Add initializer for `secure_headers`

4 years ago · d4ad2503a9
1 changed files with 68 additions and 0 deletions
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@ -0,0 +1,68 @@
 force_ssl = %w[production].any? { |a| Rails.env == a } ? true : false
 # rubocop:disable Lint/PercentStringArray
 default_src = force_ssl ? %w(https: 'self') : %w('self')
 connect_src = %w('self')
 font_src = %w('self' data:)
 img_src = %w('self' data:)
 media_src = %w('self' data:)
 object_src = %w('self')
 script_src = %w('self' 'unsafe-inline' 'unsafe-eval')
 style_src = %w('self' 'unsafe-inline' data:)
 frame_ancestors_src = %w('self')
 img_src << "*.google-analytics.com bam.nr-data.net stats.g.doubleclick.net"
 connect_src << "*.google-analytics.com bam.nr-data.net cloudflareinsights.com "
 font_src << "fonts.gstatic.com"
 script_src << "www.google-analytics.com www.googletagmanager.com *.newrelic.com bam.nr-data.net *.cloudflare.com *.cloudflareinsights.com code.jquery.com"
 script_src << "www.recaptcha.net www.gstatic.com" if ENV["RECAPTCHA_ENABLED"] == "on"
 if ENV["SENTRY_DSN"].present?
  connect_src << "*.ingest.sentry.io"
  script_src << "*.sentry-cdn.com"
 end
 object_src << "application/x-shockwave-flash application/pdf"
 csp = {
  preserve_schemes: force_ssl,
  default_src: default_src,
  block_all_mixed_content: force_ssl,
  connect_src: connect_src.uniq,
  font_src: font_src.uniq,
  form_action: %w('self'),
  frame_ancestors: frame_ancestors_src.uniq,
  img_src: img_src.uniq,
  manifest_src: %w('self'),
  media_src: media_src.uniq,
  object_src: object_src.uniq,
  sandbox: false,
  script_src: script_src.uniq,
  style_src: style_src.uniq,
  worker_src: %w['self' blob:],
  upgrade_insecure_requests: force_ssl
 }
 # rubocop:enable Lint/PercentStringArray
 SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: force_ssl || SecureHeaders::OPT_OUT,
    httponly: true,
    samesite: {
      lax: true
    }
  }
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
  config.csp = csp
  if ENV["REPORT_URI_URL"].present?
    config.csp[:report_uri] ||= %w()
    config.csp[:report_uri] << ENV["REPORT_URI_URL"]
  end
 end