Security Related Headers results in false positive when secure_headers gem is used

[monfresh]

In my app, I use the secure_headers gem, which takes care of all the issues reported by the Owasp Ror Cheatsheet Security Related Headers. It would be great if dawnscanner could check these two things:

1. That the secure_headers gem is present in the app's Gemfile.lock

2. That the application_controller.rb contains the following lines:

   include SecureHeaders
   ensure_security_headers

If both of those conditions are met, then the Security Related Headers issue should not be reported.

[monfresh]

Actually, ensure_security_headers has been removed in version 3.0 of secure_headers, so perhaps just making sure it's in Gemfile.lock is enough? Another thing that could be checked is that the default configuration hasn't been changed for these headers:

SecureHeaders::Configuration.default do |config|
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
end

[jasnow]

An issue for me too.

[thesp0nge]

Can you try if this solve you issue?