this gem adds more security related headers to the response for a rails3 application. mainly inspired by google-gets-a-1-for-browser-security and HttpCaching. and Clickjacking
the extra headers are
- x-frame headers
- x-content-type headers
- x-xss-protection headers
- caching headers
the main idea is to set the default as strict as possible and the application might relax the setup here and there.
in config/application.rb or in one of the config/environments/*rb files or in an initializer. all three x-headers can be configured here, for example
config.x_content_type_headers = :nosniff
just add in your controller something like
x_xss_protection :block
an example for an inline render
render :inline => 'behappy', :x_frame_headers => :deny
-
x_frame_headers :
:deny, :sameorigin, :offdefault:deny -
x_content_type_headers :
:nosniff, :offdefault:nosniff -
x_xss_protection_headers :
:block, :disabled, :offdefault:block
the cache headers needs to have a current_user, i.e. the current_user method of the controller needs to return a non-nil value. further the the method needs to :get and the response status an "ok" status,
then you can use the controller configuration or the options with render, send_file and send_data.
-
:private: which tells not to cache or store any data except the browser memory: no caching -
:protected: no caching but the browser: Only the end user's browser is allowed to cache -
:public: caching is allowed: Both browser and proxy allowed to cache -
:my_headers: custom header method like
def my_headers
no_store = false
no_caching(no_store)
end