Description
Rack::ContentSecurityPolicy is a Rack middleware that makes it easy for your Rack based application (Sinatra, Rails) to serve Content Security Policy headers for HTML pages.
This middleware was inspired by the p0deje/content-security-policy middleware and borrows quite a bit of code from that gem. This gem also makes extensive use of the contracts gem to enforce strict type checking and validation on all inputs and outputs. It is designed to fail-fast on errors.
It provides full support for Content Security Policy Level 1/2/3 directives.
Rack::ContentSecurityPolicy alternatives and similar gems
Based on the "Security" category.
Alternatively, view Rack::ContentSecurityPolicy alternatives based on common mentions on social networks and blogs.
-
-
-
Brakeman
A static analysis security vulnerability scanner for Ruby on Rails applications -
Gitrob
Reconnaissance tool for GitHub organizations -
Rack::Attack
Rack middleware for blocking & throttling -
SecureHeaders
Manages application of security headers with many safe defaults -
bundler-audit
Patch-level verification for Bundler -
Bearer
Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks. -
RbNaCl
Ruby FFI binding to the Networking and Cryptography (NaCl) library (a.k.a. libsodium) -
Hashids
A small Ruby gem to generate YouTube-like hashes from one or many numbers. Use hashids when you do not want to expose your database ids to the user. -
Rack::Protection
NOTE: This project has been merged upstream to sinatra/sinatra -
Ronin
Ronin is a Free and Open Source Ruby Toolkit for Security Research and Development. Ronin also allows for the rapid development and distribution of code, exploits, payloads, etc, via 3rd party git repositories. -
Rack::UTF8Sanitizer
Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers. -
ActiveHashcash
Protect Rails applications against bots and brute force attacks without annoying humans. -
Clamby
ClamAV interface to your Ruby on Rails project. -
ronin-exploits
A Ruby micro-framework for writing and running exploits -
ronin-vulns
Tests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), and Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects. -
SiRP
Secure (interoperable) Remote Password Auth (SRP-6a) -
TSS - Threshold Secret Sharing
A Ruby implementation of Threshold Secret Sharing (Shamir) as defined in IETF Internet-Draft draft-mcgrew-tss-03.txt -
Active Entry
A flexible access control system for your Rails app -
Rack::JsonWebTokenAuth
Rack middleware for authentication using JSON Web Tokens (JWT) -
sessionKeys
A tool for the deterministic generation of unique user IDs, and NaCl cryptographic keys from a single username and high entropy passphrase.
InfluxDB - Power Real-Time Data Analytics at Scale
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of Rack::ContentSecurityPolicy or a related project?
|
WorkOS - The modern identity platform for B2B SaaS
sponsored
workos.com
|
Popular Comparisons
-
Rack::ContentSecurityPolicyvsSecureHeaders
-
Rack::ContentSecurityPolicyvsBrakeman
-
Rack::ContentSecurityPolicyvsMetasploit
-
Rack::ContentSecurityPolicyvsClamby
-
Rack::ContentSecurityPolicyvsRack::JsonWebTokenAuth
|
SaaSHub - Software Alternatives and Reviews
sponsored
www.saashub.com
|
README
Rack::ContentSecurityPolicy
About
Rack::ContentSecurityPolicy is a Rack middleware that makes it easy for your
Rack based application (Sinatra, Rails) to serve an Content-Security-Policy or
Content-Security-Policy-Report-Only header.
This middleware was inspired by the p0deje/content-security-policy middleware and borrows quite a bit of code from that gem. This gem also makes extensive use of the contracts gem to enforce strict type checking and validation on all inputs and outputs. It is designed to fail-fast on errors.
It provides full support for Content Security Policy Level 1/2/3 directives.
