    Add secure_headers gem and config · 357cb241
    georg authored
    Due to the upgrade to Rails 5, formerly working installations which
    served both HTTP (towards a Tor onion service) and HTTPS requests broke
    due to mixed HTTP / HTTPS Origin headers and improved request forgery
    protections.
    
    A simple fix would be to enforce HTTPS within Rails. However, in a setup
    as described, this would break the onion service.
    
    Accordingly, this commit introduces a new gem, secure_headers, which
    allows more fine-grained control of the involved settings. It
    requires a reverse proxy like Apache or Nginx which sets
    X-Forwarded-Proto for HTTPS requests, to make the backend aware.
    
    This change is based on these docs:
    https://riseup.net/en/security/network-security/tor/onionservices-best-practices#onion-services-and-rails-4
    
    Ref #55
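The per-request decision the commit message describes, as an added example that is not the project's code and does not use the secure_headers gem: a minimal Rack-style middleware that reads the X-Forwarded-Proto header set by the reverse proxy and the Host header, adds HSTS only to requests that arrived over HTTPS, leaves requests to a .onion host on plain HTTP untouched, and redirects everything else to HTTPS. The class and method names are hypothetical.

```ruby
# Added example, not the project's own code. Assumes the deployment from the
# commit message: a reverse proxy (Apache/Nginx) terminates TLS and sets
# X-Forwarded-Proto for HTTPS requests; the Tor onion service reaches the
# same backend over plain HTTP. Rack exposes request headers in env as
# HTTP_<NAME>, so X-Forwarded-Proto becomes HTTP_X_FORWARDED_PROTO.
class ForwardedProtoPolicy
  HSTS = "max-age=31536000; includeSubDomains".freeze

  def initialize(app)
    @app = app
  end

  # True when the proxy saw the request over HTTPS. Only the first value is
  # honoured in case several proxies appended to the header.
  def self.https?(env)
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase == "https"
  end

  # True when the client addressed the onion service (Host header, port stripped).
  def self.onion?(env)
    env["HTTP_HOST"].to_s.split(":").first.to_s.end_with?(".onion")
  end

  # One of :allow_https, :allow_onion, :redirect.
  def self.decision(env)
    return :allow_https if https?(env)
    return :allow_onion if onion?(env)
    :redirect
  end

  def call(env)
    case self.class.decision(env)
    when :redirect
      # Clearnet request over plain HTTP: upgrade to HTTPS, keep path and query.
      target = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      target += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
      [301, { "Location" => target, "Content-Length" => "0" }, []]
    when :allow_https
      # Clearnet request over HTTPS: serve it and pin future requests to HTTPS.
      status, headers, body = @app.call(env)
      headers["Strict-Transport-Security"] = HSTS
      [status, headers, body]
    else
      # Onion request: serve over HTTP, no HSTS and no upgrade redirect.
      @app.call(env)
    end
  end
end
```

The proxy must overwrite X-Forwarded-Proto with its own value rather than pass through whatever the client sent; otherwise a plain-HTTP client can claim "https" and skip the redirect. Rails derives `request.ssl?` (and hence the `https://` scheme used for the Origin comparison) from the same header, so that check is what makes the forgery protection agree with the browser's Origin on the HTTPS side.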