Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/boardfish/zantetsuken

⚔️ Organize and build your app's Content Security Policy
https://github.com/boardfish/zantetsuken

content-security-policy hacktoberfest rails ruby-gem ruby-on-rails

Last synced: 1 day ago
JSON representation

⚔️ Organize and build your app's Content Security Policy

Awesome Lists containing this project

README

        

# Zantetsuken

The Content Security Policy (CSP) initializer in Rails can get cluttered
fast. Break it down with the help of this gem.

## Installation

Add `gem 'zantetsuken'` to your Gemfile and run `bundle install`.
Alternatively, install the gem directly by calling `gem install
zantetsuken` in your shell.

## Usage

Update `config/initializer/content_security_policy` to include the
following:

```ruby
Dir[Rails.root.join('app/lib/zantetsuken/**/*.rb').to_s].sort.each { |file| require file }
Rails.application.config.content_security_policy do |policy|
Zantetsuken.load(policy)
end
```

This will compose any rulesets you've defined under the
`Zantetsuken::Ruleset` module into a single
`ActionDispatch::ContentSecurityPolicy`, which is what Rails uses under
the hood to build your CSP.

### Defining rulesets

You should define your rulesets under
`app/lib/zantetsuken/ruleset`. Here's an example:

```ruby
# app/lib/zantetsuken/ruleset/stripe/js.rb

# frozen_string_literal: true

module Zantetsuken
module Ruleset
module Stripe
# Used for loading Stripe's JS library.
class Js < Base
ruleset do
self.connect_src = 'https://api.stripe.com'
self.frame_src = 'https://js.stripe.com', 'https://hooks.stripe.com'
self.script_src = 'https://js.stripe.com'
end
end
end
end
end
```

You should inherit from `Zantetsuken::Ruleset::Base` so that the ruleset can be
composed with others.

## Contributing

Contributions are welcome by way of a pull request. Pull requests with
failing test cases are preferable to issues, if you feel comfortable
doing that.