author: George Claghorn <george.claghorn@gmail.com> 2018-08-03 18:05:00 -0400
committer: GitHub <noreply@github.com> 2018-08-03 18:05:00 -0400
commit: ceac9bfb24e94fcb68211c3b90397a1862204b7f (patch)
tree: a42e06a339075c883d5d29f212921478a818951c /guides
parent: f0e9a43c23b1a5c58a549ef76df1e03753cc4c90 (diff)
parent: 94f9c31a72b3a7f5947d1664c58645fb105d6261 (diff)
Merge pull request #33452 from thetizzo/rails_32_to_40_doc_update
[Documentation] Mention default HTTP headers in Rails 3.2 to 4.0 upgrade guide
Diffstat (limited to 'guides')
-rw-r--r--  guides/source/upgrading_ruby_on_rails.md  11
1 files changed, 11 insertions, 0 deletions
diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md
index e3a254f82b..319bc09be3 100644
--- a/guides/source/upgrading_ruby_on_rails.md
+++ b/guides/source/upgrading_ruby_on_rails.md
@@ -1356,6 +1356,17 @@ config.middleware.insert_before(Rack::Lock, ActionDispatch::BestStandardsSupport
Also check your environment settings for `config.action_dispatch.best_standards_support` and remove it if present.
+* Rails 4.0 allows configuration of HTTP headers by setting `config.action_dispatch.default_headers`. The defaults are as follows:
+
+```ruby
+ config.action_dispatch.default_headers = {
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'X-XSS-Protection' => '1; mode=block'
+ }
+```
+
+Please note that if your application is dependent on loading certain pages in a `<frame>` or `<iframe>`, then you may need to explicitly set `X-Frame-Options` to `ALLOW-FROM ...` or `ALLOWALL`.
+
* In Rails 4.0, precompiling assets no longer automatically copies non-JS/CSS assets from `vendor/assets` and `lib/assets`. Rails application and engine developers should put these assets in `app/assets` or configure `config.assets.precompile`.
* In Rails 4.0, `ActionController::UnknownFormat` is raised when the action doesn't handle the request format. By default, the exception is handled by responding with 406 Not Acceptable, but you can override that now. In Rails 3, 406 Not Acceptable was always returned. No overrides.
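Review bot: the closing sentence of the hunk, which tells readers to set `X-Frame-Options` to `ALLOW-FROM ...` or `ALLOWALL`, needs a caveat, because `ALLOWALL` is not a value defined for that header and a browser that does not recognize the value falls back to permitting framing, so it amounts to switching the clickjacking protection that the default `SAMEORIGIN` gives off for the whole application. Suggest wording it as an exception for the specific actions that must be framed (for example removing the header with `response.headers.delete('X-Frame-Options')` in just that controller) rather than as a change to the application-wide default. It would also help to say, next to the `config.action_dispatch.default_headers = { ... }` fragment, that assigning a new hash replaces every default, so an application that only wants a different `X-Frame-Options` should assign that one key on the existing hash (`config.action_dispatch.default_headers['X-Frame-Options'] = ...`) and keep `X-XSS-Protection` in place. Minor style point: the lines inside the added ```ruby fence carry a leading space, while the fence that ends just above this hunk (`config.middleware.insert_before(...)`) is not indented.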