This repository has been archived by the owner on Apr 14, 2024. It is now read-only.
Made Cross Site Policy more strict
Owen Davies committed Oct 5, 2015
1 parent a3d684c commit 68df2ec
Showing 2 changed files with 7 additions and 2 deletions.
5 changes: 4 additions & 1 deletion config/initializers/secureheaders.rb
Expand Up @@ -4,8 +4,11 @@
config.x_xss_protection = { value: 1, mode: 'block' }

config.csp = {
default_src: "'self' https:",
enforce: true,
default_src: "'none'",
connect_src: "'self'",
font_src: "'self' https:",
img_src: "'self' https: data:",
script_src: "'self' https: 'unsafe-inline'",
style_src: "'self' https: 'unsafe-inline'"
}
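Review bot: `script_src: "'self' https: 'unsafe-inline'"` and `style_src: "'self' https: 'unsafe-inline'"` undo most of what the stricter `default_src: "'none'"` buys, because `'unsafe-inline'` lets any injected inline script or style run and the bare `https:` source allows scripts from any HTTPS origin. If the app needs inline assets, prefer per-request nonces or hashes (secure_headers supports both) and list the specific CDN hosts instead of `https:`. Also note that `frame-ancestors` and `base-uri` do not inherit from `default-src`, so this policy still leaves framing and base-tag hijacking unconstrained; adding e.g. `frame_ancestors: "'none'"` alongside the new `connect_src` would close that gap.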
4 changes: 3 additions & 1 deletion spec/features/application/cross_site_policy_spec.rb
Expand Up @@ -5,7 +5,9 @@
visit_200_page '/home'

expect(response_headers['Content-Security-Policy']).to eq [
"default-src 'self' https:",
"default-src 'none'",
"connect-src 'self'",
"font-src 'self' https:",
"img-src 'self' https: data:",
"script-src 'self' https: 'unsafe-inline'",
"style-src 'self' https: 'unsafe-inline'"
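Review bot: the expectation is a verbatim copy of the directives in `config/initializers/secureheaders.rb`, so it locks the header value but will never flag a weak directive on its own; the `'unsafe-inline'` entries in `"script-src 'self' https: 'unsafe-inline'"` and the style line pass here just as readily as a nonce-based policy would. Consider a second assertion that the `script-src` value does not include `'unsafe-inline'` once nonces or hashes are adopted, and since the policy is application-wide, a check against a page other than `/home` would confirm the initializer applies everywhere rather than only on the landing route.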
