Lowercase headers

Author: arashnd

CHANGELOG.md

@@ -62,11 +62,11 @@ NOTE: this version is a breaking change due to the removal of HPKP. Remove the H
 
 ## 5.0.2
 
-- Updates `Referrer-Policy` header to support multiple policy values
+- Updates `referrer-policy` header to support multiple policy values
 
 ## 5.0.1
 
-- Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.
+- Updates `expect-ct` header to use a comma separator between directives, as specified in the most current spec.
 
 ## 5.0.0
 
@@ -90,7 +90,7 @@ Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maxi
 
 ## 3.7.0
 
-Adds support for the `Expect-CT` header (@jacobbednarz: https://github.com/twitter/secureheaders/pull/322)
+Adds support for the `expect-ct` header (@jacobbednarz: https://github.com/twitter/secureheaders/pull/322)
 
 ## 3.6.7
 
@@ -335,7 +335,7 @@ console.log(1)
 ```
 
 ```
-Content-Security-Policy: ...
+content-security-policy: ...
  script-src 'sha256-yktKiAsZWmc8WpOyhnmhQoDf9G2dAZvuBBC+V0LGQhg=' ... ;
  style-src 'sha256-SLp6LO3rrKDJwsG9uJUxZapb4Wp2Zhj6Bu3l+d9rnAY=' 'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE=' ...;
 ```
@@ -552,15 +552,15 @@ Fixes an issue where view helpers (for nonces, hashes, etc) weren't available in
 
 This release contains support for more csp level 2 features such as the new directives, the script hash integration, and more.
 
-It also sets a new header by default: `X-Permitted-Cross-Domain-Policies`
+It also sets a new header by default: `x-permitted-cross-domain-policies`
 
 Support for hpkp is not included in this release as the implementations are still very unstable.
 
 :rocket:
 
-## v.2.0.0.pre2 - 2014-12-06 01:55:42 UTC - Adds X-Permitted-Cross-Domain-Policies support by default
+## v.2.0.0.pre2 - 2014-12-06 01:55:42 UTC - Adds x-permitted-cross-domain-policies support by default
 
-The only change between this and the first pre release is that the X-Permitted-Cross-Domain-Policies support is included.
+The only change between this and the first pre release is that the x-permitted-cross-domain-policies support is included.
 
 ## v1.4.0 - 2014-12-06 01:54:48 UTC - Deprecate features in preparation for 2.0
 
@@ -572,7 +572,7 @@ This release is intended to be ready for CSP level 2. Mainly, this means there i
 
 ## v1.3.4 - 2014-10-13 22:05:44 UTC -
 
-* Adds X-Download-Options support
+* Adds x-download-options support
 * Adds support for X-XSS-Protection reporting
 * Defers loading of rails engine for faster boot times
 

README.md

@@ -11,11 +11,11 @@ The gem will automatically apply several headers that are related to security.
 - X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
 - X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
-- X-Download-Options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
-- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
-- Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
-- Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
-- Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
+- x-download-options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
+- x-permitted-cross-domain-policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
+- referrer-policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
+- expect-ct - Only use certificates that are present in the certificate transparency logs. [expect-ct draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
+- clear-site-data - Clearing browser data for origin. [clear-site-data specification](https://w3c.github.io/webappsec-clear-site-data/).
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
 
@@ -92,19 +92,19 @@ end
 ```
 
 ### Deprecated Configuration Values
-* `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content for more information.
+* `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-security-policy/block-all-mixed-content for more information.
 
 ## Default values
 
 All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:
 
 ```
-Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
-Strict-Transport-Security: max-age=631138519
+content-security-policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
+strict-transport-security: max-age=631138519
 X-Content-Type-Options: nosniff
-X-Download-Options: noopen
+x-download-options: noopen
 X-Frame-Options: sameorigin
-X-Permitted-Cross-Domain-Policies: none
+x-permitted-cross-domain-policies: none
 X-Xss-Protection: 0
 ```
 

docs/hashes.md

@@ -58,7 +58,7 @@ console.log(1)
 ```
 
 ```
-Content-Security-Policy: ...
+content-security-policy: ...
  script-src 'sha256-yktKiAsZWmc8WpOyhnmhQoDf9G2dAZvuBBC+V0LGQhg=' ... ;
  style-src 'sha256-SLp6LO3rrKDJwsG9uJUxZapb4Wp2Zhj6Bu3l+d9rnAY=' 'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE=' ...;
 ```

docs/per_action_configuration.md

@@ -91,7 +91,7 @@ body {
 
 ```
 
-Content-Security-Policy: ...
+content-security-policy: ...
   script-src 'nonce-/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=' ...;
   style-src 'nonce-/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=' ...;
 ```
@@ -118,13 +118,13 @@ You can clear the browser cache after the logout request by using the following.
 
