cache header control, dynamic configuration, and rails generator templates
README.md

Ixtlan

This gem adds security-related headers to the responses of a Rails 3 application. It is mainly inspired by google-gets-a-1-for-browser-security, HttpCaching and Clickjacking.

The extra headers are:

  • x-frame headers
  • x-content-type headers
  • x-xss-protection headers
  • caching headers

The main idea is to set the defaults as strict as possible; the application can then relax the setup where it needs to.

rails configuration

In config/application.rb, in one of the config/environments/*.rb files, or in an initializer. All three x-headers can be configured here, for example:

```ruby
config.x_content_type_headers = :nosniff
```

controller configuration

Just add something like the following to your controller:

```ruby
x_xss_protection :block
```

Options for each render, send_file and send_data call

An example for an inline render:

```ruby
render :inline => 'behappy', :x_frame_headers => :deny
```

possible values

  • x_frame_headers: :deny, :sameorigin, :off (default :deny)

  • x_content_type_headers: :nosniff, :off (default :nosniff)

  • x_xss_protection_headers: :block, :disabled, :off (default :block)
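To make the layering of application defaults, controller configuration and per-render options concrete, here is an added example that is not code from ixtlan-core itself. It models the option symbols above as a plain-Ruby module so it runs without Rails. The mapping of option symbols to header values (:deny to DENY, :block to "1; mode=block", :off meaning the header is not sent) is an assumption about how the gem renders them; the header names are the standard ones.

```ruby
# Added example, not ixtlan-core's own code. Plain-Ruby model of the
# strict-by-default header policy the README describes.
module SecurityHeaders
  # Strict defaults from the README's "possible values" list.
  DEFAULTS = {
    x_frame_headers: :deny,
    x_content_type_headers: :nosniff,
    x_xss_protection_headers: :block,
  }.freeze

  # ASSUMPTION: the gem maps option symbols to these standard header values.
  HEADER_VALUES = {
    x_frame_headers: { deny: 'DENY', sameorigin: 'SAMEORIGIN' },
    x_content_type_headers: { nosniff: 'nosniff' },
    x_xss_protection_headers: { block: '1; mode=block', disabled: '0' },
  }.freeze

  HEADER_NAMES = {
    x_frame_headers: 'X-Frame-Options',
    x_content_type_headers: 'X-Content-Type-Options',
    x_xss_protection_headers: 'X-XSS-Protection',
  }.freeze

  # Build the headers for one response. Later layers override earlier
  # ones: app config, then controller config, then per-render options.
  # :off drops the header; an unknown option or value raises, so a typo
  # cannot silently weaken the policy.
  def self.build(app_config = {}, controller = {}, render_opts = {})
    effective = DEFAULTS.merge(app_config).merge(controller).merge(render_opts)
    effective.each_with_object({}) do |(opt, value), headers|
      next if value == :off
      values = HEADER_VALUES.fetch(opt) { raise ArgumentError, "unknown option #{opt}" }
      header = values.fetch(value) do
        raise ArgumentError, "#{opt}: unsupported value #{value.inspect}"
      end
      headers[HEADER_NAMES[opt]] = header
    end
  end
end

# With no configuration at all, every header is at its strictest setting.
puts SecurityHeaders.build.inspect
# A single render may relax framing to same-origin without touching the rest.
puts SecurityHeaders.build({}, {}, { x_frame_headers: :sameorigin }).inspect
```

Because :off removes the header entirely, a check that the final hash still contains all three names is a cheap way to catch an accidental relaxation in a test suite.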

cache headers

The cache headers are only set when the controller has a current_user, i.e. the controller's current_user method returns a non-nil value. Further, the request method needs to be GET and the response status needs to be "ok" (200).

Then you can use the controller configuration or the options of render, send_file and send_data.

For example, a controller method that calls the no_caching helper, here with no_store set to false:

```ruby
def my_headers
  # false: the response may be cached but must be revalidated;
  # true would additionally forbid storing it at all
  no_store = false
  no_caching(no_store)
end
```
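The three preconditions above (a non-nil current_user, a GET request, a 200 status) together with the no_store flag are easy to get subtly wrong, so here is an added example that is not ixtlan-core's own code: a plain-Ruby function that returns the cache headers only when all preconditions hold. The exact Cache-Control directives and the fixed past Expires date are assumptions; the README names only the no_store flag.

```ruby
# Added example, not ixtlan-core's own code. Encodes the README's
# preconditions for emitting cache headers as a pure function.
module CacheHeaders
  # Minimal stand-in for the controller state the decision depends on.
  Request = Struct.new(:http_method, :current_user, :status)

  # Returns the caching headers to add, or an empty hash when the
  # preconditions are not all met (no user, non-GET, non-200).
  def self.for(request, no_store: false)
    return {} if request.current_user.nil?
    return {} unless request.http_method.to_s.upcase == 'GET'
    return {} unless request.status == 200

    # ASSUMPTION: per-user responses are marked private and must be
    # revalidated; no_store additionally forbids any storage.
    directives = ['private', 'no-cache', 'max-age=0', 'must-revalidate']
    directives.unshift('no-store') if no_store
    {
      'Cache-Control' => directives.join(', '),
      'Pragma' => 'no-cache',                       # for HTTP/1.0 caches
      'Expires' => 'Fri, 01 Jan 1990 00:00:00 GMT', # a date in the past
    }
  end
end

# Constructed sample requests: only the first one gets cache headers.
[
  CacheHeaders::Request.new('GET', 'alice', 200),
  CacheHeaders::Request.new('GET', nil, 200),
  CacheHeaders::Request.new('POST', 'alice', 200),
  CacheHeaders::Request.new('GET', 'alice', 302),
].each { |req| puts "#{req.to_a.inspect} => #{CacheHeaders.for(req).inspect}" }
```

The anonymous-user case returning nothing is deliberate: content that does not depend on a session is what shared caches are for, and the gem's preconditions follow the same line.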