Unverified Commit 4da1c78b authored by Benjamin Neff's avatar Benjamin Neff Committed by Dennis Schubert

Add secure_header gem to add some security related headers

basic config for Content Security Policies
parent 35aa0bad
......@@ -137,6 +137,10 @@ gem "twitter-text", "1.14.0"
gem "ruby-oembed", "0.10.1"
gem "open_graph_reader", "0.6.1"
# Security Headers
gem "secure_headers", "3.4.1"
# Services
gem "omniauth", "1.3.1"
......@@ -211,10 +215,6 @@ group :production do # we don"t install these on travis to speed up test runs
gem "rack-google-analytics", "1.2.0"
gem "rack-piwik", "0.3.0", require: "rack/piwik"
# Click-jacking protection
gem "rack-protection", "1.5.3"
# Process management
gem "eye", "0.8.1"
......
......@@ -780,6 +780,8 @@ GEM
scss_lint (0.49.0)
rake (>= 0.9, < 12)
sass (~> 3.4.20)
secure_headers (3.4.1)
useragent
securecompare (1.0.0)
shellany (0.0.1)
shoulda-matchers (3.1.1)
......@@ -877,6 +879,7 @@ GEM
get_process_mem (~> 0)
unicorn (>= 4, < 6)
url_safe_base64 (0.2.2)
useragent (0.16.8)
uuid (2.3.8)
macaddr (~> 1.0)
valid (1.2.0)
......@@ -993,7 +996,6 @@ DEPENDENCIES
rack-cors (= 0.4.0)
rack-google-analytics (= 1.2.0)
rack-piwik (= 0.3.0)
rack-protection (= 1.5.3)
rack-rewrite (= 1.5.1)
rack-ssl (= 1.4.1)
rails (= 4.2.7.1)
......@@ -1026,6 +1028,7 @@ DEPENDENCIES
ruby-oembed (= 0.10.1)
rubyzip (= 1.2.0)
sass-rails (= 5.0.6)
secure_headers (= 3.4.1)
shoulda-matchers (= 3.1.1)
sidekiq (= 4.1.4)
sidekiq-cron (= 0.4.2)
......
......@@ -17,6 +17,5 @@ if defined?(Unicorn)
end
use Rack::Deflater
use Rack::InternetExplorerVersion, minimum: 9
use Rack::Protection::FrameOptions
run Diaspora::Application
SecureHeaders::Configuration.default do |config|
config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL
config.csp = {
default_src: %w('none'),
child_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
www.instagram.com),
connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
font_src: %w('self'),
form_action: %w('self' platform.twitter.com syndication.twitter.com),
frame_ancestors: %w('self'),
img_src: %w('self' data: *),
media_src: %w(https:),
script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
embedr.flickr.com platform.instagram.com),
style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
}
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment