Skip to content
rails generator templates for ixtlan gems
Find file
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


this gem adds more security related headers to the response for a rails3 application. mainly inspired by google-gets-a-1-for-browser-security and HttpCaching. and Clickjacking

the extra headers are

  • x-frame headers
  • x-content-type headers
  • x-xss-protection headers
  • caching headers

the main idea is to set the default as strict as possible and the application might relax the setup here and there.

rails configuration

in config/application.rb or in one of the config/environments/*rb files or in an initializer. all three x-headers can be configured here, for example

config.x_content_type_headers = :nosniff

controller configuration

just add in your controller something like

x_xss_protection :block

option for each render, send_file, send_data methods

an example for an inline render

render :inline => 'behappy', :x_frame_headers => :deny

possible values

  • x_frame_headers : :deny, :sameorigin, :off default :deny

  • x_content_type_headers : :nosniff, :off default :nosniff

  • x_xss_protection_headers : :block, :disabled, :off default :block

cache headers

the cache headers needs to have a current_user, i.e. the current_user method of the controller needs to return a non-nil value. further the the method needs to :get and the response status an "ok" status,

then you can use the controller configuration or the options with render, send_file and send_data.

possible values

def my_headers
    no_store = false
Something went wrong with that request. Please try again.