class Rack::NonCache::SecurityFilter

Public Class Methods

apply(headers) click to toggle source
# File lib/rack/noncache/filters.rb, line 26
def self.apply(headers)

  # When you type in your bank's website, do you enter mybank.example.com
  # or do you enter https://mybank.example.com? If you omit the https
  # protocol, you are potentially vulnerable to Man in the Middle
  # attacks. Even if the website performs a redirect to
  # https://mybank.example.com a malicious user could intercept the
  # initial HTTP request and manipulate the response (i.e. redirect to
  # https://mibank.example.com and steal their credentials).
  #
  # Many users omit the https protocol and this is why HTTP Strict
  # Transport Security (HSTS) was created. Once mybank.example.com is
  # added as a HSTS host, a browser can know ahead of time that any
  # request to mybank.example.com should be interpreted as
  # https://mybank.example.com. This greatly reduces the possibility of a
  # Man in the Middle attack occurring.

  headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'

  # The problem with content sniffing is that this allowed malicious
  # users to use polyglots (i.e. a file that is valid as multiple content
  # types) to execute XSS attacks. For example, some sites may allow
  # users to submit a valid postscript document to a website and view it.
  # A malicious user might create a postscript document that is also a
  # valid JavaScript file and execute a XSS attack with it.

  headers['X-Content-Type-Options'] = 'nosniff'

  # Some browsers have built in support for filtering out reflected XSS
  # attacks. This is by no means full proof, but does assist in XSS
  # protection.
  # The filtering is typically enabled by default, so adding the header
  # typically just ensures it is enabled and instructs the browser what
  # to do when a XSS attack is detected. For example, the filter might
  # try to change the content in the least invasive way to still render
  # everything. At times, this type of replacement can become a XSS
  # vulnerability in itself. Instead, it is best to block the content
  # rather than attempt to fix it.

  headers['S-Protection'] = '1; mode=block'
end