在本地环境中实现secure_headers gem后无法登录到rails应用程序

Question

我的网站使用Rails 3，其中我试图修复CSP(内容安全策略)相关问题。我安装了安全。

然后，在应用程序控制器中添加以下代码之后：

 SecureHeaders::Configuration.default do |config|
    config.secure_cookies = true # mark all cookies as "secure"
    config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
    config.x_frame_options = "DENY"
    config.x_content_type_options = "nosniff"
    config.x_xss_protection = "1; mode=block"
    config.x_download_options = "noopen"
    config.x_permitted_cross_domain_policies = "none"
    config.csp = {
      # "meta" values. these will shaped the header, but the values are not included in the header.
      report_only:  true,     # default: false
      preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.

      # directive values: these values will directly translate into source directives
      default_src: %w(https: 'self'),
      # frame_src: %w('self' *.twimg.com itunes.apple.com),
      # connect_src: %w(wws:),
      font_src: %w('self' https://fonts.gstatic.com https://cdnjs.cloudflare.com/ajax/libs/font-awesome https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/fonts/glyphicons-halflings-regular.svg https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/fonts/glyphicons-halflings-regular.ttf https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/fonts/glyphicons-halflings-regular.woff ),
      img_src: %w('self' https://*.youtube.com https://cdnjs.cloudflare.com/ajax/libs/font-awesome data: ),
      media_src: %w('self' https://img.youtube.com ),
      object_src: %w('self'),
      script_src: %w('self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js https://www.google-analytics.com/ga.js http://www.google-analytics.com/ga.js),
      style_src: %w('self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.2.0/css/font-awesome.min.css https://fonts.googleapis.com https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/css/bootstrap.min.css http://fonts.googleapis.com https://fonts.googleapis.com/css?family=Raleway:400,700 https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/css/bootstrap.min.css https://fonts.googleapis.com/css?family=Roboto:400,700 http://fonts.googleapis.com/css?family=Roboto:400,700),
      base_uri: %w('self'),
      child_src: %w('self'),
      # form_action: %w('self' ),
      frame_ancestors: %w('none'),
      plugin_types: %w(application/x-shockwave-flash),
      # block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
      # upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
      report_uri: %w(https://report-uri.io/example-csp)
    }

  end

我无法执行登录操作。有没有其他在rails中实现CSP的方法，我正在以错误的方式实现它。我找不到解释如何实现创业板的博客。请帮帮忙。

secure_cookies更新：更新:将的值更改为 false ，我可以登录到我的网站，但我确信，让secure_cookies假会对我的应用程序产生一些不良影响。

Answer 1

听起来登录似乎不是在https上进行的，cookie被标记为安全，然后在后续请求中不包含。我打开github.com/twitter/secureheaders/ this /243来处理这个问题。使用https和严格的传输安全性也可以解决这个问题。