
ICT development team standards / SecureHeaders_gem

Nick recommends the SecureHeaders gem (https://github.com/twitter/secureheaders) for our Ruby projects. It sets Content-Security-Policy, Strict-Transport-Security (HSTS), Referrer-Policy, the X-Frame-Options / X-Content-Type-Options family and cookie flags from a single configuration block, and applies its own defaults for any header you do not configure. We set it up for the provisioning tool to address a pen testing issue. Here is the configuration from rds-provisioning-tool/config/application.rb:

    SecureHeaders::Configuration.default do |config|
      # Send the strict policy first; browsers that do not know it fall back to the next one.
      config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
      # Assigning config.csp replaces the gem's default policy, so list every directive you rely on.
      config.csp = {
        default_src: %w('self'),
        font_src: %w('self' data:),
        img_src: %w('self' data:),
        object_src: %w('none'),          # no Flash/Java plugins
        script_src: %w('self'),          # no 'unsafe-inline': inline <script> and on* handlers are blocked
        style_src: %w('self')
      }
    end

Two things to watch when copying this. With script_src limited to 'self', any inline script in a view must go through the gem's nonced_javascript_tag helper (or move into a static asset), otherwise the browser silently drops it. HSTS and the X-* headers are not configured here and stay at the gem's defaults; check the response with curl -sI after deploying rather than assuming they are present.
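As an added example (not code from the secure_headers gem or from rds-provisioning-tool), here is a dependency-free Ruby script that renders the CSP hash above into the header value the browser receives and lints a response's headers for the kind of findings a pen test raises. The serialiser is a simplified stand-in for the gem's own, the checks and thresholds (one-year HSTS max-age, object-src 'none', no open script sources) are this example's choices, and the two sample responses are constructed, not captured from the provisioning tool.

```ruby
# Added example: serialise a SecureHeaders-style CSP hash and audit response
# headers. Not part of the secure_headers gem or rds-provisioning-tool.

CSP = {
  default_src: %w('self'),
  font_src: %w('self' data:),
  img_src: %w('self' data:),
  object_src: %w('none'),
  script_src: %w('self'),
  style_src: %w('self')
}.freeze

# Simplified serialiser (stand-in for the gem's): underscored keys become
# hyphenated directive names, sources are space-joined, directives ';'-joined.
def csp_header(policy)
  policy.map { |d, srcs| "#{d.to_s.tr('_', '-')} #{srcs.join(' ')}" }.join('; ')
end

# Parse a CSP header value back into { "script-src" => ["'self'"], ... }.
def parse_csp(value)
  value.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |directive, h|
    name, *sources = directive.split(/\s+/)
    h[name.downcase] = sources
  end
end

# Source expressions that make script-src effectively open.
WEAK_SCRIPT_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", '*', 'https:', 'http:', 'data:'].freeze

def csp_findings(value)
  csp = parse_csp(value)
  findings = []
  findings << 'CSP has no default-src fallback' unless csp.key?('default-src')
  scripts = csp['script-src'] || csp['default-src'] || []   # script-src falls back to default-src
  weak = scripts & WEAK_SCRIPT_SOURCES
  findings << "script-src allows #{weak.join(' ')}" unless weak.empty?
  objects = csp['object-src'] || csp['default-src'] || []
  findings << "object-src should be 'none'" unless objects == ["'none'"]
  findings
end

def hsts_findings(value)
  m = value.match(/max-age=(\d+)/i)
  return ['HSTS has no max-age'] unless m
  m[1].to_i >= 31_536_000 ? [] : ['HSTS max-age below one year']   # threshold is this example's choice
end

# Header name => check returning a list of findings for that header's value.
CHECKS = {
  'content-security-policy' => method(:csp_findings),
  'strict-transport-security' => method(:hsts_findings),
  'x-content-type-options' => ->(v) { v.casecmp?('nosniff') ? [] : ['X-Content-Type-Options is not nosniff'] },
  'x-frame-options' => ->(v) { %w[deny sameorigin].include?(v.downcase) ? [] : ['X-Frame-Options is not DENY/SAMEORIGIN'] },
  'referrer-policy' => ->(v) { v.downcase.include?('unsafe-url') ? ['Referrer-Policy leaks full URLs'] : [] }
}.freeze

# Audit a Hash of response headers (names matched case-insensitively); returns findings.
def audit(headers)
  normalised = headers.transform_keys { |k| k.to_s.downcase }
  CHECKS.flat_map do |name, check|
    value = normalised[name]
    value ? check.call(value).map { |f| "#{name}: #{f}" } : ["#{name}: header missing"]
  end
end

# Constructed sample responses (not captured from any real host).
BEFORE = { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'SAMEORIGIN' }.freeze
AFTER = {
  'Content-Security-Policy' => csp_header(CSP),
  'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options' => 'nosniff',
  'X-Frame-Options' => 'SAMEORIGIN',
  'Referrer-Policy' => 'strict-origin-when-cross-origin'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "CSP header: #{csp_header(CSP)}"
  puts 'Before:'
  audit(BEFORE).each { |f| puts "  #{f}" }
  puts "After: #{audit(AFTER).empty? ? 'clean' : audit(AFTER).inspect}"
end
```

To use it against a deployed instance, turn the output of curl -sI https://<host>/ into a hash and pass it to audit in a smoke test; the BEFORE sample shows the findings a response without the gem produces, and AFTER is a response carrying the CSP from the config above plus the other headers the gem manages.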
