Closed frodsan closed 9 years ago
mkristian
commented
9 years ago I am using rack-protection for the same purpose. it is very flexible and configurable. did not double check but you have a few options which are NOT part of rack-protection - maybe you could contribute your improvements there ;)
frodsan
commented
9 years ago @mkristian I was using rack-protection too. I really don't like Rack middlewares to set up these headers. I think we can adapt some Rack::Protection features to Cuba without using them.
This is a benchmark I made in an app:
| Application | Requests/sec |
|---|---|
| App with .use(Rack::Protection) | 2516.68 |
| App without Rack::Protection | 4752.51 |
I would like to reduce that overhead. You can see the following benchmark: https://github.com/harmoni-io/cuba-secure_headers/blob/master/benchmark/secure_headers.rb#L51. That would be the same benchmark between this plugin an a couple of Rack::Protection middlewares.
UPDATE: We can make this plugin configurable, but I prefer to have an use case first or a report from someone.
UPDATE 2: I was using rack-protection to set those headers. I still use rack-protection (session hijacking & path traversal).
mkristian
commented
9 years ago @frodsan I see your intention now. the numbers are impressive - I guess I will try this plugin as well ;)
with Strict-Transport-Security in development I had a bad experience when I used "noscript"-addon + firefox: it kept the STS config for localhost which made other apps on localhost without https just fail all the time. it took me quite a while to find the noscript cache (or to find that noscript is the problem)
First step to add secure by default methods.