Add initializer for `secure_headers`

4 years ago · d4ad2503a9
1 changed files with 68 additions and 0 deletions
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@ -0,0 +1,68 @@
+force_ssl = %w[production].any? { |a| Rails.env == a } ? true : false
+
+# rubocop:disable Lint/PercentStringArray
+default_src = force_ssl ? %w(https: 'self') : %w('self')
+connect_src = %w('self')
+font_src = %w('self' data:)
+img_src = %w('self' data:)
+media_src = %w('self' data:)
+object_src = %w('self')
+script_src = %w('self' 'unsafe-inline' 'unsafe-eval')
+style_src = %w('self' 'unsafe-inline' data:)
+frame_ancestors_src = %w('self')
+
+img_src << "*.google-analytics.com bam.nr-data.net stats.g.doubleclick.net"
+connect_src << "*.google-analytics.com bam.nr-data.net cloudflareinsights.com "
+font_src << "fonts.gstatic.com"
+script_src << "www.google-analytics.com www.googletagmanager.com *.newrelic.com bam.nr-data.net *.cloudflare.com *.cloudflareinsights.com code.jquery.com"
+script_src << "www.recaptcha.net www.gstatic.com" if ENV["RECAPTCHA_ENABLED"] == "on"
+
+if ENV["SENTRY_DSN"].present?
+  connect_src << "*.ingest.sentry.io"
+  script_src << "*.sentry-cdn.com"
+end
+
+object_src << "application/x-shockwave-flash application/pdf"
+
+csp = {
+  preserve_schemes: force_ssl,
+  default_src: default_src,
+  block_all_mixed_content: force_ssl,
+  connect_src: connect_src.uniq,
+  font_src: font_src.uniq,
+  form_action: %w('self'),
+  frame_ancestors: frame_ancestors_src.uniq,
+  img_src: img_src.uniq,
+  manifest_src: %w('self'),
+  media_src: media_src.uniq,
+  object_src: object_src.uniq,
+  sandbox: false,
+  script_src: script_src.uniq,
+  style_src: style_src.uniq,
+  worker_src: %w['self' blob:],
+  upgrade_insecure_requests: force_ssl
+}
+# rubocop:enable Lint/PercentStringArray
+
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: force_ssl || SecureHeaders::OPT_OUT,
+    httponly: true,
+    samesite: {
+      lax: true
+    }
+  }
+  config.x_frame_options = "DENY"
+  config.x_content_type_options = "nosniff"
+  config.x_xss_protection = "1; mode=block"
+  config.x_download_options = "noopen"
+  config.x_permitted_cross_domain_policies = "none"
+  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
+
+  config.csp = csp
+
+  if ENV["REPORT_URI_URL"].present?
+    config.csp[:report_uri] ||= %w()
+    config.csp[:report_uri] << ENV["REPORT_URI_URL"]
+  end
+end