
Mention default values of security options

funk-yourself committed Oct 3, 2017
1 parent e106289 commit b912e9a72bda5554161d9f800689c8d99720c721
Showing with 10 additions and 11 deletions.
  1. +10 −11 source/guides/1.0/projects/security.md
@@ -16,7 +16,7 @@ X-Frame-Options is a HTTP header supported by modern browsers. It determines if
Web applications can send this header to prevent Clickjacking attacks:

```ruby
# Denies all untrusted domains
# Denies all untrusted domains (default)
security.x_frame_options 'DENY'
```

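Review bot: the comment `# Denies all untrusted domains (default)` undersells what `DENY` does. That value refuses framing by every origin, the application's own included, which is exactly what separates it from `SAMEORIGIN`; "untrusted domains" invites the reading that same-origin framing is still allowed. Suggest `# Denies framing by any origin, including the same origin (default)` so the new "(default)" annotation sits on an accurate description.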
@@ -30,14 +30,21 @@ security.x_frame_options 'http://example.com'
X-Content-Type-Options prevents browsers from interpreting files as something else than declared by the content type in the HTTP headers.

```ruby
# Will prevent the browser from MIME-sniffing a response away from the declared content-type.
# Will prevent the browser from MIME-sniffing a response away from the declared content-type (default)
security.x_content_type_options 'nosniff'
```

# X-XSS-Protection

X-XSS-Protection is a HTTP header to determine the behavior of the browser in case an XSS attack is detected.


```ruby
# Filter enabled. Rather than sanitize the page, when a XSS attack is detected,
# the browser will prevent rendering of the page (default)
security.x_xss_protection '1; mode=block'
```

```ruby
# Filter disabled
security.x_xss_protection '0'
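Review bot: the new comment lines say `when a XSS attack is detected`; it should be `an XSS attack` (the initialism is read with a leading vowel sound), and the same slip is in the lead sentence `X-XSS-Protection is a HTTP header`, which should be `an HTTP header`. Spacing is also inconsistent: the moved block has two blank lines above it (one added here) but only one before `# Filter disabled`, while the rest of the file separates code blocks with two. Since `'1; mode=block'` is now labelled the default, consider stating that in the sentence above the block rather than only inside a code comment, as this hunk does for the heading text of the other headers.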
@@ -49,14 +56,6 @@ security.x_xss_protection '0'
security.x_xss_protection '1'
```


```ruby
# Filter enabled. Rather than sanitize the page, when a XSS attack is detected,
# the browser will prevent rendering of the page
security.x_xss_protection '1; mode=block'
```


```ruby
# The browser will sanitize the page and report the violation.
# This is a Chromium function utilizing CSP violation reports to send details to a URI of your choice
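Review bot: the deletion is the counterpart of the block moved above, so no example is lost, but it leaves the plain `security.x_xss_protection '1'` example as the first thing in this region with no explanation of what `1` without `mode=block` does. The only description of that behaviour now lives in the comment `# The browser will sanitize the page and report the violation.` on the `report=` variant; consider adding a short comment on the `'1'` example (filter enabled, page is re-rendered with the offending script removed) so the three enabled modes, sanitize, block, and report, read as a progression.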
@@ -74,7 +73,7 @@ other resources to load (eg object, frame, media, etc).

Inline JavaScript is NOT allowed. To enable it, please use: <code>script-src 'unsafe-inline'</code>.

Example:
Default value is:

```ruby
security.content_security_policy %{
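Review bot: `Default value is:` is missing its article; `The default value is:` reads better and matches how the other sections introduce their examples. More important is the unchanged line just above it, `Inline JavaScript is NOT allowed. To enable it, please use: script-src 'unsafe-inline'`, which now sits directly over a block labelled as the default policy with no caveat: `'unsafe-inline'` lets any injected `<script>` execute and so gives up most of the XSS protection the policy exists to provide. Suggest a sentence that it should be a last resort and that nonces or hashes are the supported way to allow specific inline scripts.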
