Open h0jeZvgoxFepBQ2C opened 3 years ago
Hello @h0jeZvgoxFepBQ2C, I can't recall if there's a shorthand way for doing this, but you can set each `config.<header_name> = SecureHeaders::OPT_OUT` to avoid the default behavior. Alternatively, and probably a worse idea, would be to do it per request with `SecureHeaders.opt_out_of_all_protection(request)` in some `before_action`.

I agree that would be a cool addition. I doubly like that you ended your proposed api with a `!` 🔥
Thanks @oreoshake,

I did something like this now:

```ruby
# Kill switch for all secure_headers protections, driven by an environment variable.
if ENV["DISABLE_SECURE_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    # Every header the gem knows about has to be opted out individually.
    config.cookies = SecureHeaders::OPT_OUT
    config.hsts = SecureHeaders::OPT_OUT
    config.x_frame_options = SecureHeaders::OPT_OUT
    config.x_content_type_options = SecureHeaders::OPT_OUT
    config.x_xss_protection = SecureHeaders::OPT_OUT
    config.x_download_options = SecureHeaders::OPT_OUT
    config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
    config.referrer_policy = SecureHeaders::OPT_OUT
    config.csp = SecureHeaders::OPT_OUT
  end
else
  # ... the normal configuration goes here
end
```

It would maybe be good to add such a small disable method, so you don't have to specify all settings manually (and maybe miss some, if new keys are implemented in future versions). And yeah, maybe there shouldn't be a `!`

Shall I leave this issue open? Or close it, since there is a workaround somehow?
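The concern above, that a hand-written opt-out list silently misses a header added in a later gem version, can be checked mechanically. The following is an added example, not code from this thread or from the secure_headers gem: it discovers every writer method (`name=`) on a configuration class by reflection, assigns the opt-out marker to each, and reports which settings an explicit list would have missed. It assumes that the gem exposes one writer per header on `SecureHeaders::Configuration` and that each writer accepts `SecureHeaders::OPT_OUT`, as the snippets in this thread show; `FakeConfiguration`, `OPT_OUT_MARKER` and `EXPLICIT_LIST` are constructed stand-ins so the script runs without the gem or Rails.

```ruby
# Added example (not the gem's own code). Assumption: SecureHeaders::Configuration
# has one public writer per header and accepts SecureHeaders::OPT_OUT for each.
# Everything below is constructed so the script runs offline without the gem.

OPT_OUT_MARKER = Object.new.freeze # constructed stand-in for SecureHeaders::OPT_OUT

# Setting names (without the trailing "=") that have a public writer on config_class.
def writable_settings(config_class)
  config_class.public_instance_methods(false)
              .map(&:to_s)
              .select { |m| m.end_with?("=") }
              .map { |m| m.delete_suffix("=").to_sym }
              .sort
end

# Assign marker to every writable setting on config; returns the names touched.
def opt_out_of_everything(config, marker)
  names = writable_settings(config.class)
  names.each { |name| config.public_send("#{name}=", marker) }
  names
end

# Settings the class exposes that a hand-written opt-out list does not cover.
def missed_settings(config_class, explicit_list)
  writable_settings(config_class) - explicit_list.map(&:to_sym)
end

# Constructed stand-in modelled on the header names used in this thread, plus
# clear_site_data standing in for a setting introduced by a newer version.
class FakeConfiguration
  attr_accessor :cookies, :hsts, :x_frame_options, :x_content_type_options,
                :x_xss_protection, :x_download_options,
                :x_permitted_cross_domain_policies, :referrer_policy, :csp,
                :clear_site_data
end

# The explicit list from the snippet earlier in this thread.
EXPLICIT_LIST = %i[cookies hsts x_frame_options x_content_type_options
                   x_xss_protection x_download_options
                   x_permitted_cross_domain_policies referrer_policy csp].freeze

if __FILE__ == $0
  cfg = FakeConfiguration.new
  touched = opt_out_of_everything(cfg, OPT_OUT_MARKER)
  puts "opted out: #{touched.join(', ')}"
  puts "hand-written list misses: #{missed_settings(FakeConfiguration, EXPLICIT_LIST).inspect}"
  # With the real gem, a Rails initializer could use the same helper (assumption):
  #   if ENV["DISABLE_SECURE_HEADERS"]
  #     SecureHeaders::Configuration.default do |c|
  #       opt_out_of_everything(c, SecureHeaders::OPT_OUT)
  #     end
  #   end
end
```

Before relying on the reflection approach against the real gem, confirm in a console that every discovered writer really accepts `SecureHeaders::OPT_OUT`; a writer for a non-header setting would otherwise receive a value it does not expect. Running `missed_settings` at boot and logging its result is a cheap way to notice, after a gem upgrade, that a protection is still being sent while the kill switch is set.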
I was in favor of the `!`! Apologies if that came out as sarcasm
I think it would be a good addition and therefore would be worth keeping open in case someone decides to implement it.
I've updated the title to reflect that this issue is less of a question and more of a valid, useful feature request.
I have a question; I don't know if I can put it here, but I already looked for where it would be better and decided on here. My question, and I have thought about it a lot: where do I put the code to apply the gem in a Jekyll project?
I have already installed the gem and everything, but I don't see the headers reflected in the web project. So I don't know how or where to apply it, whether in head or body.
I remain attentive and I hope you can help me. Thank you very much in advance.
Is there a way to enable this gem in an initializer completely?
E.g. we host our app for different customers, but due to various reasons we want to upgrade manually.
So I would like to enable secure_headers at runtime, like e.g.:
I also don't want to opt out of the settings; I want to completely disable secure headers (since sometimes we have set special headers ourselves and we will have to migrate them to secure headers first).