diff options
| author | Egor Homakov <homakov@gmail.com> | 2012-08-27 16:32:54 +0300 |
|---|---|---|
| committer | Egor Homakov <homakov@gmail.com> | 2012-08-27 16:32:54 +0300 |
| commit | dad633c0f1888ce527a43d8bc782cfc9af440afa (patch) | |
| tree | b9f798c82c22e77893cbc0a5ac312a117e298ba7 /guides/source | |
| parent | 4587e47bb9a5d73a70bef6de1da88b363fe00d99 (diff) | |
| download | rails-dad633c0f1888ce527a43d8bc782cfc9af440afa.tar.gz rails-dad633c0f1888ce527a43d8bc782cfc9af440afa.tar.bz2 rails-dad633c0f1888ce527a43d8bc782cfc9af440afa.zip | |
default headers init
Diffstat (limited to 'guides/source')
| -rw-r--r-- | guides/source/security.textile | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/guides/source/security.textile b/guides/source/security.textile index 49e5da6bb7..0a9911cedc 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -1021,6 +1021,29 @@ Content-Type: text/html Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._ +h3. Default Headers + +Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>. +<ruby> +config.action_dispatch.default_headers = { + 'Header-Name' => 'Header-Value', + 'X-Frame-Options' => 'DENY' +} +</ruby> +Here is the list of common headers: +* X-Frame-Options +_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. +* X-XSS-Protection +_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) +* X-Content-Type-Options +_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file. +* X-Content-Security-Policy +"A powerful mechanism for controlling which sites certain content types can be loaded from":http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html +* Access-Control-Allow-Origin +Used to control which sites are allowed to bypass same origin policies and send cross-origin requests. +* Strict-Transport-Security +"Used to control if the browser is allowed to only access a site over a secure connection":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security + h3. Additional Resources The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here: |