From 5d7b70f4336d42eabfc403e9f6efceb88b3eff44 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Sat, 9 Dec 2017 15:41:55 -0500
Subject: Add secure `X-Download-Options` and
 `X-Permitted-Cross-Domain-Policies` to default headers set.

---
 actionpack/lib/action_dispatch/railtie.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib/action_dispatch')

diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 855f2ffa47..95e99987a0 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -26,7 +26,9 @@ module ActionDispatch
     config.action_dispatch.default_headers = {
       "X-Frame-Options" => "SAMEORIGIN",
       "X-XSS-Protection" => "1; mode=block",
-      "X-Content-Type-Options" => "nosniff"
+      "X-Content-Type-Options" => "nosniff",
+      "X-Download-Options" => "noopen",
+      "X-Permitted-Cross-Domain-Policies" => "none"
     }
 
     config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
-- 
cgit v1.2.3