Repository: github/secure_headers (https://github.com/github/secure_headers)
Description: Manages application of security headers with many safe defaults
Language: Ruby. License: MIT License. Default branch: main.
Stars: 3226. Forks: 249. Watchers: 165. Open issues: 9.
Topics: content-security-policy, cookie, csp, hsts, middleware, rack, referrer-policy, ruby, secure-headers, xframe-options
Last updated: 2026-06-12 02:01:45. Last sync: 2026-06-11 03:14:46.

Summary: secure_headers is a Ruby library for managing an application's security headers, shipping with a number of safe defaults. Its core function is to automatically apply security-related HTTP headers such as Content Security Policy (CSP), HTTP Strict Transport Security (HSTS) and X-Frame-Options, helping to defend against common web attacks such as cross-site scripting and clickjacking. It can also add the Secure, HttpOnly and SameSite attributes to all HTTP cookies; this is on by default and can be turned off as needed. The project suits applications that need to harden their web security, particularly those built on Ruby on Rails or Sinatra.

# Secure Headers [![Build + Test](https://github.com/github/secure_headers/actions/workflows/build.yml/badge.svg)](https://github.com/github/secure_headers/actions/workflows/build.yml)

**The `main` branch represents the 7.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), [upgrading to 6.x doc](docs/upgrading-to-6-0.md) or [upgrading to 7.x doc](docs/upgrading-to-7-0.md) for instructions on how to upgrade. Bug fixes should go in the `6.x` branch for now.

The gem automatically applies several security-related headers:
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed content, and other classes of attack. [CSP 2 Specification](https://www.w3.org/TR/CSP2/)
  - https://csp.withgoogle.com
  - https://csp.withgoogle.com/docs/strict-csp.html
  - https://csp-evaluator.withgoogle.com
- HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the plain-http version of a website once it has seen the header, which protects against SSLStrip-style downgrades and Firesheep-style cookie sniffing. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx). Current browsers have removed this filter; the gem's default value is `0`, which turns it off (see Default values below).
- X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
- x-download-options - [Prevent downloaded files from opening directly](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
- x-permitted-cross-domain-policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
- referrer-policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
- expect-ct - Only use certificates that are present in the certificate transparency logs. [expect-ct draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/). The draft has expired and current browsers ignore this header.
- clear-site-data - Clears browser data for the origin. [clear-site-data specification](https://w3c.github.io/webappsec-clear-site-data/).

It can also mark all cookies with the Secure, HttpOnly and SameSite attributes. This is on by default but can be turned off with `config.cookies = SecureHeaders::OPT_OUT`.

`secure_headers` is a library with a global config, per-request overrides, and Rack middleware that lets you customize your application's settings.

## Documentation

- [Named overrides and appends](docs/named_overrides_and_appends.md)
- [Per action configuration](docs/per_action_configuration.md)
- [Cookies](docs/cookies.md)
- [Hashes](docs/hashes.md)
- [Sinatra Config](docs/sinatra.md)

## Configuration

If you do not supply a `default` configuration, the gem raises an exception (`NotYetConfiguredError`, see below). If you would like to use a default configuration (which is fairly locked down), just call `SecureHeaders::Configuration.default` without any arguments or block.

All `nil` values fall back to their default values. `SecureHeaders::OPT_OUT` disables the header entirely.

**Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.

```ruby
SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: true, # mark all cookies as "Secure"
    httponly: true, # mark all cookies as "HttpOnly"
    samesite: {
      lax: true # mark all cookies as SameSite=lax
    }
  }
  # Add "; preload" and submit the site to hstspreload.org for best protection.
  config.hsts = "max-age=#{1.week.to_i}"
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
  config.csp = {
    # "Meta" values. These shape the header, but the values themselves are not included in the header.
    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
    disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.

    # Directive values: these translate directly into source directives.
    default_src: %w('none'),
    base_uri: %w('self'),
    child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
    connect_src: %w(wss:),
    font_src: %w('self' data:),
    form_action: %w('self' github.com),
    frame_ancestors: %w('none'),
    img_src: %w(mycdn.com data:),
    manifest_src: %w('self'),
    media_src: %w(utoob.com),
    object_src: %w('self'),
    sandbox: true, # true and [] will set a maximally restrictive setting
    plugin_types: %w(application/x-shockwave-flash),
    script_src: %w('self'),
    script_src_elem: %w('self'),
    script_src_attr: %w('self'),
    style_src: %w('unsafe-inline'),
    style_src_elem: %w('unsafe-inline'),
    style_src_attr: %w('unsafe-inline'),
    worker_src: %w('self'),
    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
    report_uri: %w(https://report-uri.io/example-csp)
  }
  # This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
  config.csp_report_only = config.csp.merge({
    img_src: %w(somewhereelse.com),
    report_uri: %w(https://report-uri.io/example-csp-report-only)
  })

  # Optional: Use the modern report-to directive (with Reporting-Endpoints header)
  config.csp = config.csp.merge({
    report_to: "csp-endpoint"
  })

  # When using report-to, configure the reporting endpoints header
  config.reporting_endpoints = {
    "csp-endpoint": "https://report-uri.io/example-csp",
    "csp-report-only": "https://report-uri.io/example-csp-report-only"
  }
end
```

Note that the sample sets `x_xss_protection = "1; mode=block"`, whereas the gem's own default is `0`; the legacy filter has been removed from current browsers and has been known to introduce side-channel issues, so `0` is the safer choice unless you still need to support browsers that have it.

### CSP Reporting

SecureHeaders supports both the legacy `report-uri` and the modern `report-to` directives for CSP violation reporting:

#### report-uri (Legacy)
The `report-uri` directive sends violations to a URL endpoint. It is widely supported but limited to one POST request with a JSON payload per violation.

```ruby
config.csp = {
  default_src: %w('self'),
  report_uri: %w(https://example.com/csp-report)
}
```

#### report-to (Modern)
The `report-to` directive names a reporting endpoint defined in the `Reporting-Endpoints` header. This enables more flexible (batched) reporting through the HTTP Reporting API standard.

```ruby
config.csp = {
  default_src: %w('self'),
  report_to: "csp-endpoint"
}

config.reporting_endpoints = {
  "csp-endpoint": "https://example.com/reports"
}
```

**Recommendation:** Use both `report-uri` and `report-to` for maximum compatibility while transitioning to the modern approach. Browsers that understand `report-to` ignore `report-uri`, so you will not receive duplicate reports from them.

### Deprecated Configuration Values
* `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content for more information.

## Default values

All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:

```
content-security-policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
strict-transport-security: max-age=631138519
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: sameorigin
x-permitted-cross-domain-policies: none
x-xss-protection: 0
```

## API configurations

Which headers to send on API responses is a judgment call. Headers like X-Frame-Options seem to have no place in an API response and waste bytes. While that is true, browsers can do surprising things with non-HTML responses (rendering a JSON body as a document, for example). At a minimum, we suggest CSP:

```ruby
SecureHeaders::Configuration.override(:api) do |config|
  config.csp = { default_src: 'none' }
  config.hsts = SecureHeaders::OPT_OUT
  config.x_frame_options = SecureHeaders::OPT_OUT
  config.x_content_type_options = SecureHeaders::OPT_OUT
  config.x_xss_protection = SecureHeaders::OPT_OUT
  config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
end
```

However, consider keeping the full set of headers on API responses anyway, depending on your load and bandwidth requirements.

## Disabling secure_headers

If you want to disable `secure_headers` entirely (e.g., for specific environments or deployment scenarios), you can use `Configuration.disable!`:

```ruby
if ENV["ENABLE_STRICT_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    # your configuration here
  end
else
  SecureHeaders::Configuration.disable!
end
```

**Important**: This configuration must be set during application startup (e.g., in an initializer). Once you call either `Configuration.default` or `Configuration.disable!`, the choice cannot be changed at runtime. Attempting to call `disable!` after `default` (or vice versa) will raise an `AlreadyConfiguredError`.

When disabled, no security headers will be set by the gem. This is useful when:
- You're gradually rolling out secure_headers across different customers or deployments
- You need to migrate existing custom headers to secure_headers
- You want environment-specific control over security headers

Note: When `disable!` is used, you don't need to configure a default configuration. The gem will not raise a `NotYetConfiguredError`.

## Acknowledgements

This project originated within the Security team at Twitter. An archived fork from the point of transition is here: https://github.com/twitter-archive/secure_headers.

Contributors include:
* Neil Matatall @oreoshake
* Chris Aniszczyk
* Artur Dryomov
* Bjørn Mæland
* Arthur Chiu
* Jonathan Viney
* Jeffrey Horn
* David Collazo
* Brendon Murphy
* William Makley
* Reed Loden
* Noah Kantrowitz
* Wyatt Anderson
* Salimane Adjao Moustapha
* Francois Chagnon
* Jeff Hodges
* Ian Melven
* Darío Javier Cravero
* Logan Hasson
* Raul E Rangel
* Steve Agalloco
* Nate Collings
* Josh Kalderimis
* Alex Kwiatkowski
* Julich Mera
* Jesse Storimer
* Tom Daniels
* Kolja Dummann
* Jean-Philippe Doyle
* Blake Hitchcock
* vanderhoorn
* orthographic-pedant
* Narsimham Chelluri

If you've made a contribution and see your name missing from the list, make a PR and add it!

## Similar libraries

* Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)
* Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
* Node.js (hapi) [blankie](https://github.com/nlf/blankie)
* ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security), [secure](https://github.com/TypeError/secure)
* Go - [secureheader](https://github.com/kr/secureheader)
* Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
* Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
* Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/)
* PHP [secure-headers](https://github.com/BePsvPT/secure-headers)
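The CSP hash in the Configuration section above carries two "meta" keys (`preserve_schemes` and `disable_nonce_backwards_compatibility`) that shape the header without appearing in it. The following is an added example, not code from the secure_headers gem, showing a small renderer that turns such a hash into a `Content-Security-Policy` value and a `Reporting-Endpoints` value with those semantics applied: scheme stripping on host sources only, `sandbox` with `true`/`[]` as the most restrictive form, boolean directives like `upgrade-insecure-requests`, and the automatic `'unsafe-inline'` added alongside a nonce unless backwards compatibility is disabled. The function names and `SAMPLE_CSP` are assumptions for illustration.

```ruby
# Added example, not code from the secure_headers gem. Renders a CSP hash shaped
# like the README's example into header values; names and SAMPLE_CSP are assumed.

META_KEYS          = %i[preserve_schemes disable_nonce_backwards_compatibility].freeze
BOOLEAN_DIRECTIVES = %i[upgrade_insecure_requests block_all_mixed_content].freeze
VERBATIM_VALUES    = %i[report_uri report_to].freeze   # never strip schemes from these
NONCE_DIRECTIVES   = %i[script_src style_src].freeze

# With preserve_schemes false, "https://cdn.example.com" becomes "cdn.example.com";
# quoted keywords ('self') and scheme-only sources (https:, data:, wss:) are kept.
def normalize_source(src, preserve_schemes)
  return src if preserve_schemes || src.start_with?("'")
  return src if src.match?(/\A[a-z][a-z0-9+.-]*:\z/i)
  src.sub(%r{\A[a-z][a-z0-9+.-]*://}i, "")
end

def render_directive(name, value, preserve_schemes, nonce_compat)
  directive = name.to_s.tr("_", "-")
  if name == :sandbox
    # true and [] both mean the maximally restrictive sandbox (no allow-* flags).
    return (value == true || value == []) ? "sandbox" : "sandbox #{Array(value).join(' ')}"
  elsif BOOLEAN_DIRECTIVES.include?(name)
    return value ? directive : nil
  end
  sources = Array(value)
  sources = sources.map { |s| normalize_source(s, preserve_schemes) } unless VERBATIM_VALUES.include?(name)
  # Nonce backwards compatibility: browsers that understand nonces ignore
  # 'unsafe-inline' when a nonce is present, so adding it only affects old ones.
  if nonce_compat && sources.any? { |s| s.start_with?("'nonce-") } && !sources.include?("'unsafe-inline'")
    sources += ["'unsafe-inline'"]
  end
  "#{directive} #{sources.join(' ')}"
end

def render_csp(config, nonce: nil)
  preserve_schemes = config.fetch(:preserve_schemes, false)
  nonce_compat     = !config.fetch(:disable_nonce_backwards_compatibility, false)
  config.each_with_object([]) do |(name, value), out|
    next if META_KEYS.include?(name)
    value = Array(value) + ["'nonce-#{nonce}'"] if nonce && NONCE_DIRECTIVES.include?(name)
    rendered = render_directive(name, value, preserve_schemes, nonce_compat)
    out << rendered if rendered
  end.join("; ")
end

# Reporting-Endpoints is a dictionary of name="url" members.
def render_reporting_endpoints(endpoints)
  endpoints.map { |name, url| %(#{name}="#{url}") }.join(", ")
end

# Constructed sample config (an assumption modelled on the README's example).
SAMPLE_CSP = {
  preserve_schemes: false,
  default_src: %w('none'),
  script_src: %w('self' https://cdn.example.com),
  style_src: %w('unsafe-inline'),
  img_src: %w(https://mycdn.com data:),
  connect_src: %w(wss:),
  sandbox: true,
  upgrade_insecure_requests: true,
  report_uri: %w(https://reports.example.com/csp),
  report_to: "csp-endpoint"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_csp(SAMPLE_CSP)
  puts render_csp(SAMPLE_CSP, nonce: "r4nd0m")
  puts render_csp(SAMPLE_CSP.merge(disable_nonce_backwards_compatibility: true), nonce: "r4nd0m")
  puts render_reporting_endpoints({ "csp-endpoint": "https://reports.example.com/csp" })
end
```

Running the script prints the policy three ways: plain, with a nonce and the compatibility `'unsafe-inline'` appended to `script-src`, and with the nonce alone once `disable_nonce_backwards_compatibility` is set. Feeding each variant to csp-evaluator is a quick way to see why the strict form is preferred where legacy browsers are not a concern.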
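The Default values, API configurations and cookie sections above describe three behaviours: a default header set applied to every response, an override profile that opts most headers out for API routes, and Secure/HttpOnly/SameSite flags added to every cookie. The following is an added example, not code from the secure_headers gem, of a Rack-style middleware that does those three things on a plain `[status, headers, body]` triple. The header values copy the README's "Default values" and `:api` override; the middleware class, the `OPT_OUT` sentinel, the `/api` path rule and `SAMPLE_APP` are assumptions for illustration.

```ruby
# Added example, not code from the secure_headers gem. Header values are copied
# from the README; the middleware, OPT_OUT, the /api rule and SAMPLE_APP are assumed.

OPT_OUT = :opt_out   # stands in for SecureHeaders::OPT_OUT: the header is not set

DEFAULT_HEADERS = {
  "content-security-policy" => "default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'",
  "strict-transport-security" => "max-age=631138519",
  "x-content-type-options" => "nosniff",
  "x-download-options" => "noopen",
  "x-frame-options" => "sameorigin",
  "x-permitted-cross-domain-policies" => "none",
  "x-xss-protection" => "0"
}.freeze

# Mirrors the README's :api override: CSP locked down, browser-only headers opted out.
API_HEADERS = DEFAULT_HEADERS.merge(
  "content-security-policy" => "default-src 'none'",
  "strict-transport-security" => OPT_OUT,
  "x-frame-options" => OPT_OUT,
  "x-content-type-options" => OPT_OUT,
  "x-xss-protection" => OPT_OUT,
  "x-permitted-cross-domain-policies" => OPT_OUT
).freeze

COOKIE_ATTRIBUTES = %w[Secure HttpOnly SameSite=Lax].freeze

# Append each attribute unless the cookie already carries one with that name, so
# an explicit SameSite=Strict or SameSite=None set by the app is not overridden.
def secure_cookie(set_cookie, attributes = COOKIE_ATTRIBUTES)
  parts = set_cookie.strip.split(/;\s*/)
  present = parts.drop(1).map { |p| p.split("=", 2).first.downcase }
  attributes.each do |attr|
    parts << attr unless present.include?(attr.split("=", 2).first.downcase)
  end
  parts.join("; ")
end

class SecureHeadersMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    profile = env["PATH_INFO"].to_s.start_with?("/api") ? API_HEADERS : DEFAULT_HEADERS
    profile.each do |name, value|
      next if value == OPT_OUT
      headers[name] ||= value   # a header the app set explicitly wins
    end
    cookies = headers["set-cookie"]
    if cookies
      # Rack 3 uses an Array of cookies; Rack 2 joins them with "\n". Keep the shape.
      list = cookies.is_a?(Array) ? cookies : cookies.split("\n")
      secured = list.map { |c| secure_cookie(c) }
      headers["set-cookie"] = cookies.is_a?(Array) ? secured : secured.join("\n")
    end
    [status, headers, body]
  end
end

# Constructed sample app: serves HTML and sets one cookie with no flags.
SAMPLE_APP = lambda do |_env|
  [200, { "content-type" => "text/html", "set-cookie" => ["session=abc; Path=/"] }, ["<p>hi</p>"]]
end

def response_headers_for(path)
  _status, headers, _body = SecureHeadersMiddleware.new(SAMPLE_APP).call("PATH_INFO" => path)
  headers
end

if __FILE__ == $PROGRAM_NAME
  response_headers_for("/").each { |k, v| puts "#{k}: #{v}" }
  puts
  response_headers_for("/api/v1/users").each { |k, v| puts "#{k}: #{v}" }
end
```

The `||=` on each header is the same "nil falls back to the default" rule the README describes, and the cookie rewrite only adds attributes it does not find, so a cookie the application deliberately marks `SameSite=None; Secure` for a cross-site flow keeps that setting.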
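The CSP Reporting section above recommends sending both `report-uri` and `report-to`, which means the receiving endpoint sees two different payload shapes: `report-uri` posts one `application/csp-report` object per violation with kebab-case fields, while the Reporting API posts batched `application/reports+json` arrays whose `csp-violation` bodies use camelCase fields. The following is an added example, not code from the secure_headers gem, of a receiver that normalises both into one record and flags the violations worth looking at first. The sample payloads are constructed for illustration rather than captured from a browser; `Violation`, `parse_csp_reports` and `third_party_script?` are assumptions.

```ruby
# Added example, not code from the secure_headers gem. Normalises report-uri and
# report-to violation payloads; sample reports below are constructed, not captured.
require "json"

Violation = Struct.new(:document, :directive, :blocked, :disposition, :via, keyword_init: true)

# report-uri: Content-Type application/csp-report, one {"csp-report": {...}} per POST.
# report-to:  Content-Type application/reports+json, an array of {type, url, body}.
def parse_csp_reports(body, content_type)
  data = JSON.parse(body)
  case content_type.split(";").first.strip
  when "application/csp-report"
    r = data.fetch("csp-report")
    [Violation.new(document: r["document-uri"],
                   directive: r["effective-directive"] || r["violated-directive"],
                   blocked: r["blocked-uri"],
                   disposition: r["disposition"],   # older browsers omit this field
                   via: "report-uri")]
  when "application/reports+json"
    data.select { |r| r["type"] == "csp-violation" }.map do |r|
      b = r.fetch("body")
      Violation.new(document: b["documentURL"], directive: b["effectiveDirective"],
                    blocked: b["blockedURL"], disposition: b["disposition"], via: "report-to")
    end
  else
    raise ArgumentError, "unsupported report Content-Type: #{content_type}"
  end
end

# Triage: a blocked third-party script host is the interesting case; "inline" or
# "eval" under script-src is usually a first-party script missing its nonce.
def third_party_script?(v)
  v.directive.to_s.start_with?("script-src") && v.blocked.to_s.start_with?("http")
end

REPORT_URI_POST = <<~JSON
  {"csp-report":{"document-uri":"https://app.example.com/dashboard",
   "violated-directive":"script-src","effective-directive":"script-src",
   "original-policy":"default-src 'none'; script-src 'self'; report-uri https://reports.example.com/csp",
   "blocked-uri":"https://evil.example.net/x.js","status-code":200,"disposition":"enforce"}}
JSON

REPORTING_API_POST = <<~JSON
  [{"age":12,"type":"csp-violation","url":"https://app.example.com/dashboard","user_agent":"Mozilla/5.0",
    "body":{"documentURL":"https://app.example.com/dashboard","effectiveDirective":"script-src",
            "originalPolicy":"default-src 'none'; script-src 'self'; report-to csp-endpoint",
            "blockedURL":"inline","statusCode":200,"disposition":"report"}}]
JSON

if __FILE__ == $PROGRAM_NAME
  legacy = parse_csp_reports(REPORT_URI_POST, "application/csp-report")
  modern = parse_csp_reports(REPORTING_API_POST, "application/reports+json")
  (legacy + modern).each do |v|
    flag = third_party_script?(v) ? " <- third-party script" : ""
    puts "#{v.via}: #{v.directive} blocked #{v.blocked} on #{v.document} (#{v.disposition})#{flag}"
  end
end
```

Dispatching on `Content-Type` rather than on the URL lets a single endpoint serve both `report_uri` and the `Reporting-Endpoints` entry, and rejecting anything else keeps the endpoint from becoming a sink for arbitrary JSON.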