Releases: github/secure_headers

Add hpkp support

07 May 18:34

Includes #143 (which is really just #132) from @thirstscolr

Add report_uri constant value

05 May 03:09

Just a small change that adds a constant that was missing, as reported in #141.

View Helpers Fixed

20 Mar 18:46

Fixes an issue where view helpers (for nonces, hashes, etc.) weren't available in views.

2.0

23 Jan 20:23

This release contains support for more CSP Level 2 features, such as the new directives, the script hash integration, and more.

It also sets a new header by default: X-Permitted-Cross-Domain-Policies

Support for HPKP is not included in this release, as the browser implementations are still very unstable.

🚀

Deprecate features in preparation for 2.0

06 Dec 01:54

This removes the forwarder and "experimental" feature. The forwarder wasn't well maintained and created a lot of headaches. Also, it was using an outdated certificate pack for compatibility. That's bad. The experimental feature wasn't really used and it complicated the codebase a lot. It's also a questionably useful API that is very confusing.

Adds X-Permitted-Cross-Domain-Policies support by default

06 Dec 01:55

The only change between this and the first pre-release is that the X-Permitted-Cross-Domain-Policies support is included.

2.0.0.pre - CSP level 2 support

14 Nov 00:54
Pre-release

This release is intended to be ready for CSP Level 2. Mainly, this means there is direct support for hash/nonce of inline content, and it includes many new directives (which do not inherit from default-src).

v1.3.4

13 Oct 22:05
  • Adds X-Download-Options support
  • Adds support for X-XSS-Protection reporting
  • Defers loading of rails engine for faster boot times

hsts preload confirmation value support

15 Aug 02:30

@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).

This just adds a new 'preload' option to the HSTS settings to specify that option.

Add app tagging support

14 Aug 00:01

Tagging Requests

It's often valuable to send extra information in the report URI that is not available in the reports themselves. Namely, "was the policy enforced?" and "where did the report come from?"

{
  :tag_report_uri => true,
  :enforce => true,
  :app_name => 'twitter',
  :report_uri => 'csp_reports'
}

Results in

report-uri csp_reports?enforce=true&app_name=twitter
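To make the tagging concrete, here is an added example (not the secure_headers gem's own implementation) of both sides of the exchange: one function builds the `report-uri` directive value from the options shown above, and a second, on the endpoint that receives the violation reports, reads the tags back out of the request URL so reports can be bucketed by app and by enforce/report-only mode. The option keys come from the page; the handling of a `report_uri` that already carries a query string, and the choice to emit `enforce=false` for report-only mode, are assumptions made for this example.

```ruby
require 'uri'

# Build the report-uri directive value from a secure_headers-style config hash.
# Added example; assumes the keys :tag_report_uri, :enforce, :app_name and
# :report_uri as they appear in the release notes above.
def tagged_report_uri(config)
  uri = config.fetch(:report_uri)
  return "report-uri #{uri}" unless config[:tag_report_uri]

  params = {}
  # Assumption: report-only mode is tagged explicitly as enforce=false.
  params['enforce'] = config[:enforce] ? 'true' : 'false' if config.key?(:enforce)
  params['app_name'] = config[:app_name] if config[:app_name]
  return "report-uri #{uri}" if params.empty?

  # Assumption: a report_uri that already has a query string gets '&', not '?'.
  separator = uri.include?('?') ? '&' : '?'
  "report-uri #{uri}#{separator}#{URI.encode_www_form(params)}"
end

# On the receiving endpoint: recover the tags from the report request URL.
# Returns a hash with :enforce (boolean) and :app_name (string) when present.
def report_tags(report_request_url)
  query = URI.parse(report_request_url).query
  return {} if query.nil? || query.empty?

  raw = Hash[URI.decode_www_form(query)]
  tags = {}
  tags[:enforce] = (raw['enforce'] == 'true') if raw.key?('enforce')
  tags[:app_name] = raw['app_name'] if raw.key?('app_name')
  tags
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample config, matching the release notes above.
  config = {
    tag_report_uri: true,
    enforce: true,
    app_name: 'twitter',
    report_uri: 'csp_reports'
  }
  directive = tagged_report_uri(config)
  puts directive
  # The browser POSTs the report to the tagged path; the endpoint reads the tags.
  puts report_tags('/' + directive.sub('report-uri ', '')).inspect
end
```

When the endpoint keys its counters on `app_name` and `enforce`, a spike of reports with `enforce=false` can be told apart from real blocked requests, which is the distinction the release notes describe as missing from the report body itself.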