A Better Way to Configure Content-Security-Policy Headers for Ruby on Rails
In this blog post, I will explore a new and more flexible way to configure the Content-Security-Policy
header in a Ruby on Rails application.
If you are unfamiliar with the Content-Security-Policy
HTTP header, then I'd recommend reading the MDN Web Docs to learn more.
Background
DocSpring's Content-Security-Policy
(CSP) header was starting to get out of hand:
We had been using the CSP policy feature provided by a security monitoring tool called Sqreen. They would collect CSP reports whenever a resource was blocked, and they had a web interface that made it easy to add new rules. As you can see, our CSP started to grow quite long as we tried out new analytics and support tools, or added custom integrations for specific customers.
Sqreen was acquired by Datadog, and unfortunately they shut down the service in October 2022. I uninstalled the sqreen
Ruby gem, and switched to using Sentry for security policy monitoring. I configured our existing CSP header in config/initializers/content_security_policy.rb
. The DSL looks like this:
Rails.application.config.content_security_policy do |policy|
policy.script_src :self, :https
# ...
The DocSpring app has a few different areas that each have their own requirements, such as our home page, the core Rails app, and our React template editor. I wanted to define custom Content-Security-Policy
headers for each of these parts, so that the header only included relevant rules for the current page.
I found out that you can call the content_security_policy
method in your controllers, to override parts of the globally configured Content-Security-Policy
header:
class PostsController < ApplicationController
content_security_policy do |policy|
policy.base_uri "https://www.example.com"
end
end
class PostsController < ApplicationController
content_security_policy false, only: :index
end
This wasn't documented very well and I thought there was still some room for improvement, so I came up with my own method of configuring the CSP header.
Better CSP Configuration
I decided to write my own ContentSecurityPolicy
class to manage the policy, and I added a HasContentSecurityPolicy
concern to my ApplicationController
. The concern is fairly straightforward:
module HasContentSecurityPolicy
extend ActiveSupport::Concern
included do
helper_method :content_security_policy
before_action :configure_content_security_policy
after_action :set_content_security_policy_header
end
def content_security_policy
@content_security_policy ||= ContentSecurityPolicy.new
end
# Override this method in your controller to configure the content security policy.
# Call `super` if you want to inherit the parent controller's policy.
def configure_content_security_policy; end
def set_content_security_policy_header
response.headers.merge!(content_security_policy.to_h)
end
end
This sets up my own content_security_policy
instance that I can call in my controllers, views, or helpers. After the response is rendered, I add the Content-Security-Policy
(or Content-Security-Policy-Report-Only
) header in an after_action
callback.
I decided to package up the code and publish a Ruby gem called better_content_security_policy
. (You can find the code on GitHub.)
How to use the gem
Install the gem and add it to your application's Gemfile by running:
$ bundle add better_content_security_policy
Include the BetterContentSecurityPolicy::HasContentSecurityPolicy
concern in your ApplicationController
:
class ApplicationController < ActionController::Base
include BetterContentSecurityPolicy::HasContentSecurityPolicy
Define a #configure_content_security_policy
method in ApplicationController
to configure your default Content-Security-Policy
rules:
def configure_content_security_policy
content_security_policy.default_src :none
content_security_policy.font_src :self
content_security_policy.script_src :self
content_security_policy.style_src :self
content_security_policy.img_src :self
content_security_policy.connect_src :self
content_security_policy.prefetch_src :self
content_security_policy.report_uri = "http://example.com/csp_reports"
content_security_policy.report_only = true
end
You can access the content_security_policy
instance in your controller actions. You can call any of the methods more than once (such as script_src
and img_src
), and new sources will be appended to the existing policy. You can also access the content_security_policy
instance in your views.
You can define a #configure_content_security_policy
method in other controllers. Call super
if you want to inherit your default configuration from ApplicationController
. Otherwise, you can omit the call to super
if you want to start from scratch with a new policy.
After the response has been rendered, an after_action
callback will generate and add the Content-Security-Policy
(or Content-Security-Policy-Report-Only
) header.
Examples
Plausible Analytics
Here's a Haml
view partial that I'm using to include the JavaScript code for Plausible Analytics:
-# app/views/layouts/_plausible_analytics.html.haml
- if PLAUSIBLE_ANALYTICS_HOST
- content_security_policy.connect_src PLAUSIBLE_ANALYTICS_HOST
- content_security_policy.script_src PLAUSIBLE_ANALYTICS_HOST
= javascript_include_tag "#{PLAUSIBLE_ANALYTICS_HOST}/js/script.js", defer: true, data: { domain: local_assigns[:domain].presence || request.host }
= javascript_tag nonce: true do
window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }
Whenever this view partial is rendered, the connect-src
and script-src
directives will be automatically added to your Content-Security-Policy
header. I really like being able to define the content_security_policy
rules right next to the javascript_include_tag
. It's great that they are only added if a Plausible Analytics host is configured and all the logic is in one place, so we can generate specific and accurate Content-Security-Policy
headers for different environments, and for on-premise customers.
Gravatar Images
Here's an overridden helper method that I use to generate Gravatar image URLs, which automatically adds the required CSP rules:
def gravatar_image_url(email, options = {})
content_security_policy.img_src 'https://secure.gravatar.com'
content_security_policy.img_src 'https://*.wp.com'
super
end
Note: It's fine to call this method multiple times. Any duplicate entries are automatically removed.
Summary
This is quite similar to the content_security_policy
method from Rails, but I think my version has slightly better UX. I also like being able to call it from my action methods and views, instead of as a class method in the controller.
Please feel free to try out the gem if you think it might be helpful, and open an issue on GitHub if you have any questions or feedback. Thanks for reading!