Installation
Add this line to your application's Gemfile:
gem 'rack-content_security_policy', '~> 0.1'
And then execute:
$ bundle install
Or install it directly with:
$ gem install rack-content_security_policy
Usage
This middleware can be configured with a block or a hash of config options. It accepts two primary configuration options:
report_only: booleantrueorfalse. Returns aContent-Security-Policy-Report-Onlyheader instead ofContent-Security-Policywhentrue. Defaults to true.directives: A collection of valid CSP directives provided as key/value pairs. The key must be a lowercase String and must be comprised of the characters [a-z] and the-. The value must also be a String but is not limited to remain flexible as the CSP standards evolve. You can use conditional statements within the configuration block to set values dynamically at startup time. Defaults to an empty config that you must configure. An empty config will raise an exception.
Note that certain CSP directives, such as upgrade-insecure-requests, do not
take any arguments. For those, just set the value to true.
Learn more about the Content Security Policy at the following sites:
- W3C CSP Level 1 (deprecated) : https://www.w3.org/TR/CSP1/
- W3C CSP Level 2 (current) : https://www.w3.org/TR/CSP2/
- W3C CSP Level 3 (draft) : https://www.w3.org/TR/CSP3/
- https://developer.mozilla.org/en-US/docs/Web/Security/CSP
- http://caniuse.com/#search=ContentSecurityPolicy
- http://content-security-policy.com/
- https://securityheaders.io
- https://scotthelme.co.uk/csp-cheat-sheet/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://hacks.mozilla.org/2016/02/implementing-content-security-policy/
Block Configuration Example
require 'rack/content_security_policy'
Rack::ContentSecurityPolicy.configure do |d|
d.report_only = false
d['default-src'] = "'none'"
d['script-src'] = "'self'"
d['upgrade-insecure-requests'] = true
end
use Rack::ContentSecurityPolicy
Hash Configuration Example
require 'rack/content_security_policy'
use Rack::ContentSecurityPolicy, report_only: true, directives: { 'default-src' => "'self'" }
Development
After checking out the repo, run bundle install to install dependencies. Then,
run bundle exec rake to run the specs.
To install this gem onto your local machine, run bundle exec rake install.
Installation Security : Signed Ruby Gem
This gem is cryptographically signed. To be sure the gem you install hasn’t been tampered with you can install it using the following method:
Add my public key (if you haven’t already) as a trusted certificate
# Caveat: Gem certificates are trusted globally, such that adding a
# cert.pem for one gem automatically trusts all gems signed by that cert.
gem cert --add <(curl -Ls https://raw.github.com/grempe/rack-content_security_policy/master/certs/gem-public_cert_grempe_2026.pem)
To install, it is possible to specify either HighSecurity or MediumSecurity
mode. Since this gem depends on one or more gems that are not cryptographically
signed you will likely need to use MediumSecurity. You should receive a warning
if any signed gem does not match its signature.
# All signed dependent gems must be verified.
gem install rack-content_security_policy -P MediumSecurity
You can learn more about security and signed Ruby Gems.
Installation Security : Signed Git Commits
Most, if not all, of the commits and tags to this repository are
signed with my PGP/GPG code signing key. I have uploaded my code signing public
keys to GitHub and you can now verify those signatures with the GitHub UI.
See this list of commits
and look for the Verified tag next to each commit. You can click on that tag
for additional information.
You can also clone the repository and verify the signatures locally using your own GnuPG installation. You can find my certificates and read about how to conduct this verification at https://www.rempe.us/keys/.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/grempe/rack-content_security_policy. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
Legal
Copyright
Copyright (c) 2016 Glenn Rempe <[email protected]> (https://www.rempe.us/)
Some portions Copyright (c) 2009-2012 Alexey Rodionov
License
The gem is available as open source under the terms of the MIT License.
Warranty
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the LICENSE.txt file for the specific language governing permissions and limitations under the License.
Thank You!
Thanks to Alexey Rodionov (@p0deje) for his well written original implementation of CSP.
*Note that all licence references and agreements mentioned in the Rack::ContentSecurityPolicy README section above
are relevant to that project's source code only.