Rack::Protection

Usage

Use all protections you probably want to use:

# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp

Skip a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp

Use a single protection middleware:

# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp

Prevented Attacks

Cross Site Request Forgery

Prevented by:

Cross Site Scripting

Prevented by:

Clickjacking

Prevented by:

Directory Traversal

Prevented by:

Session Hijacking

Prevented by:

Cookie Tossing

Prevented by: * Rack::Protection::CookieTossing (not included by use Rack::Protection)

IP Spoofing

Prevented by:

Helps to protect against protocol downgrade attacks and cookie hijacking

Prevented by:

Installation

gem install rack-protection

Instrumentation

Instrumentation is enabled by passing in an instrumenter as an option. ~~~~ use Rack::Protection, instrumenter: ActiveSupport::Notifications ~~~~

The instrumenter is passed a namespace (String) and environment (Hash). The namespace is ‘rack.protection’ and the attack type can be obtained from the environment key ‘rack.protection.attack’.