Currently, Hanami uses a bespoke implementation for things like CSP and other security-related headers. Unfortunately, this implementation is somewhat handicapped compared to the secure-headers gem, for the following reasons:
- It is not possible (or easy) to override CSP directives, or other headers, per action
- It does not offer the ability to "compile" a CSP into a smaller, more efficient representation, as secure-headers does
- I would also argue that secure-headers is more secure by default, by forcing explicit opt-out behavior
- It is more battle tested
So, instead of hand-rolling a custom security configuration, I propose that we add official integration for SecureHeaders.
Example
For reference, here is how we use secure-headers in our apps (overriding the Hanami implementation):
# apps/web/application.rb
SecureHeaders::Configuration.override(:web) do |config|
  config.csp = Security::CSP.with(
    :self,
    :typekit,
    :fullstory,
  )
end
# apps/web/controllers/security
module Web
  module Controllers
    # Security context for all controllers
    module Security
      def self.included(action)
        action.class_eval do
          include SecureHeaders
          # Use the :web configuration from application.rb
          before { use_secure_headers_override(:web) }
        end
      end
    end
  end
end
Proposed API
We could provide a thin wrapper over the SecureHeaders::Configuration class, which would look something like:
module Web
  # Application config for web
  class Application < Hanami::Application
    configure do
      # will create an overridden config for the Web app
      security do
        x_frame_options "DENY"
        cookies secure: true
      end
    end
  end
end
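To make the proposal concrete, here is an added sketch (not Hanami's or secure-headers' own code) of how such a `security` block could be implemented: a small builder collects the settings declared in the block and writes them onto a config object through writer methods named after the SecureHeaders configuration attributes (`x_frame_options=`, `cookies=`, `csp=`). `StubConfig` is an assumed stand-in for `SecureHeaders::Configuration` so the example runs without the gem, and `build(base)` shows how an action-level block could extend the application-level policy, the per-action override the bespoke implementation lacks.

```ruby
module SecurityDSL
  # Stand-in for SecureHeaders::Configuration (constructed for this example;
  # the real class exposes many more attributes and validates their values).
  StubConfig = Struct.new(:x_frame_options, :cookies, :csp)

  # Collects the settings declared inside a `security do ... end` block.
  class Builder
    attr_reader :settings

    def initialize(settings = {})
      @settings = settings.dup # never mutate the caller's base settings
    end

    def x_frame_options(value)
      @settings[:x_frame_options] = value
    end

    def cookies(**opts)
      @settings[:cookies] = opts
    end

    # CSP directives as a hash, e.g. default_src: ["'self'"]. Directives declared
    # later are merged into earlier ones, so an action-level block can add a
    # source for one directive without restating the whole application policy.
    def csp(**directives)
      @settings[:csp] = (@settings[:csp] || {}).merge(directives)
    end
  end

  # Evaluate a DSL block starting from +base+ settings (empty at application
  # level; the application settings for a per-action override) and return the
  # resulting settings hash.
  def self.build(base = {}, &block)
    builder = Builder.new(base)
    builder.instance_eval(&block)
    builder.settings
  end

  # Write every collected setting onto +config+ via its "<name>=" writer, the
  # same shape SecureHeaders::Configuration.override yields its config in.
  def self.apply(config, settings)
    settings.each { |name, value| config.public_send("#{name}=", value) }
    config
  end

  # Entry point mirroring the proposed `security do ... end` call.
  def self.security(config = StubConfig.new, base = {}, &block)
    apply(config, build(base, &block))
  end
end
```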