Remove non-lowercase headers in Rails default configuration (fixes #541) #551

obrie · 2025-03-20T13:50:25Z

This implements the solution proposed in #541

The full details of the issue can are described in that ticket. To summarize:

While secure_headers now uses lowercase headers (as required by Rack 3+), the Rails default configuration still defines non-lowercase headers. As a result, our Railtie will not remove those conflicting headers.

This change ensures that we're accounting for both lowercase and non-lowercase default headers in Rails (for current Rails defaults and future defaults).

All PRs:

Has tests
Documentation updated

Adding a new header

Generally, adding a new header is always OK.

Is the header supported by any user agent? If so, which?
What does it do?
What are the valid values for the header?
Where does the specification live?

Adding a new CSP directive

Is the directive supported by any user agent? If so, which?
What does it do?
What are the valid values for the directive?

…thub#541) While this gem now uses lowercase headers, the Rails default configuration still defines non-lowercase headers. As a result, our Railtie will not remove those conflicting headers. This change ensures that we're accounting for both lowercase and non-lowercase default headers in Rails.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove non-lowercase headers in Rails default configuration (fixes #541) #551

Remove non-lowercase headers in Rails default configuration (fixes #541) #551

obrie commented Mar 20, 2025

Remove non-lowercase headers in Rails default configuration (fixes #541) #551

Are you sure you want to change the base?

Remove non-lowercase headers in Rails default configuration (fixes #541) #551

Conversation

obrie commented Mar 20, 2025

All PRs:

Adding a new header

Adding a new CSP directive