|
2 | 2 |
|
3 | 3 | **master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now. |
4 | 4 |
|
5 | | -**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch. |
6 | | - |
7 | | -**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things. |
8 | | - |
9 | 5 | The gem will automatically apply several headers that are related to security. This includes: |
10 | 6 | - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/) |
11 | 7 | - https://csp.withgoogle.com |
@@ -33,20 +29,6 @@ It can also mark all http cookies with the Secure, HttpOnly and SameSite attribu |
33 | 29 | - [Hashes](docs/hashes.md) |
34 | 30 | - [Sinatra Config](docs/sinatra.md) |
35 | 31 |
|
36 | | -## Getting Started |
37 | | - |
38 | | -### Rails 3+ |
39 | | - |
40 | | -For Rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. If for some reason the middleware is not being included follow the instructions for Rails 2. |
41 | | - |
42 | | -### Rails 2 |
43 | | - |
44 | | -For Rails 2 or non-rails applications, an explicit statement is required to use the middleware component. |
45 | | - |
46 | | -```ruby |
47 | | -use SecureHeaders::Middleware |
48 | | -``` |
49 | | - |
50 | 32 | ## Configuration |
51 | 33 |
|
52 | 34 | If you do not supply a `default` configuration, exceptions will be raised. If you would like to use a default configuration (which is fairly locked down), just call `SecureHeaders::Configuration.default` without any arguments or block. |
@@ -119,6 +101,23 @@ X-Permitted-Cross-Domain-Policies: none |
119 | 101 | X-Xss-Protection: 1; mode=block |
120 | 102 | ``` |
121 | 103 |
|
| 104 | +## API configurations |
| 105 | + |
| 106 | +Which headers you decide to use for API responses is entirely a personal choice. Things like X-Frame-Options seem to have no place in an API response and would be wasting bytes. While this is true, browsers can do funky things with non-html responses. At the minimum, we suggest CSP: |
| 107 | + |
| 108 | +```ruby |
| 109 | +SecureHeaders::Configuration.override(:api) do |config| |
| 110 | + config.csp = { default_src: 'none' } |
| 111 | + config.hsts = SecureHeaders::OPT_OUT |
| 112 | + config.x_frame_options = SecureHeaders::OPT_OUT |
| 113 | + config.x_content_type_options = SecureHeaders::OPT_OUT |
| 114 | + config.x_xss_protection = SecureHeaders::OPT_OUT |
| 115 | + config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT |
| 116 | +end |
| 117 | +``` |
| 118 | + |
| 119 | +However, I would consider these headers anyways depending on your load and bandwidth requirements. |
| 120 | + |
122 | 121 | ## Similar libraries |
123 | 122 |
|
124 | 123 | * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers) |
|
0 commit comments