Improve CSP guide [ci-skip]

"HTTP Security Headers" is more descriptive than "Default Headers", as
these only refer to HTTP Headers.
Add a short introduction explaining "why" a CSP is recommended.
Add headers to the reporting violations and the nonce sections.
Describe what nonces are used for and link to the w3.org CSP documentation.
Petrik 2022-02-09 20:34:44 +01:00
parent 09194c9d69
commit 2a3bc5bd18

@ -1032,8 +1032,8 @@ your application if you are aware of the risk and know how to handle it:
config.action_dispatch.perform_deep_munge = false
```
Default Headers
---------------
HTTP Security Headers
---------------------
Every HTTP response from your Rails application receives the following default security headers.
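Review bot: the heading rename from "Default Headers" to "HTTP Security Headers" also changes the section's generated anchor, so any cross-reference elsewhere in the guides that links to the old "default-headers" anchor should be updated in the same commit to avoid a dead link; the new underline of 21 dashes does match the 21-character title, which keeps the guide's setext heading style intact.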
@ -1073,11 +1073,13 @@ Here is a list of common headers:
### Content Security Policy
Rails provides a DSL that allows you to configure a
To help protect against XSS and injection attacks, it is recommended to define a
[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
for your application. You can configure a global default policy and then
for your application. Rails provides a DSL that allows you to configure a
Content Security Policy. You can configure a global default policy and then
override it on a per-resource basis and even use lambdas to inject per-request
values into the header such as account subdomains in a multi-tenant application.
values into the header such as account subdomains in a multi-tenant
application.
Example global policy:
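Review bot: the new opening sentence "To help protect against XSS and injection attacks" reads as though XSS were not itself an injection attack; suggest "XSS and other injection attacks" (or MDN's own wording, "XSS and data injection attacks", since the sentence links to that page). "To help protect" is the right strength of claim, as a CSP mitigates rather than prevents these, so the rest of the sentence and the re-wrapped "multi-tenant application" lines are fine.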
@ -1126,6 +1128,8 @@ class LegacyPagesController < ApplicationController
end
```
#### Reporting Violations
Use the `content_security_policy_report_only`
configuration attribute to set
[Content-Security-Policy-Report-Only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
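Review bot: the new "#### Reporting Violations" heading promises that violations are reported, but the text it introduces only names the `content_security_policy_report_only` attribute; a reader will also need to know that the browser only sends reports when the policy includes a `report-uri` or `report-to` directive pointing at an endpoint, otherwise report-only mode just logs to the developer console. Suggest one sentence to that effect under the new heading so the section delivers what its title says.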
@ -1144,7 +1148,12 @@ class PostsController < ApplicationController
end
```
You can enable automatic nonce generation:
#### Adding a Nonce
If you are considering 'unsafe-inline', consider using nonces instead. [Nonces
provide a substantial improvement](https://www.w3.org/TR/CSP3/#security-nonces)
over 'unsafe-inline' when implementing a Content Security Policy on top
existing code.
```ruby
# config/initializers/content_security_policy.rb
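Review bot: "on top existing code" in the new nonce paragraph is missing "of" ("on top of existing code"), and "If you are considering 'unsafe-inline', consider using nonces instead" repeats the verb; something like "If you are tempted to allow 'unsafe-inline', use nonces instead" reads better. The commit message says this change describes what nonces are used for, but the paragraph only says they are an improvement over 'unsafe-inline' without saying what a nonce is, so add a sentence such as "A nonce is a random value generated per request that Rails places in the policy header and that you add to each inline `<script>` tag, so that only those scripts run." Finally, the removed line "You can enable automatic nonce generation:" was the lead-in to the code block that now follows directly after the W3C link; keep a short lead-in before the fence so the initializer snippet is not left unintroduced.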