
Set default security-related headers for application actions #336

Merged: 3 commits into unstable from enhancement/unstable/set-default-security-headers, Nov 22, 2020

Conversation

timriley (Member) commented Oct 31, 2020

When Actions are used within the context of a full Hanami application, they will now serve a range of security-related headers by default (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy). This matches the behaviour established in Hanami 1.x.

Previously, these headers were independently configurable via the application's config.security namespace, e.g. config.security.x_frame_options = "SAMEORIGIN". Instead of following this approach, we've just configured the existing default_headers hash with these header values automatically. This is a simpler, more maintainable approach, and just as easy for users to understand, since they would already be familiar with the header values they're looking to configure.

This applies sensible defaults for security-related headers previously configurable via an application’s `config.security`.
@timriley timriley mentioned this pull request Oct 31, 2020
@timriley timriley requested a review from jodosha October 31, 2020 09:44
@timriley timriley self-assigned this Oct 31, 2020
@timriley timriley added this to the v2.0.0 milestone Oct 31, 2020
@timriley timriley force-pushed the enhancement/unstable/set-default-security-headers branch from 98dfb83 to ecdaf85 on October 31, 2020 10:02
jodosha (Member) left a comment


@timriley Thanks. I manually tested it to verify that these default headers aren't sent when an action is used in standalone mode. 👍
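The two behaviours discussed in this thread (the PR description's "seed default_headers with security headers when the action lives inside an application", and the reviewer's check that a standalone action sends none of them) as an added, self-contained Ruby example. This is not code from hanami/controller: DemoApp, DemoAction, HeaderConfig, application_config and the constant-path lookup are hypothetical stand-ins for the project's real configuration objects, and the header values are assumed for illustration rather than being the project's actual defaults.

```ruby
# Added example, not hanami/controller's own code. All names below are
# hypothetical stand-ins; header values are assumptions, not project defaults.

# Assumed values for the four headers the PR names.
SECURITY_HEADERS = {
  "X-Frame-Options"         => "DENY",
  "X-Content-Type-Options"  => "nosniff",
  "X-XSS-Protection"        => "1; mode=block",
  "Content-Security-Policy" => "default-src 'self'; frame-ancestors 'none'",
}.freeze

# Stand-in for a configuration object exposing a default_headers hash.
class HeaderConfig
  attr_reader :default_headers

  def initialize(default_headers)
    @default_headers = default_headers
  end
end

# Constructed stand-in for an application: any module exposing
# application_config counts as one for the lookup below.
module DemoApp
  def self.application_config
    # App-wide customisation: replaces the assumed CSP default, keeps the rest.
    @application_config ||= HeaderConfig.new({ "Content-Security-Policy" => "default-src 'self'" })
  end
end

class DemoAction
  class << self
    # Per-class config, built lazily so each subclass gets its own hash and
    # can edit it (config.default_headers["X-Frame-Options"] = ...) in isolation.
    def config
      @config ||= HeaderConfig.new(seed_default_headers)
    end

    # Inside an application: security headers first, the app's own
    # default_headers layered on top. Standalone: empty, so nothing extra is sent.
    def seed_default_headers
      app = enclosing_application
      return {} unless app
      SECURITY_HEADERS.merge(app.application_config.default_headers)
    end

    # Walk outward along the constant path (DemoApp::Actions::Home ->
    # DemoApp::Actions -> DemoApp) looking for a module acting as the application.
    def enclosing_application
      parts = name.to_s.split("::")
      parts.pop
      until parts.empty?
        mod = Object.const_get(parts.join("::"))
        return mod if mod.respond_to?(:application_config)
        parts.pop
      end
      nil
    end
  end

  attr_reader :headers

  # Minimal Rack-style entry point: class defaults are applied first, then
  # whatever the action set in handle, so a per-action value overrides a default.
  def call(env)
    @headers = {}
    body = handle(env)
    [200, self.class.config.default_headers.merge(@headers), [body]]
  end

  def handle(_env)
    "ok"
  end
end

module DemoApp
  module Actions
    class Home < DemoAction
    end

    class Embed < DemoAction
      # Meant to be framed by the same origin: override one header, keep the rest.
      def handle(_env)
        headers["X-Frame-Options"] = "SAMEORIGIN"
        "embed"
      end
    end
  end
end

# Defined outside any application namespace: receives no security headers.
class StandaloneAction < DemoAction
end

def app_headers        = DemoApp::Actions::Home.new.call({})[1]
def embed_headers      = DemoApp::Actions::Embed.new.call({})[1]
def standalone_headers = StandaloneAction.new.call({})[1]
```

Keeping the security headers in the same default_headers hash as everything else means an override is a plain hash write at the application, action-class, or per-response level, and the merge order decides precedence: the empty hash on the standalone path is what makes the reviewer's "no headers sent in standalone mode" check hold.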

@timriley timriley merged commit f6c2aab into unstable Nov 22, 2020
@timriley timriley deleted the enhancement/unstable/set-default-security-headers branch November 22, 2020 10:00