rack-protection/README.md
This gem protects against typical web attacks. Should work for all Rack apps, including Rails.
Use all protections you probably want to use:

```ruby
# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp
```

Skip a single protection middleware:

```ruby
# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp
```

Use a single protection middleware:

```ruby
# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
```
Prevented attacks, with the middleware that blocks each. Middleware marked "not included by `use Rack::Protection`" only runs when you add it explicitly, as in the last example above.

Host header attacks (including DNS rebinding), prevented by:

* `Rack::Protection::HostAuthorization` (not included by `use Rack::Protection`)

Cross-site request forgery, prevented by:

* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
* `Rack::Protection::JsonCsrf`
* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
* `Rack::Protection::RemoteToken`
* `Rack::Protection::HttpOrigin`

Cross-site scripting, prevented by:

* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
* `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
* `Rack::Protection::ContentSecurityPolicy`

Session hijacking, prevented by:

* `Rack::Protection::SessionHijacking` (not included by `use Rack::Protection`)

Cookie tossing, prevented by:

* `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)

Protocol downgrade attacks and cookie hijacking over plain HTTP, mitigated by:

* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)

Install the gem with:

```shell
gem install rack-protection
```
Instrumentation is enabled by passing in an instrumenter as an option:

```ruby
use Rack::Protection, instrumenter: ActiveSupport::Notifications
```

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is `'rack.protection'` and the attack type can be obtained from the environment key `'rack.protection.attack'`.
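As an added example (not part of rack-protection itself), here is a small instrumenter that satisfies the interface described above and tallies rejected requests by attack type, which is useful for feeding alerting or a SIEM. The sample env hashes are constructed, and the lowercased middleware class name used as the attack value is an assumption about rack-protection's convention, not something this README states.

```ruby
# Added example (not rack-protection's own code): a minimal instrumenter that
# records every request Rack::Protection rejects. The object passed as
# `instrumenter:` only needs to respond to instrument(namespace, env), the
# signature ActiveSupport::Notifications also provides. Wire it up with:
#   use Rack::Protection, instrumenter: AttackLog.new
require 'logger'
class AttackLog
  attr_reader :events
  def initialize(logger = Logger.new($stderr))
    @logger = logger
    @events = [] # one hash per blocked request
  end

  # Called with namespace 'rack.protection' and the Rack env of the
  # rejected request; the attack type is in env['rack.protection.attack'].
  def instrument(namespace, env)
    return unless namespace == 'rack.protection'
    event = {
      attack: env['rack.protection.attack'],
      method: env['REQUEST_METHOD'],
      path:   env['PATH_INFO'],
      ip:     env['REMOTE_ADDR']
    }
    @events << event
    @logger.warn("rack.protection blocked #{event[:attack]}: " \
                 "#{event[:method]} #{event[:path]} from #{event[:ip]}")
    event
  end
  # Blocked requests per attack type, e.g. {"jsoncsrf"=>2, "httporigin"=>1}
  def counts
    @events.each_with_object(Hash.new(0)) { |e, h| h[e[:attack]] += 1 }
  end
end
# Constructed sample envs in the shape the middleware hands to the instrumenter.
# Assumption: the attack value is the middleware class name, lowercased.
SAMPLE_ENVS = [
  { 'rack.protection.attack' => 'jsoncsrf', 'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => '/api/users.json', 'REMOTE_ADDR' => '203.0.113.5' },
  { 'rack.protection.attack' => 'jsoncsrf', 'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => '/api/keys.json', 'REMOTE_ADDR' => '203.0.113.5' },
  { 'rack.protection.attack' => 'httporigin', 'REQUEST_METHOD' => 'POST',
    'PATH_INFO' => '/account', 'REMOTE_ADDR' => '198.51.100.7' }
]

def demo_attack_log
  log = AttackLog.new(Logger.new(nil)) # silent logger for the offline demo
  SAMPLE_ENVS.each { |env| log.instrument('rack.protection', env) }
  log.counts
end
```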