Skip to content
Security related headers for Rack applications
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Set rubocop. Apr 11, 2016
lib/rack Minor style change. Apr 12, 2016
test Minor changes on code format. Apr 11, 2016
.gitignore Set rubocop. Apr 11, 2016
.rubocop.yml Set rubocop. Apr 11, 2016
.travis.yml Bump CI server Ruby versions. May 2, 2016
Gemfile Minor changes on code format. Apr 11, 2016
LICENSE Update copyright notice to 2016. Jan 1, 2016 Update README. Jan 1, 2016
Rakefile Update rake task. Apr 11, 2016
rack-secure_headers.gemspec Update gemspec email. Apr 11, 2016

rack-secure_headers Build Status

Security related HTTP headers for Rack applications.


Implements OWASP's List of useful HTTP headers.


Add this line to your application's Gemfile:

gem "rack-secure_headers"

And then execute:

$ bundle

Or install it yourself as:

$ gem install rack-secure_headers


require "rack/secure_headers"

use(Rack::SecureHeaders, options)


This is a list of the supported options included by default. To disable any default, pass nil (e.g. option: nil).

Option Header Default
:hsts Strict-Transport-Security { max_age: "31536000", include_subdomains: true }
:x_content_type_options X-Content-Type-Options "nosniff"
:x_frame_options X-Frame-Options "SAMEORIGIN"
:x_permited_cross_domain X-Permitted-Cross-Domain-Policies "none"
:x_xss_protection X-XSS-Protection "1; mode=block"


This is a list of the supported HTTP headers:

  • Strict-Transport-Security:

    Ensures the browser never visits the http version of a website. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. Supported options:

    • :max_age: The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. Defaults to 1 year.
    • :includeSubdomains: If this is true, this rule is applied to all of the site's subdomains as well. Defaults to true.
    • :preload: A limitation of HSTS is that the initial request remains unprotected if it uses HTTP. The same applies to the first request after the activity period specified by max-age. Chrome, Firefox and IE11+ implements a "STS preloaded list", which contains known sites supporting HSTS. If you would like your domain to be included in the preloaded list, set this options to true and submit your domain to this form.
  • X-Content-Type-Options:

    Prevents IE and Chrome from content type sniffing.

  • X-Frame-Options (XFO):

    Provides Clickjacking protection. Supported values:

    • DENY - Prevents any domain from framing the content.
    • SAMEORIGIN - Only allows current site to frame the content.
    • ALLOW-FROM URI - Allows the specified URI to frame the content (only IE8+ and Firefox).

    Check the X-Frame-Options draft for more information.

  • X-Permitted-Cross-Domain-Policies:

    Restrict Adobe Flash Player's access to data. Check this article for more information.

  • X-XSS-Protection:

    Enables the XSS protection filter built into IE, Chrome and Safari. Supported values are 0, which disables the protection, 1 which enables it and 1; mode=block (default) which tells the browser to block the response if it detects an attack. This filter is usually enabled by default, the use of this header is to re-enable it if it was disabled by the user.

Use to asses the security related HTTP headers used by your site.


  • HTTP Public Key Pinning (HPKP).
  • Content Security Policy (CSP).


Fork the project with:

$ git clone

To install dependencies, use:

$ bundle install

To run the test suite, do:

$ rake test

For bug reports and pull requests use GitHub.


This gem is released under the MIT License.

You can’t perform that action at this time.