Skip to content


Subversion checkout URL

You can clone with
Download ZIP
cache header control, dynamic configuration, and rails generator templates
Branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
spec make configuration model lazy to allow generators to rerun without ba…
.gitignore new upstream versions and round up features
MIT-LICENSE * added x-frame-option header field to prevent click-jacking
Mavenfile added simple docu
TODO cleanup, follow changes to ruby_maven.rb abd simple_steps.rb for cucu…


this gem adds more security related headers to the response for a rails3 application. mainly inspired by google-gets-a-1-for-browser-security and HttpCaching. and Clickjacking

the extra headers are

  • x-frame headers
  • x-content-type headers
  • x-xss-protection headers
  • caching headers

the main idea is to set the default as strict as possible and the application might relax the setup here and there.

rails configuration

in config/application.rb or in one of the config/environments/*rb files or in an initializer. all three x-headers can be configured here, for example

config.x_content_type_headers = :nosniff

controller configuration

just add in your controller something like

x_xss_protection :block

option for each render, send_file, send_data methods

an example for an inline render

render :inline => 'behappy', :x_frame_headers => :deny

possible values

  • x_frame_headers : :deny, :sameorigin, :off default :deny

  • x_content_type_headers : :nosniff, :off default :nosniff

  • x_xss_protection_headers : :block, :disabled, :off default :block

cache headers

the cache headers needs to have a current_user, i.e. the current_user method of the controller needs to return a non-nil value. further the the method needs to :get and the response status an "ok" status,

then you can use the controller configuration or the options with render, send_file and send_data.

possible values

def my_headers
    no_store = false
Something went wrong with that request. Please try again.