documentation around behavior

Author: oreoshake

README.md

@@ -415,6 +415,35 @@ def before_load
 end
 ```
 
+### Using in rack middleware
+
+The `SecureHeaders::header_hash` generates a hash of all header values, which is useful for merging with rack middleware values.
+
+```ruby
+class MySecureHeaders
+  include SecureHeaders
+  def initialize(app)
+  @app = app
+ end
+
+ def call(env)
+   status, headers, response = @app.call(env)
+   security_headers = if override?
+     SecureHeaders::header_hash(:csp => false) # uses global config, but overrides CSP config
+   else
+     SecureHeaders::header_hash # uses global config
+   end
+   [status, headers.merge(security_headers), [response.body]]
+ end
+end
+
+module Testapp
+  class Application < Rails::Application
+    config.middleware.use MySecureHeaders
+  end
+end
+```
+
 ## Similar libraries
 
 * Rack [rack-secure_headers](https://github.com/harmoni/rack-secure_headers)

lib/secure_headers.rb

@@ -19,6 +19,7 @@ module SecureHeaders
   ALL_HEADER_CLASSES = [
     SecureHeaders::ContentSecurityPolicy,
     SecureHeaders::StrictTransportSecurity,
+    SecureHeaders::PublicKeyPins,
     SecureHeaders::XContentTypeOptions,
     SecureHeaders::XDownloadOptions,
     SecureHeaders::XFrameOptions,
@@ -57,8 +58,10 @@ def header_hash(options = nil)
           ::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
         end
 
-        header = get_a_header(klass::Constants::CONFIG_KEY, klass, config)
-        memo[header.name] = header.value
+        unless klass == SecureHeaders::PublicKeyPins && !config.is_a?(Hash)
+          header = get_a_header(klass::Constants::CONFIG_KEY, klass, config)
+          memo[header.name] = header.value
+        end
         memo
       end
     end