From cb8bcdd9f155348bf8b0e543ddd89a855ec99984 Mon Sep 17 00:00:00 2001 From: Jim Jones Date: Mon, 27 Aug 2012 21:04:42 -0700 Subject: Added clarifications for default security headers. --- guides/source/security.textile | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/guides/source/security.textile b/guides/source/security.textile index 0a9911cedc..f3c3ab9d87 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -1023,13 +1023,31 @@ Under certain circumstances this would present the malicious HTML to the victim. h3. Default Headers -Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in config/application.rb. +Every HTTP response from your Rails application receives the following default security headers. + + +config.action_dispatch.default_headers = { + 'X-Frame-Options' => 'SAMEORIGIN', + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff' +} + + +You can configure default headers in config/application.rb. + config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' } + +Or you can remove them. + + +config.action_dispatch.default_headers.clear + + Here is the list of common headers: * X-Frame-Options _'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
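Review bot: the "You can configure default headers" example assigns a brand-new hash to `config.action_dispatch.default_headers`, which replaces the three defaults listed just above it rather than adding to them, so a reader who copies `'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY'` silently loses `X-XSS-Protection` and `X-Content-Type-Options`; the text should say that assignment replaces the defaults, or the example should add keys to the existing hash (e.g. with `merge!`) so the other protections survive. Same concern with "Or you can remove them." followed by `config.action_dispatch.default_headers.clear`: that line disables clickjacking and MIME-sniffing protection for every response in the application, and the guide should state that consequence and prefer showing removal of a single key (the hash's `delete`) over clearing everything. The removed sentence was also the only place that named `ActionDispatch::Response.default_headers` as where these values come from; the new wording "receives the following default security headers" followed by an assignment reads as if the reader must set them, so keep the reference and make clear that this block shows what Rails already sets. Minor: the commit subject misspells "clarifications".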