github / secure_headers

Manages application of security headers with many safe defaults
MIT License

Add simple static configuration option for bypassing application of all security headers #450

Open h0jeZvgoxFepBQ2C opened 3 years ago

h0jeZvgoxFepBQ2C commented 3 years ago

Is there a way to enable this gem in an initializer completely?

F.e. we host our app for different customers, but due to various reasons we want to upgrade manually.

So I would like to enable secure_headers at runtime, like f.e:

```ruby
if ENV["ENABLE_STRICT_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    ...
  end
else
  SecureHeaders::Configuration.disable! # <= (or something like this)
end
```

I also don't want to opt out of the settings, I completely want to disable secure headers (since sometimes we have set special headers ourselves and we will have to migrate them to secure headers first).

oreoshake commented 3 years ago

Hello @h0jeZvgoxFepBQ2C, I can't recall if there's a shorthand way for doing this but you can set each config.<header_name> = SecureHeaders::OPT_OUT to avoid the default behavior. Alternatively, and probably a worse idea would be to do it per request with SecureHeaders.opt_out_of_all_protection(request) in some before_action.

I agree that would be a cool addition. I doubly like that you ended your proposed api with a ! 💥

h0jeZvgoxFepBQ2C commented 3 years ago

Thanks @oreoshake ,

I did something like this now:

```ruby
if ENV["DISABLE_SECURE_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    config.cookies = SecureHeaders::OPT_OUT
    config.hsts = SecureHeaders::OPT_OUT
    config.x_frame_options = SecureHeaders::OPT_OUT
    config.x_content_type_options = SecureHeaders::OPT_OUT
    config.x_xss_protection = SecureHeaders::OPT_OUT
    config.x_download_options = SecureHeaders::OPT_OUT
    config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT
    config.referrer_policy = SecureHeaders::OPT_OUT
    config.csp = SecureHeaders::OPT_OUT
  end
else
...
end
```

Would be maybe good to add such a small disable method, so you don't have to specify all settings manually (and maybe miss some, if new keys are implemented in future versions). And yeah, maybe there shouldn't be a ! 😄

Shall I leave this issue open? Or close it, since there is a workaround somehow?
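Two things worth checking once a global bypass like the one above is in place: `if ENV["DISABLE_SECURE_HEADERS"]` is true for any string, including "false" or "0" (ENV values are strings), and once the gem is opted out the application itself is responsible for every header and cookie flag it used to set. The following is an added example, not code from the gem or from this thread; it assumes the flag name used above and a Rack-style response header hash, and the header list mirrors the config keys opted out in the snippet above.

```ruby
require "set"

# Response headers the gem sets by default; each maps to one config key the
# snippet above opted out of (hsts, x_frame_options, csp, ...). Cookie flags are
# not response headers of their own, so they are checked separately below.
EXPECTED_SECURITY_HEADERS = [
  "Strict-Transport-Security",
  "X-Frame-Options",
  "X-Content-Type-Options",
  "X-XSS-Protection",
  "X-Download-Options",
  "X-Permitted-Cross-Domain-Policies",
  "Referrer-Policy",
  "Content-Security-Policy",
].freeze

# Strict parse of the bypass flag: only an explicit "1", "true" or "yes" enables
# the bypass, so a leftover "false" or "0" in a deployment env does not disable
# every header.
def bypass_requested?(env_vars)
  %w[1 true yes].include?(env_vars["DISABLE_SECURE_HEADERS"].to_s.strip.downcase)
end

# Expected security headers absent from a response (case-insensitive name
# match), so a deployment running with the bypass on can see exactly which
# protections it now has to provide itself.
def missing_security_headers(headers)
  present = headers.keys.map { |k| k.to_s.downcase }.to_set
  EXPECTED_SECURITY_HEADERS.reject { |h| present.include?(h.downcase) }
end

# Set-Cookie values lacking Secure or HttpOnly, the flags the opted-out
# cookies config would normally add. Handles Rack's newline-joined multi-value
# form as well as a single string.
def weak_cookies(headers)
  raw = headers.find { |k, _| k.to_s.casecmp?("Set-Cookie") }&.last
  Array(raw).flat_map { |v| v.split("\n") }.select do |cookie|
    attrs = cookie.split(";").drop(1).map { |a| a.strip.downcase }
    !(attrs.include?("secure") && attrs.include?("httponly"))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample response, not captured from a real application.
  sample = { "Content-Type" => "text/html", "X-Frame-Options" => "DENY",
             "Set-Cookie" => "session=abc; Path=/; HttpOnly" }
  puts missing_security_headers(sample).inspect
  puts weak_cookies(sample).inspect
end
```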

oreoshake commented 3 years ago

I was in favor of the ! ! ❗ Apologies if that came out as sarcasm 👼🏻

I think it would be a good addition and therefore would be worth keeping open in case someone decides to implement it.

oreoshake commented 3 years ago

I've updated the title to reflect that this issue is less of a question and more of a valid, useful feature request.

LeoWebSEO commented 1 year ago

I have a question. I don't know if I can put it here, but I already looked for where it would be better and decided on here. My question, and I have thought about it a lot: where do I put the code to apply the gem in a Jekyll project?

I have already installed the gem and everything, but I don't see the headers reflected in the web project. So I don't know how or where to apply it, whether in head or body.

I remain attentive and I hope you can help me. Thank you very much in advance.