github / secure_headers

Manages application of security headers with many safe defaults
MIT License
3.16k stars 252 forks

Installation instructions unclear #492

Closed TravisSpangle closed 2 years ago

TravisSpangle commented 2 years ago

I've inherited a Rails 4 app that needs CSP. Many articles have pointed me here with

  1. install the gem
  2. create a config/initializers/csp.rb file with my settings.

I only ever get uninitialized constant SecureHeaders on rails s regardless of where I put my configuration.

I'm poking around this repo, reading through the upgrade docs, and surprised there isn't more direction.

Here are the contents of my csp.rb

# Global configuration for the secure_headers gem; the constant must be loaded
# before this block runs, otherwise Rails raises "uninitialized constant SecureHeaders".
SecureHeaders::Configuration.default do |config|
  # Content-Security-Policy directives; each symbol maps to the hyphenated directive name.
  config.csp = {
    default_src: %w(https: 'self'),
    font_src: %w('self' data: https:),
    img_src: %w('self' https: data:),
    object_src: %w('none'),
    script_src: %w(https:),
    style_src: %w('self' https: 'unsafe-inline')
  }
  # OPT_OUT disables emission of the corresponding header entirely.
  config.hsts = SecureHeaders::OPT_OUT
  config.x_frame_options = SecureHeaders::OPT_OUT
  config.x_content_type_options = SecureHeaders::OPT_OUT
  config.x_xss_protection = SecureHeaders::OPT_OUT
  config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
end

In addition to the initializer file I've tried config/application.rb and controllers/application_controller.rb.
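The following is an added example, not code from the secure_headers project or from the issue author: it takes a policy hash in the same shape as the csp.rb above, renders it into the Content-Security-Policy header value a browser would receive (using standard CSP syntax, re-implemented here rather than calling the gem), and runs a few review checks over the directives. It can be run offline without the gem installed, which is useful when the constant itself fails to load as described in the issue.

```ruby
# Added example: serialize and review a CSP policy hash of the kind passed to
# config.csp in secure_headers. The serializer below is a plain re-implementation
# of the standard header syntax, not the gem's own code.

# The policy from the issue, copied verbatim for illustration.
ISSUE_POLICY = {
  default_src: %w(https: 'self'),
  font_src: %w('self' data: https:),
  img_src: %w('self' https: data:),
  object_src: %w('none'),
  script_src: %w(https:),
  style_src: %w('self' https: 'unsafe-inline')
}.freeze

# Map a key such as :script_src to the directive name "script-src", join its
# source list with spaces, and separate directives with "; ".
def csp_header(policy)
  policy.map do |directive, sources|
    "#{directive.to_s.tr('_', '-')} #{sources.join(' ')}"
  end.join('; ')
end

# Defender-side review checks over the policy. Returns an array of strings so the
# result is easy to assert on or print. The checks are deliberately conservative:
# a scheme-only source such as https: in script-src allows scripts from any https host,
# and 'unsafe-inline' / 'unsafe-eval' relax the protections CSP exists to provide.
def csp_findings(policy)
  findings = []
  findings << "no default-src fallback" unless policy.key?(:default_src)
  findings << "object-src not locked down" unless policy.fetch(:object_src, []) == ["'none'"]

  %i[script_src style_src].each do |directive|
    name = directive.to_s.tr('_', '-')
    # Directives not set explicitly fall back to default-src.
    sources = policy.fetch(directive, policy.fetch(:default_src, []))
    findings << "#{name} allows 'unsafe-inline'" if sources.include?("'unsafe-inline'")
    findings << "#{name} allows 'unsafe-eval'" if sources.include?("'unsafe-eval'")
    findings << "#{name} allows any origin (*)" if sources.include?('*')
    if directive == :script_src && sources.include?('https:')
      findings << "script-src allows any https: origin"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "Content-Security-Policy: #{csp_header(ISSUE_POLICY)}"
  csp_findings(ISSUE_POLICY).each { |finding| puts "finding: #{finding}" }
end
```

Running it prints the rendered header followed by two findings for the issue's policy: script-src accepts scripts from any https: host, and style-src permits inline styles. Neither is an error, but both are worth a conscious decision before shipping the policy.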

TravisSpangle commented 2 years ago

I generated a new app with the same version of ruby & rails. I followed the instructions I had previously and secure_headers works as advertised. It threw an error letting me know I hadn't set a policy and I correctly set it in config/initializers.

This app must have something at the Rack level that conflicts with secure_headers.