Add Configuration.disable! to completely disable secure_headers

Co-authored-by: fletchto99 <[email protected]>

Author: Copilot

lib/secure_headers/configuration.rb

@@ -9,6 +9,26 @@ class AlreadyConfiguredError < StandardError; end
     class NotYetConfiguredError < StandardError; end
     class IllegalPolicyModificationError < StandardError; end
     class << self
+      # Public: Disable secure_headers entirely. When disabled, no headers will be set.
+      #
+      # Returns nothing
+      def disable!
+        @disabled = true
+        # Create a NOOP config that opts out of all headers
+        @noop_config = new do |config|
+          CONFIG_ATTRIBUTES.each do |attr|
+            config.instance_variable_set("@#{attr}", OPT_OUT)
+          end
+        end.freeze
+      end
+
+      # Public: Check if secure_headers is disabled
+      #
+      # Returns boolean
+      def disabled?
+        defined?(@disabled) && @disabled
+      end
+
       # Public: Set the global default configuration.
       #
       # Optionally supply a block to override the defaults set by this library.
@@ -101,6 +121,7 @@ def deep_copy(config)
       # of ensuring that the default config is never mutated and is dup(ed)
       # before it is used in a request.
       def default_config
+        return @noop_config if disabled?
         unless defined?(@default_config)
           raise NotYetConfiguredError, "Default policy not yet configured"
         end

spec/lib/secure_headers/configuration_spec.rb

@@ -119,5 +119,25 @@ module SecureHeaders
       config = Configuration.dup
       expect(config.cookies).to eq({ httponly: true, secure: true, samesite: { lax: false } })
     end
+
+    describe ".disable!" do
+      it "disables secure_headers completely" do
+        Configuration.disable!
+        expect(Configuration.disabled?).to be true
+      end
+
+      it "returns a noop config when disabled" do
+        Configuration.disable!
+        config = Configuration.send(:default_config)
+        Configuration::CONFIG_ATTRIBUTES.each do |attr|
+          expect(config.instance_variable_get("@#{attr}")).to eq(OPT_OUT)
+        end
+      end
+
+      it "does not raise NotYetConfiguredError when disabled without default config" do
+        Configuration.disable!
+        expect { Configuration.send(:default_config) }.not_to raise_error
+      end
+    end
   end
 end

spec/lib/secure_headers/middleware_spec.rb

@@ -113,5 +113,34 @@ module SecureHeaders
         expect(env["Set-Cookie"]).to eq("foo=bar; secure")
       end
     end
+
+    context "when disabled" do
+      before(:each) do
+        reset_config
+        Configuration.disable!
+      end
+
+      it "does not set any headers" do
+        _, env = middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
+
+        # Check individual header classes that have HEADER_NAME
+        expect(env[XFrameOptions::HEADER_NAME]).to be_nil
+        expect(env[XContentTypeOptions::HEADER_NAME]).to be_nil
+        expect(env[XDownloadOptions::HEADER_NAME]).to be_nil
+        expect(env[XPermittedCrossDomainPolicies::HEADER_NAME]).to be_nil
+        expect(env[XXssProtection::HEADER_NAME]).to be_nil
+        expect(env[StrictTransportSecurity::HEADER_NAME]).to be_nil
+        expect(env[ReferrerPolicy::HEADER_NAME]).to be_nil
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to be_nil
+        expect(env[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to be_nil
+        expect(env[ClearSiteData::HEADER_NAME]).to be_nil
+        expect(env[ExpectCertificateTransparency::HEADER_NAME]).to be_nil
+      end
+
+      it "does not flag cookies" do
+        _, env = cookie_middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
+        expect(env["Set-Cookie"]).to eq("foo=bar")
+      end
+    end
   end
 end

spec/lib/secure_headers_spec.rb

@@ -112,6 +112,12 @@ module SecureHeaders
         expect(hash.count).to eq(0)
       end
 
