Diffstat (limited to 'config/initializers')
| -rw-r--r-- | config/initializers/content_security_policy.rb | 29 | ||||
| -rw-r--r-- | config/initializers/filter_parameter_logging.rb | 8 | ||||
| -rw-r--r-- | config/initializers/inflections.rb | 18 | ||||
| -rw-r--r-- | config/initializers/new_framework_defaults_8_1.rb | 74 | ||||
| -rw-r--r-- | config/initializers/routing_filter_rails71_patch.rb | 38 |
5 files changed, 123 insertions, 44 deletions
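--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,29 @@
+# Be sure to restart your server when you modify this file.
+
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
+
+# Rails.application.configure do
+# config.content_security_policy do |policy|
+# policy.default_src :self, :https
+# policy.font_src :self, :https, :data
+# policy.img_src :self, :https, :data
+# policy.object_src :none
+# policy.script_src :self, :https
+# policy.style_src :self, :https
+# # Specify URI for violation reports
+# # policy.report_uri "/csp-violation-report-endpoint"
+# end
+#
+# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
+# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+# config.content_security_policy_nonce_directives = %w(script-src style-src)
+#
+# # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`
+# # if the corresponding directives are specified in `content_security_policy_nonce_directives`.
+# # config.content_security_policy_nonce_auto = true
+#
+# # Report violations without enforcing the policy.
+# # config.content_security_policy_report_only = true
+# end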
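Review bot: No Content-Security-Policy header is emitted by this file as committed, because every line including the `Rails.application.configure` block on line 7 is commented out, so the app keeps running without a CSP. If the block is enabled as written, `policy.script_src :self, :https` on line 13 allows scripts from any HTTPS origin, which gives little protection against an injected `<script src>`; restrict it to named hosts or lean on the nonce directives below it. The example nonce generator on line 20 reuses the session id for every response in that session, so it is not a per-request nonce and it also places the session id into page markup via `nonce` attributes; unless page caching needs a stable value, `->(request) { SecureRandom.base64(16) }` is the stronger choice. A low-risk first step is to uncomment the block together with `config.content_security_policy_report_only = true` on line 28 and a real `report_uri`, and watch the reports before enforcing.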
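--- /dev/null
+++ b/config/initializers/filter_parameter_logging.rb
@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
+# Use this to limit dissemination of sensitive information.
+# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
+Rails.application.config.filter_parameters += [
+:passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc
+]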
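Review bot: The keys added on line 7 are the stock Rails 8.1 list and only mask values where Rails applies `filter_parameters` — the request log's parameters line and, by default, Active Record `#inspect` output — so anything logged directly (`Rails.logger.info(params.to_unsafe_h)`) or shipped to an error tracker with its own scrubber is not covered by this file. Matching is a case-insensitive substring test, so `:passw` catches `password_confirmation` and `:_key` catches `api_key`, but app-specific names containing none of these substrings (for example `authorization` or `card_number`, if this app accepts them) pass through in clear and need an explicit entry here. A one-line comment above the array would save the next reader a trip to the docs: `# Case-insensitive substring match: :passw also filters password/password_confirmation.`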
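--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -1,10 +1,16 @@
 # Be sure to restart your server when you modify this file.
 
-# Add new inflection rules using the following format
-# (all these examples are active by default):
-# ActiveSupport::Inflector.inflections do |inflect|
-# inflect.plural /^(ox)$/i, '\1en'
-# inflect.singular /^(ox)en/i, '\1'
-# inflect.irregular 'person', 'people'
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+# inflect.plural /^(ox)$/i, "\\1en"
+# inflect.singular /^(ox)en/i, "\\1"
+# inflect.irregular "person", "people"
 # inflect.uncountable %w( fish sheep )
 # end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+# inflect.acronym "RESTful"
+# end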
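--- /dev/null
+++ b/config/initializers/new_framework_defaults_8_1.rb
@@ -0,0 +1,74 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 8.1 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `8.1`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# Skips escaping HTML entities and line separators. When set to `false`, the
+# JSON renderer no longer escapes these to improve performance.
+#
+# Example:
+# class PostsController < ApplicationController
+# def index
+# render json: { key: "\u2028\u2029<>&" }
+# end
+# end
+#
+# Renders `{"key":"\u2028\u2029\u003c\u003e\u0026"}` with the previous default, but `{"key":" <>&"}` with the config
+# set to `false`.
+#
+# Applications that want to keep the escaping behavior can set the config to `true`.
+#++
+# Rails.configuration.action_controller.escape_json_responses = false
+
+###
+# Skips escaping LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029) in JSON.
+#
+# Historically these characters were not valid inside JavaScript literal strings but that changed in ECMAScript 2019.
+# As such it's no longer a concern in modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.
+#++
+# Rails.configuration.active_support.escape_js_separators_in_json = false
+
+###
+# Raises an error when order dependent finder methods (e.g. `#first`, `#second`) are called without `order` values
+# on the relation, and the model does not have any order columns (`implicit_order_column`, `query_constraints`, or
+# `primary_key`) to fall back on.
+#
+# The current behavior of not raising an error has been deprecated, and this configuration option will be removed in
+# Rails 8.2.
+#++
+# Rails.configuration.active_record.raise_on_missing_required_finder_order_columns = true
+
+###
+# Controls how Rails handles path relative URL redirects.
+# When set to `:raise`, Rails will raise an `ActionController::Redirecting::UnsafeRedirectError`
+# for relative URLs without a leading slash, which can help prevent open redirect vulnerabilities.
+#
+# Example:
+# redirect_to "example.com" # Raises UnsafeRedirectError
+# redirect_to "@attacker.com" # Raises UnsafeRedirectError
+# redirect_to "/safe/path" # Works correctly
+#
+# Applications that want to allow these redirects can set the config to `:log` (previous default)
+# to only log warnings, or `:notify` to send ActiveSupport notifications.
+#++
+# Rails.configuration.action_controller.action_on_path_relative_redirect = :raise
+
+###
+# Use a Ruby parser to track dependencies between Action View templates
+#++
+# Rails.configuration.action_view.render_tracker = :ruby
+
+###
+# When enabled, hidden inputs generated by `form_tag`, `token_tag`, `method_tag`, and the hidden parameter fields
+# included in `button_to` forms will omit the `autocomplete="off"` attribute.
+#
+# Applications that want to keep generating the `autocomplete` attribute for those tags can set it to `false`.
+#++
+# Rails.configuration.action_view.remove_hidden_field_autocomplete = true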
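Review bot: All six defaults in this file stay commented out, so none of them takes effect yet; the one with direct security value is `Rails.configuration.action_controller.action_on_path_relative_redirect = :raise` on line 61, which turns the `redirect_to "example.com"` / `redirect_to "@attacker.com"` open-redirect shapes described on lines 54-55 into an error instead of a log line, and it can be enabled on its own ahead of the others once existing `redirect_to` call sites have been audited, since the exception is raised in production too. Before uncommenting `escape_json_responses = false` on line 28, note that the `<`, `>` and `&` escaping was the defence against a JSON body being interpreted as HTML; dropping it is reasonable only while JSON endpoints are served as `application/json` with the default `X-Content-Type-Options: nosniff` header still in place. The same caution applies to `escape_js_separators_in_json` on line 36 if any JSON is still inlined into `<script>` blocks of server-rendered views rather than fetched separately. Both escaping options change the bytes of the response body, so clients or snapshot tests that compare raw output may need updating.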
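--- a/config/initializers/routing_filter_rails71_patch.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-# routing-filter 0.7.0 is broken on Rails 7.1+ due to a change in how
-# ActionDispatch::Journey::Router#find_routes yields results (lazy iterator
-# vs eager enumerable). This patch restores the expected behaviour.
-# See: https://github.com/svenfuchs/routing-filter/pull/87
-# Remove this file if routing-filter ever releases a fixed version,
-# or when routing-filter is replaced with native Rails i18n scope routing.
-
-if Gem.loaded_specs['routing-filter'].version > Gem::Version.new('0.7.0')
-raise 'routing-filter has been updated — check if this patch is still needed and remove it if so.'
-end
-
-ActionDispatchJourneyRouterWithFiltering.remove_method(:find_routes)
-
-module RoutingFilterRails71Fix
-def find_routes(env)
-path = env.is_a?(Hash) ? env['PATH_INFO'] : env.path_info
-filter_parameters = {}
-original_path = path.dup
-
-@routes.filters.run(:around_recognize, path, env) do
-filter_parameters
-end
-
-super(env) do |match, parameters, route|
-parameters = parameters.merge(filter_parameters)
-
-if env.is_a?(Hash)
-env['PATH_INFO'] = original_path
-else
-env.path_info = original_path
-end
-
-yield [match, parameters, route]
-end
-end
-end
-
-ActionDispatch::Journey::Router.prepend(RoutingFilterRails71Fix)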
