aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEgor Homakov <homakov@gmail.com>2012-08-27 06:37:07 -0700
committerEgor Homakov <homakov@gmail.com>2012-08-27 06:37:07 -0700
commit0685984c6b1934dea41c04b531777ec92f22c638 (patch)
treeb9f798c82c22e77893cbc0a5ac312a117e298ba7
parent4587e47bb9a5d73a70bef6de1da88b363fe00d99 (diff)
parentdad633c0f1888ce527a43d8bc782cfc9af440afa (diff)
downloadrails-0685984c6b1934dea41c04b531777ec92f22c638.tar.gz
rails-0685984c6b1934dea41c04b531777ec92f22c638.tar.bz2
rails-0685984c6b1934dea41c04b531777ec92f22c638.zip
Merge pull request #108 from homakov/master
Default headers description
-rw-r--r--guides/source/security.textile23
1 files changed, 23 insertions, 0 deletions
diff --git a/guides/source/security.textile b/guides/source/security.textile
index 49e5da6bb7..0a9911cedc 100644
--- a/guides/source/security.textile
+++ b/guides/source/security.textile
@@ -1021,6 +1021,29 @@ Content-Type: text/html
Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._
+h3. Default Headers
+
+Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>.
+<ruby>
+config.action_dispatch.default_headers = {
+ 'Header-Name' => 'Header-Value',
+ 'X-Frame-Options' => 'DENY'
+}
+</ruby>
+Here is the list of common headers:
+* X-Frame-Options
+_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
+* X-XSS-Protection
+_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters)
+* X-Content-Type-Options
+_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file.
+* X-Content-Security-Policy
+"A powerful mechanism for controlling which sites certain content types can be loaded from":http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
+* Access-Control-Allow-Origin
+Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
+* Strict-Transport-Security
+"Used to control if the browser is allowed to only access a site over a secure connection":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+
h3. Additional Resources
The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here: