# File 'rack-protection/lib/rack/protection.rb', line 27
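# Wraps +app+ in a Rack::Builder stack of Rack::Protection middlewares.
#
# Two groups of middleware are wired in:
# * opt-in: added only when their key is listed in +options[:use]+;
# * default-on: added unless their key is listed in +options[:except]+.
#
# Keys are compared as Symbols with +include?+. A String or a misspelled key
# matches nothing and is ignored without any error: a typo in +:use+ leaves
# that protection off, and a typo in +:except+ leaves it on. Check the
# resulting stack when changing either list.
#
# @param app [#call] the Rack application to protect
# @param options [Hash] passed unchanged to every middleware that is added
# @option options [Symbol, Array<Symbol>] :use opt-in middlewares to enable
# @option options [Symbol, Array<Symbol>] :except default-on middlewares to skip
# @option options [Boolean] :without_session when truthy, :remote_token is
#   added to the skip list (presumably because it relies on a session; confirm
#   against RemoteToken)
# @return [Object] the result of Rack::Builder#to_app
def self.new(app, options = {})
  except = Array(options[:except])
  use_these = Array(options[:use])

  # Builds a new array, so the caller's :except value is not mutated.
  except += %i[remote_token] if options.fetch(:without_session, false)

  Rack::Builder.new do
    # Off by default: each must be requested explicitly through :use.
    use ::Rack::Protection::AuthenticityToken, options if use_these.include?(:authenticity_token)
    use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include?(:content_security_policy)
    use ::Rack::Protection::CookieTossing, options if use_these.include?(:cookie_tossing)
    use ::Rack::Protection::EscapedParams, options if use_these.include?(:escaped_params)
    use ::Rack::Protection::FormToken, options if use_these.include?(:form_token)
    use ::Rack::Protection::ReferrerPolicy, options if use_these.include?(:referrer_policy)
    use ::Rack::Protection::RemoteReferrer, options if use_these.include?(:remote_referrer)
    use ::Rack::Protection::SessionHijacking, options if use_these.include?(:session_hijacking)
    use ::Rack::Protection::StrictTransport, options if use_these.include?(:strict_transport)

    # On by default: each stays active unless it is named in :except.
    use ::Rack::Protection::FrameOptions, options unless except.include?(:frame_options)
    use ::Rack::Protection::HttpOrigin, options unless except.include?(:http_origin)
    use ::Rack::Protection::IPSpoofing, options unless except.include?(:ip_spoofing)
    use ::Rack::Protection::JsonCsrf, options unless except.include?(:json_csrf)
    use ::Rack::Protection::PathTraversal, options unless except.include?(:path_traversal)
    use ::Rack::Protection::RemoteToken, options unless except.include?(:remote_token)
    # The key on this line was cut off in the listing; :xss_header is the
    # rack-protection key for XSSHeader.
    use ::Rack::Protection::XSSHeader, options unless except.include?(:xss_header)

    run app
  end.to_app
end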