diff options
author | Vijay Dev <vijaydev.cse@gmail.com> | 2012-09-01 23:51:23 +0530 |
---|---|---|
committer | Vijay Dev <vijaydev.cse@gmail.com> | 2012-09-01 23:51:23 +0530 |
commit | a6674991037fc360c7a72e7c28eec448f0231a3e (patch) | |
tree | f31b246cf779b8a09b4bc1d0db132c0e712d732b /guides/source/security.textile | |
parent | 7f800b4d69c0750bb47989027580299751a22616 (diff) | |
parent | 831b814a8778aad0d038aab550b7d405d4a69d37 (diff) | |
download | rails-a6674991037fc360c7a72e7c28eec448f0231a3e.tar.gz rails-a6674991037fc360c7a72e7c28eec448f0231a3e.tar.bz2 rails-a6674991037fc360c7a72e7c28eec448f0231a3e.zip |
Merge branch 'master' of github.com:lifo/docrails
Diffstat (limited to 'guides/source/security.textile')
-rw-r--r-- | guides/source/security.textile | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/guides/source/security.textile b/guides/source/security.textile index 773a47ab28..4c6c78a353 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -1019,6 +1019,47 @@ Content-Type: text/html Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._ +h3. Default Headers + +Every HTTP response from your Rails application receives the following default security headers. + +<ruby> +config.action_dispatch.default_headers = { + 'X-Frame-Options' => 'SAMEORIGIN', + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff' +} +</ruby> + +You can configure default headers in <ruby>config/application.rb</ruby>. + +<ruby> +config.action_dispatch.default_headers = { + 'Header-Name' => 'Header-Value', + 'X-Frame-Options' => 'DENY' +} +</ruby> + +Or you can remove them. + +<ruby> +config.action_dispatch.default_headers.clear +</ruby> + +Here is the list of common headers: +* X-Frame-Options +_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. +* X-XSS-Protection +_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) +* X-Content-Type-Options +_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file. +* X-Content-Security-Policy +"A powerful mechanism for controlling which sites certain content types can be loaded from":http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html +* Access-Control-Allow-Origin +Used to control which sites are allowed to bypass same origin policies and send cross-origin requests. +* Strict-Transport-Security +"Used to control if the browser is allowed to only access a site over a secure connection":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security + h3. Additional Resources The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here: |