 ``` ruby
 class ApplicationController < ActionController::Base
-  # Configuration override to send the Clear-Site-Data header.
+  # Configuration override to send the clear-site-data header.
   SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
     config.clear_site_data = SecureHeaders::ClearSiteData::ALL_TYPES
   end
 
 
-  # Clears the browser's cache for browsers supporting the Clear-Site-Data
+  # Clears the browser's cache for browsers supporting the clear-site-data
   # header.
   #
   # Returns nothing.

docs/upgrading-to-4-0.md

@@ -15,7 +15,7 @@ The default CSP has changed to be more universal without sacrificing too much se
 
 Previously, the default CSP was:
 
-`Content-Security-Policy: default-src 'self'`
+`content-security-policy: default-src 'self'`
 
 The new default policy is:
 

lib/secure_headers/configuration.rb

@@ -256,7 +256,7 @@ def csp=(new_csp)
       end
     end
 
-    # Configures the Content-Security-Policy-Report-Only header. `new_csp` cannot
+    # Configures the content-security-policy-report-only header. `new_csp` cannot
     # contain `report_only: false` or an error will be raised.
     #
     # NOTE: if csp has not been configured/has the default value when

lib/secure_headers/headers/clear_site_data.rb

@@ -2,7 +2,7 @@
 module SecureHeaders
   class ClearSiteDataConfigError < StandardError; end
   class ClearSiteData
-    HEADER_NAME = "Clear-Site-Data".freeze
+    HEADER_NAME = "clear-site-data".freeze
 
     # Valid `types`
     CACHE = "cache".freeze
@@ -12,7 +12,7 @@ class ClearSiteData
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
     class << self
-      # Public: make an Clear-Site-Data header name, value pair
+      # Public: make an clear-site-data header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
       def make_header(config = nil, user_agent = nil)
@@ -39,8 +39,8 @@ def validate_config!(config)
         end
       end
 
-      # Public: Transform a Clear-Site-Data config (an Array of Strings) into a
-      # String that can be used as the value for the Clear-Site-Data header.
+      # Public: Transform a clear-site-data config (an Array of Strings) into a
+      # String that can be used as the value for the clear-site-data header.
       #
       # types - An Array of String of types of data to clear.
       #

lib/secure_headers/headers/content_security_policy.rb

@@ -26,8 +26,8 @@ def initialize(config = nil)
     end
 
     ##
-    # Returns the name to use for the header. Either "Content-Security-Policy" or
-    # "Content-Security-Policy-Report-Only"
+    # Returns the name to use for the header. Either "content-security-policy" or
+    # "content-security-policy-report-only"
     def name
       @config.class.const_get(:HEADER_NAME)
     end

lib/secure_headers/headers/content_security_policy_config.rb

@@ -78,7 +78,7 @@ def write_attribute(attr, value)
 
   class ContentSecurityPolicyConfigError < StandardError; end
   class ContentSecurityPolicyConfig
-    HEADER_NAME = "Content-Security-Policy".freeze
+    HEADER_NAME = "content-security-policy".freeze
 
     ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
     def self.attrs
@@ -107,7 +107,7 @@ def make_report_only
   end
 
   class ContentSecurityPolicyReportOnlyConfig < ContentSecurityPolicyConfig
-    HEADER_NAME = "Content-Security-Policy-Report-Only".freeze
+    HEADER_NAME = "content-security-policy-report-only".freeze
 
     def report_only?
       true

lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -3,14 +3,14 @@ module SecureHeaders
   class ExpectCertificateTransparencyConfigError < StandardError; end
 
   class ExpectCertificateTransparency
-    HEADER_NAME = "Expect-CT".freeze
+    HEADER_NAME = "expect-ct".freeze
     INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
     INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
     REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
     INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze
 
     class << self
-      # Public: Generate a Expect-CT header.
+      # Public: Generate a expect-ct header.
       #
       # Returns nil if not configured, returns header name and value if
       # configured.