Set two csp headers (enforced and report only) #256

Closed
davidhan527 opened this issue May 10, 2016 · 4 comments
@davidhan527 (Contributor)

Is there a way, using secure_headers, to set both an enforced and a report-only header? A lot of people might want to do this in order to experiment with a different policy configuration and see what violations may occur before actually enforcing it.

@oreoshake (Contributor) commented May 10, 2016

secure_headers provides classes for generating headers based on configs. However, there isn't a way to do this with just config.

# Build a header object from a CSP config hash; the class lives in the
# SecureHeaders namespace. header.name is the header name and
# header.value the serialized policy.
header = SecureHeaders::ContentSecurityPolicy.new(config, user_agent)
response.headers[header.name] = header.value

I think doing this in config alone would be a great addition.

@oreoshake (Contributor)

I think adding something like this would work well:

SecureHeaders::Configuration.default do |config|
  config.csp = { default_src: %w('self') ... }             # enforced policy
  config.csp_report_only = { default_src: %w('none') ... } # report-only policy
end

@oreoshake (Contributor)

I was just thinking about this. Specifically, should there be a flag to indicate which policy the override is meant for (that defaults to both)?

SecureHeaders::Configuration.default do |config|
  config.csp = {
    default_src: %w('none'),
    script_src: %w(example.com anotherexample.com)
  }

  # Same policy, but more restrictive (fewer hosts) for script-src
  config.csp_report_only = config.csp.merge(script_src: %w(example.com))
end

Somewhere in a controller...

append_content_security_policy_directives(:script_src, ['thirdparty.com'], :enforced)
override_content_security_policy_directives(:script_src, ['none'], :report_only)

Would result in

Content-Security-Policy: default-src 'none'; script-src example.com anotherexample.com thirdparty.com
Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'
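
The following is an added, self-contained example (not secure_headers' own code, and not part of this thread) that models the proposal above: a config object with separate enforced and report-only directive hashes, per-request append/override helpers that take a target policy (defaulting to both), and serialization into the two header strings. The module and class names (`DualCsp`, `Config`, `Request`) and the `append`/`override` method names are hypothetical stand-ins for the gem's configuration and controller helpers; the directive hashes use the same key style as secure_headers (`:script_src` becomes `script-src`).

```ruby
# Added example, not secure_headers' own code: a minimal model of a config
# with separate enforced and report-only CSP hashes, plus per-policy
# append/override helpers, serialized to the two headers.
# Directive keys follow secure_headers' style (:script_src => "script-src").
module DualCsp
  ENFORCED_HEADER    = "Content-Security-Policy"
  REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

  # Hypothetical stand-in for SecureHeaders::Configuration.default.
  class Config
    attr_accessor :csp, :csp_report_only

    def initialize
      @csp = {}
      @csp_report_only = {}
    end
  end

  # Per-request copy of both policies, so controller-level changes never
  # leak into the process-wide defaults.
  class Request
    TARGETS = %i[enforced report_only both].freeze

    def initialize(config)
      @policies = {
        enforced:    deep_dup(config.csp),
        report_only: deep_dup(config.csp_report_only),
      }
    end

    # Mirrors append_content_security_policy_directives(directive, sources, target)
    # from the proposal; target defaults to both policies.
    def append(directive, sources, target = :both)
      each_target(target) do |policy|
        policy[directive] = ((policy[directive] || []) + sources).uniq
      end
    end

    # Mirrors override_content_security_policy_directives(directive, sources, target).
    def override(directive, sources, target = :both)
      each_target(target) { |policy| policy[directive] = sources.dup }
    end

    # Returns { header_name => header_value } for every non-empty policy.
    def headers
      out = {}
      out[ENFORCED_HEADER] = serialize(@policies[:enforced]) unless @policies[:enforced].empty?
      out[REPORT_ONLY_HEADER] = serialize(@policies[:report_only]) unless @policies[:report_only].empty?
      out
    end

    private

    def each_target(target)
      raise ArgumentError, "unknown target #{target.inspect}" unless TARGETS.include?(target)
      keys = target == :both ? %i[enforced report_only] : [target]
      keys.each { |k| yield @policies[k] }
    end

    # "default-src 'none'; script-src a.com b.com"
    def serialize(policy)
      policy.map { |directive, sources|
        "#{directive.to_s.tr('_', '-')} #{Array(sources).join(' ')}"
      }.join("; ")
    end

    def deep_dup(hash)
      hash.each_with_object({}) { |(k, v), h| h[k] = Array(v).dup }
    end
  end
end

# Usage, reproducing the scenario in the thread (constructed values).
config = DualCsp::Config.new
config.csp = { default_src: %w('none'), script_src: %w(example.com anotherexample.com) }
config.csp_report_only = config.csp.merge(script_src: %w(example.com))

request = DualCsp::Request.new(config)
request.append(:script_src, %w(thirdparty.com), :enforced)
request.override(:script_src, %w('none'), :report_only)
request.headers.each { |name, value| puts "#{name}: #{value}" }
```

Copying the config hashes per request is the part worth keeping whatever the real API ends up looking like: `append` mutates the directive array in place, and without the copy a controller that loosens `script-src` for one action would silently loosen it for every later request in the process.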

@oreoshake (Contributor)

FYI, there's a PR for this: #281
