV['CSP_VIOLATION_URI']}/csp/reportOnly"]
}
end