Manages application of security headers with many safe defaults
MIT License
Published by oreoshake almost 10 years ago
The only change between this and the first pre-release is that X-Permitted-Cross-Domain-Policies support is included.
Published by oreoshake almost 10 years ago
This removes the forwarder and "experimental" feature. The forwarder wasn't well maintained and created a lot of headaches. Also, it was using an outdated certificate pack for compatibility. That's bad. The experimental feature wasn't really used and it complicated the codebase a lot. It's also a questionably useful API that is very confusing.
Published by oreoshake almost 10 years ago
This release is intended to be ready for CSP level 2. Mainly, this means there is direct support for hashes/nonces of inline content, and many new directives are included (which do not inherit from default-src).
Published by oreoshake about 10 years ago
@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
This just adds a new 'preload' option to the HSTS settings to specify that option.
Published by oreoshake about 10 years ago
Tagging Requests
It's often valuable to send extra information in the report-uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from".
{
:tag_report_uri => true,
:enforce => true,
:app_name => 'twitter',
:report_uri => 'csp_reports'
}
Results in
report-uri csp_reports?enforce=true&app_name=twitter
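An added example (not the secure_headers gem's own code) of the tagging the config above describes: it appends the enforce flag and app name to the report-uri, keeps any query string already on the endpoint, and picks the enforcing or report-only header name. The helper names and the directives hash are assumptions.

```ruby
require 'uri'

# Append enforcement state and app name to the report endpoint so the
# report collector can tell report-only from enforced violations and
# which application sent them (constructed example, not the gem's code).
def tagged_report_uri(config)
  uri = config.fetch(:report_uri)
  return uri unless config[:tag_report_uri]

  # Preserve any query string the report endpoint already carries.
  base, existing = uri.split('?', 2)
  params = existing ? URI.decode_www_form(existing) : []
  params << ['enforce', config.fetch(:enforce, false).to_s]
  params << ['app_name', config[:app_name]] if config[:app_name]
  "#{base}?#{URI.encode_www_form(params)}"
end

# Build the CSP header. In report-only mode violations are reported but
# nothing is blocked, so the header name must change with :enforce.
def csp_header(config, directives)
  name = if config.fetch(:enforce, false)
           'Content-Security-Policy'
         else
           'Content-Security-Policy-Report-Only'
         end
  value = directives.map { |directive, sources| "#{directive} #{sources}" }.join('; ')
  value << "; report-uri #{tagged_report_uri(config)}" if config[:report_uri]
  [name, value]
end

if __FILE__ == $PROGRAM_NAME
  cfg = { tag_report_uri: true, enforce: true, app_name: 'twitter', report_uri: 'csp_reports' }
  puts csp_header(cfg, 'default-src' => "'self'").join(': ')
end
```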