Releases: github/secure_headers
Add HPKP support
Includes #143 (which is really just #132) from @thirstscolr
Add report_uri constant value
Just a small change that adds a constant that was missing, as reported in #141.
View Helpers Fixed
Fixes an issue where view helpers (for nonces, hashes, etc.) weren't available in views.
2.0
This release contains support for more CSP level 2 features, such as the new directives, the script hash integration, and more.
It also sets a new header by default: X-Permitted-Cross-Domain-Policies
Support for HPKP is not included in this release as the implementations are still very unstable.
🚀
Deprecate features in preparation for 2.0
This removes the forwarder and "experimental" feature. The forwarder wasn't well maintained and created a lot of headaches. Also, it was using an outdated certificate pack for compatibility. That's bad. The experimental feature wasn't really used and it complicated the codebase a lot. It's also a questionably useful API that is very confusing.
Adds X-Permitted-Cross-Domain-Policies support by default
The only change between this and the first pre-release is that the X-Permitted-Cross-Domain-Policies support is included.
2.0.0.pre - CSP level 2 support
This release is intended to be ready for CSP level 2. Mainly, this means there is direct support for hashes/nonces of inline content, and it includes many new directives (which do not inherit from default-src).
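As an added illustration of the script hash integration mentioned in the 2.0 and 2.0.0.pre notes (example code written for this page, not the gem's own implementation): the CSP level 2 hash source for an inline script is the base64-encoded digest of the exact bytes between the `<script>` tags, so any change to whitespace changes the hash. The helper names `hash_source` and `csp_header`, and the sample policy, are assumptions; the directives shown as not falling back to default-src (base-uri, form-action, frame-ancestors, report-uri) are the ones the CSP 2 specification defines that way.

```ruby
require 'digest'

# Added example (not secure_headers code): derive a CSP level 2 hash source
# for a block of inline script and place it in a script-src directive.
def hash_source(inline_content, algorithm: 'sha256')
  digest = case algorithm
           when 'sha256' then Digest::SHA256.digest(inline_content)
           when 'sha384' then Digest::SHA384.digest(inline_content)
           when 'sha512' then Digest::SHA512.digest(inline_content)
           else raise ArgumentError, "unsupported CSP hash algorithm: #{algorithm}"
           end
  # CSP wants the raw digest base64-encoded, prefixed with the algorithm name
  # and single-quoted. pack('m0') is strict base64 with no line breaks.
  "'#{algorithm}-#{[digest].pack('m0')}'"
end

# Serialise a directive hash (name => list of sources) into a header value.
def csp_header(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

# Constructed sample: the inline script exactly as it would sit in a view.
# The leading newline and indentation are part of the hashed bytes, so the
# view must emit the same bytes that were hashed or the script is blocked.
INLINE_SCRIPT = "\n  console.log('hello');\n"

# Assumed sample policy. The last four directives are CSP 2 additions that
# do not fall back to default-src, so they have to be set explicitly.
POLICY = {
  'default-src'     => ["'self'"],
  'script-src'      => ["'self'", hash_source(INLINE_SCRIPT)],
  'base-uri'        => ["'self'"],
  'form-action'     => ["'self'"],
  'frame-ancestors' => ["'none'"],
  'report-uri'      => ['/csp_reports'],
}

puts csp_header(POLICY) if $PROGRAM_NAME == __FILE__
```

When pairing this with a template, hash the rendered script body, not the source template, since any interpolation or reformatting in the view changes the bytes and therefore the hash.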
v1.3.4
HSTS preload confirmation value support
@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
This just adds a new 'preload' option to the HSTS settings to specify that option.
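An added example (written for this page, not the gem's implementation) of what the preload token does and why it should not be switched on casually: it builds a Strict-Transport-Security value from an options hash and checks the value against the submission requirements published by the preload list (max-age of at least one year, includeSubDomains, and preload). The `:preload` key comes from the note above; the `:max_age` and `:include_subdomains` key names and the helper names are assumptions.

```ruby
# Added example, not secure_headers code. Option keys are assumed to be
# :max_age (seconds), :include_subdomains and :preload.

ONE_YEAR = 31_536_000 # seconds; minimum max-age the preload list accepts

def hsts_header(opts)
  max_age = Integer(opts.fetch(:max_age))
  raise ArgumentError, 'max_age must not be negative' if max_age.negative?

  parts = ["max-age=#{max_age}"]
  parts << 'includeSubDomains' if opts[:include_subdomains]
  parts << 'preload' if opts[:preload]
  parts.join('; ')
end

# Returns the reasons a header value would be rejected by the preload list;
# an empty list means the value is eligible for submission.
def preload_problems(header_value)
  tokens  = header_value.split(';').map(&:strip)
  max_age = tokens.find { |t| t.start_with?('max-age=') }&.delete_prefix('max-age=')&.to_i
  problems = []
  problems << "max-age #{max_age.inspect} is below #{ONE_YEAR}" if max_age.nil? || max_age < ONE_YEAR
  problems << 'includeSubDomains missing' unless tokens.include?('includeSubDomains')
  problems << 'preload missing' unless tokens.include?('preload')
  problems
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample settings: one eligible, one short of the requirements.
  [{ max_age: ONE_YEAR, include_subdomains: true, preload: true },
   { max_age: 10_886_400, preload: true }].each do |opts|
    value = hsts_header(opts)
    puts "#{value} -> #{preload_problems(value).inspect}"
  end
end
```

Emit `preload` only once every host under the domain, subdomains included, serves HTTPS: the token is a promise to the preload list, and getting a domain removed again takes months of browser release cycles.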
Add app tagging support
Tagging Requests
It's often valuable to send extra information in the report URI that is not available in the reports themselves, namely "was the policy enforced?" and "where did the report come from?".
```ruby
{
  :tag_report_uri => true,
  :enforce => true,
  :app_name => 'twitter',
  :report_uri => 'csp_reports'
}
```

Results in:

`report-uri csp_reports?enforce=true&app_name=twitter`
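An added example of the tagging above, written for this page rather than taken from the gem: it appends the `enforce` and `app_name` parameters to the report URI, keeps an existing query string intact, percent-encodes the app name so it cannot smuggle in extra parameters, and shows the receiving side recovering the tags from the query string. The option names are the ones in the note; the helper names are assumptions.

```ruby
require 'uri'

# Added example, not secure_headers code. Option names follow the note above;
# tagged_report_uri, report_uri_directive and report_tags are assumed names.
def tagged_report_uri(config)
  uri = config.fetch(:report_uri)
  return uri unless config[:tag_report_uri]

  tags = { 'enforce' => config.fetch(:enforce, false).to_s }
  tags['app_name'] = config[:app_name].to_s if config[:app_name]
  # encode_www_form percent-encodes values, so an app name such as
  # "my app&co" becomes my+app%26co instead of a second parameter.
  query = URI.encode_www_form(tags)
  separator = uri.include?('?') ? '&' : '?'
  "#{uri}#{separator}#{query}"
end

def report_uri_directive(config)
  "report-uri #{tagged_report_uri(config)}"
end

# Receiving side: recover the tags from the report request's query string so
# reports can be bucketed by app and by enforce/report-only mode before the
# JSON body is even parsed.
def report_tags(query_string)
  URI.decode_www_form(query_string).to_h
end

# The configuration from the note, constructed here as sample input.
CONFIG = {
  :tag_report_uri => true,
  :enforce => true,
  :app_name => 'twitter',
  :report_uri => 'csp_reports'
}

puts report_uri_directive(CONFIG) if $PROGRAM_NAME == __FILE__
```

Treat the tags as hints for routing only: a report is sent by the browser and the query string is under the client's control, so the collector should not trust `app_name` for anything beyond grouping.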