Commit bb9ebc6

Document per controller/action config options
1 parent 9c8ccc5 commit bb9ebc6

1 file changed

+34
-1
lines changed


README.md

Lines changed: 34 additions & 1 deletion
@@ -33,6 +33,8 @@ The following methods are going to be called, unless they are provided in a `ski
3333

3434
**Place the following in an initializer (recommended):**
3535

36+
**NOTE: All CSP config values accept procs for one way of dynamically setting values**
37+
3638
```ruby
3739
::SecureHeaders::Configuration.configure do |config|
3840
config.hsts = {:max_age => 20.years.to_i, :include_subdomains => true}
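Review bot: the new NOTE line reads awkwardly ("accept procs for one way of dynamically setting values") and should say what the proc receives and returns; suggest "**NOTE: All CSP config values accept a proc, which is one way to set a value dynamically; the proc is called with the controller instance and must return the value the header would otherwise be given.**" That makes the `:enforce` example later in this file self-explanatory without the reader having to infer the proc's argument from the snippet.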
@@ -43,7 +45,7 @@ The following methods are going to be called, unless they are provided in a `ski
4345
config.x_permitted_cross_domain_policies = 'none'
4446
config.csp = {
4547
:default_src => "https: 'self'",
46-
:enforce => proc {|controller| controller.current_user.enforce_csp? },
48+
:enforce => proc {|controller| controller.my_feature_flag_api.enabled? },
4749
:frame_src => "https: http:.twimg.com http://itunes.apple.com",
4850
:img_src => "https:",
4951
:connect_src => "wws:"
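Review bot: `controller.my_feature_flag_api.enabled?` in the replacement `:enforce` line is an invented receiver, so a one-line comment marking it as a placeholder (e.g. `# any object reachable from the controller; must return true/false`) would stop readers copying it literally; the previous `current_user.enforce_csp?` at least hinted that the decision is usually per-request. While this section is open, the unchanged context line `:connect_src => "wws:"` looks like a typo for `"wss:"` (the TLS WebSocket scheme); as written it matches no scheme and would block the WebSocket connections it is meant to allow.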
@@ -88,6 +90,37 @@ ensure_security_headers(
8890
)
8991
```
9092

93+
## Per-action configuration
94+
95+
Sometimes you need to override your content security policy for a given endpoint. Rather than applying the exception globally, you have a few options:
96+
97+
1. Use procs as config values as mentioned above.
98+
1. Specifying `ensure_security_headers csp: ::SecureHeaders::Configuration.csp.merge(script_src: shadyhost.com)` in a descendent controller will override the settings for that controller only.
99+
1. Override the `secure_header_options_for` class instance method. e.g.
100+
101+
```ruby
102+
class SomethingController < ApplicationController
103+
def wumbus
104+
# gets style-src override
105+
end
106+
107+
def diffendoofer
108+
# does not get style-src override
109+
end
110+
111+
def secure_header_options_for(header, options)
112+
options = super
113+
if params[:action] == "wumbus"
114+
if header == :csp
115+
options.merge(style_src: "'self'")
116+
end
117+
else
118+
options
119+
end
120+
end
121+
end
122+
```
123+
91124
## Options for ensure\_security\_headers
92125

93126
**To disable any of these headers, supply a value of false (e.g. :hsts => false), supplying nil will set the default value**
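Review bot: the `secure_header_options_for` example has a logic bug: when `params[:action] == "wumbus"` but `header` is not `:csp`, the outer `if` branch evaluates to the value of the inner `if header == :csp ... end`, which is `nil`, so every non-CSP header for that action gets `nil` options (and, per the "supplying nil will set the default value" line below, is silently reset to its default). Collapse the conditions so the merged hash or the original options is always returned:
`if params[:action] == "wumbus" && header == :csp`
`  options.merge(style_src: "'self'")`
`else options end`
Two smaller points in the same hunk: item 2 passes `script_src: shadyhost.com` unquoted, which is not valid Ruby (it should be `script_src: "shadyhost.com"`), and "descendent" should be "descendant"; item 3 calls `secure_header_options_for` a "class instance method", but the example defines it with a plain `def` inside the controller, i.e. an instance method, so say "instance method" to avoid readers reaching for `def self.`. It is also worth noting next to the `merge` call that it replaces the existing `style_src` value rather than appending to it.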
