georg authored
Due to the upgrade to Rails 5, formerly working installations which served both HTTP (towards a Tor onion service) and HTTPS requests broke due to mixed HTTP / HTTPS Origin headers and improved request forgery protections. A simple fix would be to enforce HTTPS within Rails. However, in a setup as described, this would break the onion service.

Accordingly, this commit introduces a new gem, secure_headers, which allows more fine-grained control of the involved settings. It requires a reverse proxy like Apache or Nginx which sets X-Forwarded-Proto for HTTPS requests, to make the backend aware.

This change is based on these docs: https://riseup.net/en/security/network-security/tor/onionservices-best-practices#onion-services-and-rails-4

Ref #55
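The two failure modes the commit describes, as an added illustration that is neither the commit's code nor the secure_headers gem: a minimal Rack-style middleware that takes the request scheme from the proxy's X-Forwarded-Proto, performs an Origin check of the kind Rails 5 does, and sends HSTS only to clearnet HTTPS clients so the plain-HTTP onion service keeps working. The class and hostnames are constructed; it assumes the reverse proxy overwrites any client-supplied X-Forwarded-Proto.

```ruby
# Added example, not code from the commit or from the secure_headers gem.
# Assumes the reverse proxy terminates TLS and overwrites X-Forwarded-Proto.
class OnionAwareHeaders
  HSTS = "max-age=31536000; includeSubDomains".freeze

  def initialize(app)
    @app = app
  end

  # The scheme the client actually used. TLS is terminated at the proxy, so
  # rack.url_scheme alone reports "http" for every request, clearnet or onion.
  def self.scheme_for(env)
    forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
    forwarded.empty? ? env.fetch("rack.url_scheme", "http") : forwarded
  end

  # Origin check in the spirit of Rails 5's forgery protection: the Origin
  # header must equal the request's own base URL. Without the forwarded
  # scheme, an "https://" Origin never matches the backend's "http://" view.
  def self.origin_allowed?(env)
    return true if %w[GET HEAD OPTIONS].include?(env["REQUEST_METHOD"])
    origin = env["HTTP_ORIGIN"]
    return true if origin.nil?
    origin == "#{scheme_for(env)}://#{env['HTTP_HOST']}"
  end

  def call(env)
    unless self.class.origin_allowed?(env)
      return [403, { "Content-Type" => "text/plain" }, ["Forbidden"]]
    end
    status, headers, body = @app.call(env)
    # HSTS only on the HTTPS side: pinning the onion host to HTTPS would
    # break the plain-HTTP onion service the setup deliberately serves.
    headers["Strict-Transport-Security"] = HSTS if self.class.scheme_for(env) == "https"
    [status, headers, body]
  end
end
```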