Rack::Protection
Usage
Use all protections you probably want to use:
```ruby
# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp
```
Skip a single protection middleware:
```ruby
# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp
```
Use a single protection middleware:
```ruby
# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
```
Prevented Attacks
DNS rebinding and other Host header attacks
- Rack::Protection::HostAuthorization (not included by `use Rack::Protection`)
Cross Site Request Forgery
Prevented by:
- Rack::Protection::AuthenticityToken (not included by `use Rack::Protection`)
- Rack::Protection::FormToken (not included by `use Rack::Protection`)
- Rack::Protection::JsonCsrf
- Rack::Protection::RemoteReferrer (not included by `use Rack::Protection`)
- Rack::Protection::RemoteToken
- Rack::Protection::HttpOrigin
Cross Site Scripting
Prevented by:
- Rack::Protection::EscapedParams (not included by `use Rack::Protection`)
- Rack::Protection::XSSHeader (Internet Explorer and Chrome only)
- Rack::Protection::ContentSecurityPolicy
Clickjacking
Prevented by:
Directory Traversal
Prevented by:
Session Hijacking
Prevented by:
- Rack::Protection::SessionHijacking (not included by `use Rack::Protection`)
Cookie Tossing
Prevented by:
- Rack::Protection::CookieTossing (not included by `use Rack::Protection`)
IP Spoofing
Prevented by:
Helps to protect against protocol downgrade attacks and cookie hijacking
Prevented by:
- Rack::Protection::StrictTransport (not included by `use Rack::Protection`)
Installation
```sh
gem install rack-protection
```
Instrumentation
Instrumentation is enabled by passing in an instrumenter as an option.
```ruby
use Rack::Protection, instrumenter: ActiveSupport::Notifications
```
The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
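As an added example (not part of this README or the gem), a small custom instrumenter that follows the contract above: any object responding to `instrument(namespace, env)` can be passed as the `instrumenter:` option, so this one turns each blocked request into a structured log line and keeps a per-attack-type tally for alerting. The `AttackLogger` class and the sample env are assumptions constructed for the demonstration.

```ruby
# Added example: a custom instrumenter for Rack::Protection (not the gem's
# own code). Wire it in with:
#   use Rack::Protection, instrumenter: AttackLogger.new
require 'json'
require 'stringio'

class AttackLogger
  attr_reader :counts, :records

  def initialize(io = $stderr)
    @io = io
    @counts = Hash.new(0)   # attack type => number of blocked requests
    @records = []           # every structured record emitted so far
  end

  # Rack::Protection calls this with the namespace 'rack.protection' and the
  # Rack env of the request it rejected. Returns the record that was logged,
  # or nil for namespaces this logger does not handle.
  def instrument(namespace, env)
    return nil unless namespace == 'rack.protection'

    attack = env['rack.protection.attack'].to_s
    record = {
      'event'   => namespace,
      'attack'  => attack,
      'method'  => env['REQUEST_METHOD'],
      'path'    => env['PATH_INFO'],
      'ip'      => env['REMOTE_ADDR'],
      'referer' => env['HTTP_REFERER']
    }
    @counts[attack] += 1
    @records << record
    @io.puts(JSON.generate(record))   # one JSON object per line for log shipping
    record
  end
end

# Constructed sample env, shaped like the one Rack::Protection hands the
# instrumenter when the path traversal middleware rejects a request.
SAMPLE_ENV = {
  'REQUEST_METHOD'         => 'GET',
  'PATH_INFO'              => '/static/../../etc/passwd',
  'REMOTE_ADDR'            => '203.0.113.7',
  'rack.protection.attack' => 'path_traversal'
}.freeze

if __FILE__ == $PROGRAM_NAME
  logger = AttackLogger.new
  logger.instrument('rack.protection', SAMPLE_ENV)
  puts logger.counts.inspect
end
```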
