handle the case where only some config options are provided

Author: oreoshake

lib/secure_headers.rb

@@ -51,11 +51,12 @@ def append_features(base)
 
     def header_hash(options = nil)
       ALL_HEADER_CLASSES.inject({}) do |memo, klass|
-        config = if options.is_a?(Hash)
+        config = if options.is_a?(Hash) && options[klass::Constants::CONFIG_KEY]
           options[klass::Constants::CONFIG_KEY]
         else
           ::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
         end
+
         header = get_a_header(klass::Constants::CONFIG_KEY, klass, config)
         memo[header.name] = header.value
         memo

spec/lib/secure_headers_spec.rb

@@ -160,20 +160,40 @@ def set_security_headers(subject)
   end
 
   describe "SecureHeaders#header_hash" do
+    def expect_default_values(hash)
+      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
+      expect(hash[XDO_HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
+      expect(hash[HSTS_HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
+      expect(hash[X_XSS_PROTECTION_HEADER_NAME]).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
+      expect(hash[X_CONTENT_TYPE_OPTIONS_HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
+      expect(hash[XPCDP_HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
+    end
+
     it "produces a hash of headers given a hash as config" do
       hash = SecureHeaders::header_hash(:csp => {:default_src => 'none', :img_src => "data:", :disable_fill_missing => true})
       expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
+      expect_default_values(hash)
+    end
+
+    it "produces a hash with a mix of config values, override values, and default values" do
+      ::SecureHeaders::Configuration.configure do |config|
+        config.hsts = { :max_age => '123456'}
+      end
+
+      hash = SecureHeaders::header_hash(:csp => {:default_src => 'none', :img_src => "data:", :disable_fill_missing => true})
+      ::SecureHeaders::Configuration.configure do |config|
+        config.hsts = nil
+      end
+
+      expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
+      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
+      expect(hash[HSTS_HEADER_NAME]).to eq("max-age=123456")
     end
 
     it "produces a hash of headers with default config" do
       hash = SecureHeaders::header_hash
       expect(hash['Content-Security-Policy-Report-Only']).to eq(SecureHeaders::ContentSecurityPolicy::Constants::DEFAULT_CSP_HEADER)
-      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-      expect(hash[XDO_HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-      expect(hash[HSTS_HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-      expect(hash[X_XSS_PROTECTION_HEADER_NAME]).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-      expect(hash[X_CONTENT_TYPE_OPTIONS_HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-      expect(hash[XPCDP_HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
+      expect_default_values(hash)
     end
   end