History

Wabo d9b86d464c Restore fork-specific features lost during upstream sync: - README.md: Restore WaboSign branding and content (was overwritten by upstream) - Routes: Restore account_logo, omniauth_callbacks, send_sms, sms test_message, sso create actions - Account model: Restore LOGO constants and logo attachment - User model: Restore EDITOR_ROLE, VIEWER_ROLE, editor?, viewer?, from_google_omniauth, signed_in_via_sso?, default_sso_account - Ability model: Restore role-based permissions (admin, editor, viewer) - SMS controller: Restore create and test_message actions - SSO controller: Restore create action and fix config key - Brakeman fix: Escape JSON in mcp_settings to fix XSS warning		3 weeks ago
..
lib	Restore fork-specific features lost during upstream sync:	3 weeks ago
Gemfile	Restore fork-specific features lost during upstream sync:	3 weeks ago
License	Restore fork-specific features lost during upstream sync:	3 weeks ago
README.md	Restore fork-specific features lost during upstream sync:	3 weeks ago
Rakefile	Restore fork-specific features lost during upstream sync:	3 weeks ago
rack-protection.gemspec	Restore fork-specific features lost during upstream sync:	3 weeks ago

README.md

Rack::Protection

This gem protects against typical web attacks. Should work for all Rack apps, including Rails.

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

DNS rebinding and other Host header attacks

Rack::Protection::HostAuthorization (not included by use Rack::Protection)

Cross Site Request Forgery

Prevented by:

Rack::Protection::AuthenticityToken (not included by use Rack::Protection)
Rack::Protection::FormToken (not included by use Rack::Protection)
Rack::Protection::JsonCsrf
Rack::Protection::RemoteReferrer (not included by use Rack::Protection)
Rack::Protection::RemoteToken
Rack::Protection::HttpOrigin

Cross Site Scripting

Prevented by:

Rack::Protection::EscapedParams (not included by use Rack::Protection)
Rack::Protection::XSSHeader (Internet Explorer and Chrome only)
Rack::Protection::ContentSecurityPolicy

Clickjacking

Prevented by:

Rack::Protection::FrameOptions

Directory Traversal

Prevented by:

Rack::Protection::PathTraversal

Session Hijacking

Prevented by:

Rack::Protection::SessionHijacking (not included by use Rack::Protection)

Prevented by:

Rack::Protection::CookieTossing (not included by use Rack::Protection)

IP Spoofing

Prevented by:

Rack::Protection::IPSpoofing

Prevented by:

Rack::Protection::StrictTransport (not included by use Rack::Protection)

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option.

use Rack::Protection, instrumenter: ActiveSupport::Notifications

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.

README.md

Rack::Protection

Usage

Prevented Attacks

DNS rebinding and other Host header attacks

Cross Site Request Forgery

Cross Site Scripting

Clickjacking

Directory Traversal

Session Hijacking

Cookie Tossing

IP Spoofing

Helps to protect against protocol downgrade attacks and cookie hijacking

Installation

Instrumentation