+      it "allows you to disable secure_headers entirely via Configuration.disable!" do
+        Configuration.disable!
+        hash = SecureHeaders.header_hash_for(request)
+        expect(hash.count).to eq(0)
+      end
+
       it "allows you to override x-frame-options settings" do
         Configuration.default
         SecureHeaders.override_x_frame_options(request, XFrameOptions::DENY)

spec/spec_helper.rb

@@ -52,11 +52,17 @@ def self.clear_overrides
     def self.clear_appends
       remove_instance_variable(:@appends) if defined?(@appends)
     end
+
+    def self.clear_disabled
+      remove_instance_variable(:@disabled) if defined?(@disabled)
+      remove_instance_variable(:@noop_config) if defined?(@noop_config)
+    end
   end
 end
 
 def reset_config
   SecureHeaders::Configuration.clear_default_config
   SecureHeaders::Configuration.clear_overrides
   SecureHeaders::Configuration.clear_appends
+  SecureHeaders::Configuration.clear_disabled
 end

vendor/bundle/ruby/3.2.0/bin/_guard-core

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby3.2
+#
+# This file was generated by RubyGems.
+#
+# The application 'guard' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+Gem.use_gemdeps
+
+version = ">= 0.a"
+
+str = ARGV.first
+if str
+  str = str.b[/\A_(.*)_\z/, 1]
+  if str and Gem::Version.correct?(str)
+    version = str
+    ARGV.shift
+  end
+end
+
+if Gem.respond_to?(:activate_bin_path)
+load Gem.activate_bin_path('guard', '_guard-core', version)
+else
+gem "guard", version
+load Gem.bin_path("guard", "_guard-core", version)
+end

vendor/bundle/ruby/3.2.0/bin/coderay

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby3.2
+#
+# This file was generated by RubyGems.
+#
+# The application 'coderay' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+Gem.use_gemdeps
+
+version = ">= 0.a"
+
+str = ARGV.first
+if str
+  str = str.b[/\A_(.*)_\z/, 1]
+  if str and Gem::Version.correct?(str)
+    version = str
+    ARGV.shift
+  end
+end
+
+if Gem.respond_to?(:activate_bin_path)
+load Gem.activate_bin_path('coderay', 'coderay', version)
+else
+gem "coderay", version
+load Gem.bin_path("coderay", "coderay", version)
+end

vendor/bundle/ruby/3.2.0/bin/coveralls

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby3.2
+#
+# This file was generated by RubyGems.
+#
+# The application 'coveralls' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+Gem.use_gemdeps
+
+version = ">= 0.a"
+
+str = ARGV.first
+if str
+  str = str.b[/\A_(.*)_\z/, 1]
+  if str and Gem::Version.correct?(str)
+    version = str
+    ARGV.shift
+  end
+end
+
+if Gem.respond_to?(:activate_bin_path)
+load Gem.activate_bin_path('coveralls', 'coveralls', version)
+else
+gem "coveralls", version
+load Gem.bin_path("coveralls", "coveralls", version)
+end

vendor/bundle/ruby/3.2.0/bin/guard

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby3.2
+#
+# This file was generated by RubyGems.
+#
+# The application 'guard' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+Gem.use_gemdeps
+
+version = ">= 0.a"
+
+str = ARGV.first
+if str
+  str = str.b[/\A_(.*)_\z/, 1]
+  if str and Gem::Version.correct?(str)
+    version = str
+    ARGV.shift
+  end
+end
+
+if Gem.respond_to?(:activate_bin_path)
+load Gem.activate_bin_path('guard', 'guard', version)
+else
+gem "guard", version
+load Gem.bin_path("guard", "guard", version)
+end

vendor/bundle/ruby/3.2.0/bin/htmldiff

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby3.2
+#
+# This file was generated by RubyGems.
+#
+# The application 'diff-lcs' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+Gem.use_gemdeps
+
+version = ">= 0.a"
+
+str = ARGV.first
+if str
+  str = str.b[/\A_(.*)_\z/, 1]
+  if str and Gem::Version.correct?(str)
+    version = str
+    ARGV.shift
+  end
+end
+
+if Gem.respond_to?(:activate_bin_path)
+load Gem.activate_bin_path('diff-lcs', 'htmldiff', version)
+else
+gem "diff-lcs", version
+load Gem.bin_path("diff-lcs", "htmldiff", version)
+end