From 4848bf321b34cc06990bf6e3e10cbadaf992bc37 Mon Sep 17 00:00:00 2001
From: Jim Jones <jjones@aantix.com>
Date: Sat, 18 Aug 2012 15:29:58 -0700
Subject: Added X-Content-Type-Options to the header defaults.

With a value of "nosniff", this prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
---
 actionpack/lib/action_dispatch/railtie.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 0dcf1fc4fe..5aad8dd23a 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -21,7 +21,8 @@ module ActionDispatch
 
     config.action_dispatch.default_headers = {
       'X-Frame-Options' => 'SAMEORIGIN',
-      'X-XSS-Protection' => '1; mode=block'
+      'X-XSS-Protection' => '1; mode=block',
+      'X-Content-Type-Options' => 'nosniff'
     }
 
     initializer "action_dispatch.configure" do |app|
-- 
cgit v1.2.3