# File lib/rack/protection.rb, line 20
    def self.new(app, options = {})
      # does not include: RemoteReferrer, AuthenticityToken and FormToken
      except = Array options[:except]
      use_these = Array options[:use]
      Rack::Builder.new do
        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
        use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
        use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
        use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
        use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
        use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
        use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
        use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header
        run app
      end.to_app
    end