Package gem-secure-headers: Information

    Source package: gem-secure-headers
    Version: 6.3.2-alt1
    Build time:  Sep 18, 2023, 11:38 PM in the task #307833
    Category: Development/Ruby
    License: Apache Public License 2.0
    Summary: Manages application of security headers with many safe defaults
    Description: 
    main branch represents 6.x line. See the upgrading to 4.x doc, upgrading to 5.x
    doc, or upgrading to 6.x doc for instructions on how to upgrade. Bug fixes
    should go in the 5.x branch for now.
    
    The gem will automatically apply several headers that are related to security.
    This includes:
    
    * Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and
      other classes of attack. CSP 2 Specification
      * https://csp.withgoogle.com
      * https://csp.withgoogle.com/docs/strict-csp.html
      * https://csp-evaluator.withgoogle.com
    * HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the
      http version of a website. Protects from SSLStrip/Firesheep attacks. HSTS
      Specification
    * X-Frame-Options (XFO) - Prevents your content from being framed and
      potentially clickjacked. X-Frame-Options Specification
    * X-XSS-Protection - Cross site scripting heuristic filter for IE/Chrome
    * X-Content-Type-Options - Prevent content type sniffing
    * X-Download-Options - Prevent file downloads opening
    * X-Permitted-Cross-Domain-Policies - Restrict Adobe Flash Player's access to
      data
    * Referrer-Policy - Referrer Policy draft
    * Expect-CT - Only use certificates that are present in the certificate
      transparency logs. Expect-CT draft specification.
    * Clear-Site-Data - Clearing browser data for origin. Clear-Site-Data
      specification.
    
    It can also mark all HTTP cookies with the Secure, HttpOnly and SameSite
    attributes. This is on by default but can be turned off by using
    'config.cookies = SecureHeaders::OPT_OUT'.
    
    secure_headers is a library with a global config, per-request overrides, and
    Rack middleware that enables you to customize your application settings.

    List of rpms provided by this srpm:
    gem-secure-headers (noarch)
    gem-secure-headers-devel (noarch)
    gem-secure-headers-doc (noarch)


    List of contributors:
    Pavel Skrylev
    Andrey Cherepanov

      1. rpm-build-ruby
      2. gem(rake) >= 0

    Last changed


    Sept. 2, 2021 Pavel Skrylev 6.3.2-alt1
    - ^ 6.3.0 -> 6.3.2
    May 6, 2020 Pavel Skrylev 6.3.0-alt1.1
    - ! spec obsoletes/provides
    March 5, 2020 Pavel Skrylev 6.3.0-alt1
    - updated (^) 6.1.1 -> 6.3.0
    - fixed (!) spec