diff options
| author | Jim Jones <jjones@aantix.com> | 2012-08-27 21:04:42 -0700 |
|---|---|---|
| committer | Jim Jones <jjones@aantix.com> | 2012-08-27 21:04:42 -0700 |
| commit | cb8bcdd9f155348bf8b0e543ddd89a855ec99984 (patch) | |
| tree | a9a234237d6638a3ff76700b725e4506a644f081 /guides | |
| parent | 0685984c6b1934dea41c04b531777ec92f22c638 (diff) | |
| download | rails-cb8bcdd9f155348bf8b0e543ddd89a855ec99984.tar.gz rails-cb8bcdd9f155348bf8b0e543ddd89a855ec99984.tar.bz2 rails-cb8bcdd9f155348bf8b0e543ddd89a855ec99984.zip | |
Added clairifications for default security headers.
Diffstat (limited to 'guides')
| -rw-r--r-- | guides/source/security.textile | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/guides/source/security.textile b/guides/source/security.textile index 0a9911cedc..f3c3ab9d87 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -1023,13 +1023,31 @@ Under certain circumstances this would present the malicious HTML to the victim. h3. Default Headers -Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>. +Every HTTP response from your Rails application receives the following default security headers. + +<ruby> +config.action_dispatch.default_headers = { + 'X-Frame-Options' => 'SAMEORIGIN', + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff' +} +</ruby> + +You can configure default headers in <ruby>config/application.rb</ruby>. + <ruby> config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' } </ruby> + +Or you can remove them. + +<ruby> +config.action_dispatch.default_headers.clear +</ruby> + Here is the list of common headers: * X-Frame-Options _'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. |