
Rack middleware to add to a microservice so that requests reach the Heroku servers only when they carry the expected key in the x-api-secret header.
Add this line to your application's Gemfile:
gem 'heroku_lockdown'
And then execute:
$ bundle
Or install it yourself as:
$ gem install heroku_lockdown
In the configuration block of config/application.rb, add:
module SomeService
  REPORTING_VERSION = '1.4'
  class Application < Rails::Application
    # Insert the middleware before Rack::Runtime so the key check runs before
    # the rest of the stack. Pass the class constant: Rails 5.1 removed support
    # for naming middleware by string. The last argument is an array of anchored
    # path regexes allowed without the key (see additional_path_regexes below).
    config.middleware.insert_before(Rack::Runtime, HerokuLockdown::SecureAccess,
                                    ENV['X_API_SECRET'], REPORTING_VERSION,
                                    [/\A\/v\d\/swagger\z/i])
  end
end
This places the middleware near the beginning of the Rails middleware stack. The check should run as early as possible, before any work is done on behalf of an unauthenticated request. As Rails evolves, the exact insertion point may need to change.
The key that the service expects is stored in the environment variable X_API_SECRET. Each service should have its own unique key.
additional_path_regexes are regular expressions for any other paths (path only, no host) that should be allowed without supplying the required key. For security it is best if they are complete and anchored at both ends, e.g. /\A\/v\d\/swagger\z/i (note that the slashes inside a Ruby regex literal must be escaped; %r{\A/v\d/swagger\z}i is equivalent). An unanchored pattern such as /swagger/ would also allow /orders/swagger, or any other path containing that substring, through without a key.
In normal operation, the gateway routers insert the x-api-secret header with the appropriate key, so the check is invisible to clients. The effect is to require access to go through the gateway's public endpoints rather than communicating directly with the Heroku servers.
If the X_API_SECRET environment variable is not defined in the service, then the key is not required. This allows local development without keys, and disabling the lockdown when needed. The flip side is that a missing or empty variable silently disables the protection, so make sure it is set on every production Heroku app and treat its absence there as a deployment error.
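To make the behaviour described above concrete, here is an added illustration of a Rack middleware with the same contract: the x-api-secret header is compared against a secret taken from the environment, anchored path regexes are allowed through without the key, and the lockdown is disabled when the secret is unset or empty. This is not the heroku_lockdown gem's own code. The class name LockdownExample::SecureAccess, the 403 plain-text response, the constant-time comparison and the sample paths are assumptions, and the REPORTING_VERSION argument is omitted because the page does not say what it does.

```ruby
# Added example, not the heroku_lockdown gem's code. Rack-compatible middleware:
# #call(env) returns [status, headers, body]. No gems required.
module LockdownExample
  class SecureAccess
    # Rack exposes the x-api-secret request header under this env key.
    HEADER_ENV_KEY = 'HTTP_X_API_SECRET'

    # secret: value of ENV['X_API_SECRET']; nil or "" disables the lockdown.
    # allowed_path_regexes: anchored regexes for paths that need no key.
    def initialize(app, secret, allowed_path_regexes = [])
      @app = app
      @secret = secret.to_s.empty? ? nil : secret.to_s
      @allowed = allowed_path_regexes
    end

    def call(env)
      return @app.call(env) if @secret.nil?               # lockdown disabled (local dev)
      path = env['PATH_INFO'].to_s
      return @app.call(env) if @allowed.any? { |re| re.match?(path) }  # allowlisted path
      presented = env[HEADER_ENV_KEY].to_s                 # "" when header is absent
      return @app.call(env) if secure_equal?(presented, @secret)
      [403, { 'content-type' => 'text/plain' }, ['Forbidden']]  # assumed response
    end

    private

    # Constant-time comparison so a wrong key takes the same time regardless of
    # which byte first differs. Length is allowed to leak, as in Rack::Utils.secure_compare.
    def secure_equal?(a, b)
      return false unless a.bytesize == b.bytesize
      diff = 0
      a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
      diff.zero?
    end
  end
end

# Stand-in for the downstream Rails app (constructed for this example).
DOWNSTREAM = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Builds the middleware with one allowlisted swagger path (assumed) and returns
# the HTTP status for a GET to `path`, optionally carrying the x-api-secret header.
def lockdown_status(secret:, path:, header: nil)
  app = LockdownExample::SecureAccess.new(DOWNSTREAM, secret, [%r{\A/v\d+/swagger\z}i])
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env['HTTP_X_API_SECRET'] = header if header
  app.call(env).first
end

if __FILE__ == $0
  puts lockdown_status(secret: 's3cret', path: '/orders', header: 's3cret')   # 200
  puts lockdown_status(secret: 's3cret', path: '/orders', header: 'wrong')    # 403
  puts lockdown_status(secret: 's3cret', path: '/orders')                     # 403
  puts lockdown_status(secret: 's3cret', path: '/v1/swagger')                 # 200
  puts lockdown_status(secret: 's3cret', path: '/v1/swagger/../admin')        # 403
  puts lockdown_status(secret: nil, path: '/orders')                          # 200 (disabled)
end
```

The last two cases are the ones worth remembering: a fully anchored allowlist pattern does not match a path that merely contains the allowed prefix, and an unset secret lets everything through, which is convenient locally and dangerous in production.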
heroku_lockdown shows an unhealthy version release cadence and project activity: the last version was released a year ago, and the project has one open source maintainer.