Learn more »
Push, build, and install
RubyGems
npm packages
Python packages
Maven artifacts
PHP packages
Go Modules
Bower components
Debian packages
RPM packages
NuGet packages
/ opt / logstash / vendor / bundle / jruby / 2.1 / gems / rack-protection-1.5.3
| .. |
| lib |
| spec |
| License |
| README.md |
| Rakefile |
| rack-protection.gemspec |
You should use protection!
This gem protects against typical web attacks. Should work for all Rack apps, including Rails.
Usage
Use all protections you probably want to use:
# config.ru require 'rack/protection' use Rack::Protection run MyApp
Skip a single protection middleware:
# config.ru require 'rack/protection' use Rack::Protection, :except => :path_traversal run MyApp
Use a single protection middleware:
# config.ru require 'rack/protection' use Rack::Protection::AuthenticityToken run MyApp
Prevented Attacks
Cross Site Request Forgery
Prevented by:
-
Rack::Protection::AuthenticityToken(not included byuse Rack::Protection) -
Rack::Protection::FormToken(not included byuse Rack::Protection) Rack::Protection::JsonCsrf-
Rack::Protection::RemoteReferrer(not included byuse Rack::Protection) Rack::Protection::RemoteTokenRack::Protection::HttpOrigin
Cross Site Scripting
Prevented by:
-
Rack::Protection::EscapedParams(not included byuse Rack::Protection) -
Rack::Protection::XSSHeader(Internet Explorer only)
Clickjacking
Prevented by:
Rack::Protection::FrameOptions
Directory Traversal
Prevented by:
Rack::Protection::PathTraversal
Session Hijacking
Prevented by:
Rack::Protection::SessionHijacking
IP Spoofing
Prevented by:
Rack::Protection::IPSpoofing
Installation
gem install rack-protection
Instrumentation
Instrumentation is enabled by passing in an instrumenter as an option.
use Rack::Protection, instrumenter: ActiveSupport::Notifications
The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.