We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rails4 引入了三个默认HTTP Headers:
config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' }
X-Content-Type-Options'头设置为 nosniff'会阻止浏览器通过内容猜测文件的MIME Type的行为。如果不阻止,浏览器的这一行为会被黑客利用,增加XSS的机率。
X-Content-Type-Options'
nosniff'
MIME Type
IE8以及之后的版本支持X-XSS-Protection头,设置为1;mode=block会激活IE内建的XSS过滤机制,阻止常见的XSS攻击。
X-XSS-Protection
1;mode=block
X-Frame-Options 头可以决定网页是否允许被嵌入(iframe/frame)到其他页面。设置为DENY之后会阻止所有页面内嵌你的网页,,设置为SAMEORIGIN会允许自己域下的网站内嵌你的网页。 还可以设置指定允许内嵌你的页面的域。不允许别人内嵌你的页面是减少click-jacking的有效途径。
X-Frame-Options
DENY
SAMEORIGIN
在Rails3里增加这三个头很简单,只要加一个全局的filter:
# application_controller.rb before_filter :set_secure_headers def set_secure_headers response.headers.merge!( 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' ) end
refs:
The text was updated successfully, but these errors were encountered:
No branches or pull requests
Rails4 引入了三个默认HTTP Headers:
X-Content-Type-Options
X-Content-Type-Options'头设置为nosniff'会阻止浏览器通过内容猜测文件的MIME Type的行为。如果不阻止,浏览器的这一行为会被黑客利用,增加XSS的机率。X-XSS-Protection
IE8以及之后的版本支持
X-XSS-Protection头,设置为1;mode=block会激活IE内建的XSS过滤机制,阻止常见的XSS攻击。X-Frame-Options
X-Frame-Options头可以决定网页是否允许被嵌入(iframe/frame)到其他页面。设置为DENY之后会阻止所有页面内嵌你的网页,,设置为SAMEORIGIN会允许自己域下的网站内嵌你的网页。 还可以设置指定允许内嵌你的页面的域。不允许别人内嵌你的页面是减少click-jacking的有效途径。在Rails3里增加这三个头很简单,只要加一个全局的filter:
refs:
The text was updated successfully, but these errors were encountered: