Skip to content
Browse files

Merge pull request #108 from homakov/master

Default headers description
  • Loading branch information...
2 parents 4587e47 + dad633c commit 0685984c6b1934dea41c04b531777ec92f22c638 @homakov homakov committed Aug 27, 2012
Showing with 23 additions and 0 deletions.
  1. +23 −0 guides/source/security.textile
View
23 guides/source/security.textile
@@ -1021,6 +1021,29 @@ Content-Type: text/html
Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._
+h3. Default Headers
+
+Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>.
+<ruby>
+config.action_dispatch.default_headers = {
+ 'Header-Name' => 'Header-Value',
+ 'X-Frame-Options' => 'DENY'
+}
+</ruby>
+Here is the list of common headers:
+* X-Frame-Options
+_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
+* X-XSS-Protection
+_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters)
+* X-Content-Type-Options
+_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file.
+* X-Content-Security-Policy
+"A powerful mechanism for controlling which sites certain content types can be loaded from":http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
+* Access-Control-Allow-Origin
+Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
+* Strict-Transport-Security
+"Used to control if the browser is allowed to only access a site over a secure connection":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+
h3. Additional Resources
The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here:

0 comments on commit 0685984

Please sign in to comment.
Something went wrong with that request. Please try again.