This gem protects against typical web attacks. Should work for all Rack apps, including Rails.
Use all protections you probably want to use:
# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp
Skip a single protection middleware:
# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp
Use a single protection middleware:
# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
Prevented by:
Rack::Protection::AuthenticityToken (not included by use Rack::Protection)Rack::Protection::FormToken (not included by use Rack::Protection)Rack::Protection::JsonCsrfRack::Protection::RemoteReferrer (not included by use Rack::Protection)Rack::Protection::RemoteTokenRack::Protection::HttpOriginPrevented by:
Rack::Protection::EscapedParams (not included by use Rack::Protection)Rack::Protection::XSSHeader (Internet Explorer and Chrome only)Rack::Protection::ContentSecurityPolicyPrevented by:
Prevented by:
Prevented by:
Rack::Protection::SessionHijacking (not included by use Rack::Protection)Prevented by:
Rack::Protection::CookieTossing (not included by use Rack::Protection)Prevented by:
Prevented by:
Rack::Protection::StrictTransport (not included by use Rack::Protection)gem install rack-protection
Instrumentation is enabled by passing in an instrumenter as an option.
use Rack::Protection, instrumenter: ActiveSupport::Notifications
The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
FAQs
Unknown package
We found that rack-protection demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.