From dad633c0f1888ce527a43d8bc782cfc9af440afa Mon Sep 17 00:00:00 2001 From: Egor Homakov Date: Mon, 27 Aug 2012 16:32:54 +0300 Subject: default headers init --- guides/source/security.textile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'guides/source/security.textile') diff --git a/guides/source/security.textile b/guides/source/security.textile index 49e5da6bb7..0a9911cedc 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile 
@@ -1021,6 +1021,29 @@ Content-Type: text/html Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._ +h3. Default Headers + +Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in config/application.rb. + +config.action_dispatch.default_headers = { + 'Header-Name' => 'Header-Value', + 'X-Frame-Options' => 'DENY' +} + +Here is the list of common headers: +* X-Frame-Options +_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. +* X-XSS-Protection +_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) +* X-Content-Type-Options +_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file. +* X-Content-Security-Policy +"A powerful mechanism for controlling which sites certain content types can be loaded from":http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html +* Access-Control-Allow-Origin +Used to control which sites are allowed to bypass same origin policies and send cross-origin requests. +* Strict-Transport-Security +"Used to control if the browser is allowed to only access a site over a secure connection":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security + h3. 
Additional Resources The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here: -- cgit v1.2.3 From cb8bcdd9f155348bf8b0e543ddd89a855ec99984 Mon Sep 17 00:00:00 2001 From: Jim Jones Date: Mon, 27 Aug 2012 21:04:42 -0700 Subject: Added clairifications for default security headers. --- guides/source/security.textile | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'guides/source/security.textile') diff --git a/guides/source/security.textile b/guides/source/security.textile index 0a9911cedc..f3c3ab9d87 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -1023,13 +1023,31 @@ Under certain circumstances this would present the malicious HTML to the victim. h3. Default Headers -Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in config/application.rb. +Every HTTP response from your Rails application receives the following default security headers. + + +config.action_dispatch.default_headers = { + 'X-Frame-Options' => 'SAMEORIGIN', + 'X-XSS-Protection' => '1; mode=block', + 'X-Content-Type-Options' => 'nosniff' +} + + +You can configure default headers in config/application.rb. + config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' } + +Or you can remove them. + + +config.action_dispatch.default_headers.clear + + Here is the list of common headers: * X-Frame-Options _'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. -- cgit v1.2.3
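Review bot: in the `@@ -1021,6 +1021,29 @@` hunk of dad633c0 the X-Frame-Options bullet recommends 'ALLOWALL' to permit framing from any site, but that is not a value the header defines (the defined values are DENY, SAMEORIGIN and ALLOW-FROM uri); browsers that do not recognise a value ignore the header, which is the only reason it appears to work. If framing from anywhere is intended, the guide should say to drop the key from config.action_dispatch.default_headers rather than document an undefined value. In the same list, the X-XSS-Protection bullet says to set '0;' where the value that disables the filter is '0' with no trailing semicolon, and "useful if response contents scripts from request parameters" describes reflected XSS: a response that echoes request parameters into script needs its output escaped, not the auditor switched off. The Access-Control-Allow-Origin bullet sits awkwardly in a list of application-wide defaults, since a default value would attach to every response, authenticated ones included; it belongs on the specific resources meant to be readable cross-origin. The CSP bullet uses the Firefox-prefixed X-Content-Security-Policy name while the linked spec defines the unprefixed Content-Security-Policy header, so name that one. Minor wording: 'inherites' -> 'inherits', 'from Rails application' -> 'from a Rails application', 'for all website' -> 'for all websites'.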
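Review bot: in the `@@ -1023,13 +1023,31 @@` hunk of cb8bcdd9 the "You can configure default headers" example assigns a fresh hash (`config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' }`), which replaces the defaults shown just above it rather than merging into them, so following it silently drops X-XSS-Protection and X-Content-Type-Options; suggest `config.action_dispatch.default_headers['X-Frame-Options'] = 'DENY'` (or `merge!`) for changing one header and a sentence stating that assignment overwrites the whole set. Likewise "Or you can remove them" followed by `config.action_dispatch.default_headers.clear` removes every default at once, including nosniff; show removing a single key with `config.action_dispatch.default_headers.delete('X-Frame-Options')` and present `clear` as the all-or-nothing option. Finally, the first block (the shipped defaults) uses the same `config.action_dispatch.default_headers = {...}` form as the block the reader is meant to edit, so a lead-in saying it shows the framework's default value, not something to paste into config/application.rb, would avoid confusion.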