Merge pull request #9 from ausaccessfed/feature/dev-to-master

Feature/dev to master
ausaccessfed · Sep 14, 2022 · 442b4e8 · 442b4e8
2 parents a53a219 + 267aa8c
commit 442b4e8
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 12 deletions.
diff --git a/Makefile b/Makefile
@@ -0,0 +1,4 @@
+publish-gem:
+	gem build aaf-secure_headers.gemspec
+	gem push aaf-secure_headers-*.gem
+	rm aaf-secure_headers-*.gem
diff --git a/aaf-secure_headers.gemspec b/aaf-secure_headers.gemspec
@@ -21,11 +21,11 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'secure_headers', '~> 3.5.0.pre'
+  spec.add_dependency 'secure_headers'
   spec.add_dependency 'activesupport'
 
-  spec.add_development_dependency 'bundler', '~> 1.12'
-  spec.add_development_dependency 'rake', '~> 10.0'
-  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake', '>= 12.3.3'
+  spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'actionpack'
 end
diff --git a/lib/aaf/secure_headers.rb b/lib/aaf/secure_headers.rb
@@ -9,9 +9,7 @@ module SecureHeaders
       config.cookies = {
         secure: true,
         httponly: true,
-        samesite: {
-          lax: false
-        }
+        samesite: ::SecureHeaders::OPT_OUT
       }
 
       config.hsts = "max-age=#{6.months.to_i}; includeSubdomains; preload"
@@ -20,7 +18,7 @@ module SecureHeaders
       config.x_xss_protection = '1; mode=block'
       config.x_download_options = 'noopen'
       config.x_permitted_cross_domain_policies = 'none'
-      config.referrer_policy = 'no-referrer'
+      config.referrer_policy = 'strict-origin'
 
       config.csp = {
         preserve_schemes: false,
@@ -40,10 +38,10 @@ module SecureHeaders
     end
 
     class <<self
-      def development_mode!
+      def development_mode!(use_default_overrides: true)
         ensure_rails
         insert_dev_middleware
-        override_dev_configuration
+        override_dev_configuration if use_default_overrides
       end
 
       private

diff --git a/lib/aaf/secure_headers/version.rb b/lib/aaf/secure_headers/version.rb
@@ -1,5 +1,5 @@
 module AAF
   module SecureHeaders
-    VERSION = '2.0.0'.freeze
+    VERSION = '3.1.0'.freeze
   end
 end
diff --git a/spec/aaf/secure_headers_spec.rb b/spec/aaf/secure_headers_spec.rb
@@ -11,6 +11,8 @@
       spy(SecureHeaders::Configuration, csp: csp_config)
     end
 
+    let(:use_default_overrides) { true }
+
     before do
       allow(Rails).to receive_message_chain(:application, :config, :middleware)
         .and_return(middleware)
@@ -20,7 +22,18 @@
     end
 
     def run
-      subject.development_mode!
+      subject.development_mode!(use_default_overrides: use_default_overrides)
+    end
+
+    context 'when disabling default overrides' do
+      let(:use_default_overrides) { false }
+
+      it 'doesnt override the defaults' do
+        run
+        expect(secure_headers_config).not_to have_received(:hsts=).with(nil)
+        expect(csp_config).not_to have_received(:[]=)
+          .with(:upgrade_insecure_requests, false)
+      end
     end
 
     it 'raises an exception when Rails is undefined' do