author Jim Jones <jjones@aantix.com> 2012-08-27 21:04:42 -0700
committer Jim Jones <jjones@aantix.com> 2012-08-27 21:04:42 -0700
commit cb8bcdd9f155348bf8b0e543ddd89a855ec99984 (patch)
tree a9a234237d6638a3ff76700b725e4506a644f081 /guides/source/security.textile
parent 0685984c6b1934dea41c04b531777ec92f22c638 (diff)
Added clarifications for default security headers.
Diffstat (limited to 'guides/source/security.textile')
-rw-r--r-- guides/source/security.textile 20
1 files changed, 19 insertions, 1 deletions
diff --git a/guides/source/security.textile b/guides/source/security.textile
index 0a9911cedc..f3c3ab9d87 100644
--- a/guides/source/security.textile
+++ b/guides/source/security.textile
@@ -1023,13 +1023,31 @@ Under certain circumstances this would present the malicious HTML to the victim.
h3. Default Headers
-Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>.
+Every HTTP response from your Rails application receives the following default security headers.
+
+<ruby>
+config.action_dispatch.default_headers = {
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff'
+}
+</ruby>
+
+You can configure default headers in <ruby>config/application.rb</ruby>.
+
<ruby>
config.action_dispatch.default_headers = {
'Header-Name' => 'Header-Value',
'X-Frame-Options' => 'DENY'
}
</ruby>
+
+Or you can remove them.
+
+<ruby>
+config.action_dispatch.default_headers.clear
+</ruby>
+
Here is the list of common headers:
* X-Frame-Options
_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
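Review bot: the second <ruby> block (`config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' }`) assigns a new hash, which replaces the three defaults shown just above rather than merging with them, so an application that copies this example silently loses `X-XSS-Protection` and `X-Content-Type-Options`; the sentence "You can configure default headers in config/application.rb" should say that assignment replaces the defaults and that the other entries must be repeated (or the hash merged into) if they are to be kept. The "Or you can remove them." paragraph around `config.action_dispatch.default_headers.clear` likewise needs a sentence noting that clearing drops the clickjacking, XSS-filter and MIME-sniffing protections from every response, since a guide section on security should not present that as a neutral option. Minor: the first new paragraph says responses "receive the following default security headers" but then shows configuration syntax; stating that the block is the configuration equivalent of the built-in defaults would avoid readers thinking they must add it themselves.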