
Merge pull request #7390 from aantix/add_x_content_type_options_to_default_headers

Added X-Content-Type-Options to the header defaults.
2 parents db78e58 + 4848bf3; commit af26adcffbf97e8f7abdd63d0a4d501c70250a09; rafaelfranca committed Aug 18, 2012
@@ -51,8 +51,9 @@
*Richard Schneeman*
-* Add 'X-Frame-Options' => 'SAMEORIGIN' and
- 'X-XSS-Protection' => '1; mode=block'
+* Add 'X-Frame-Options' => 'SAMEORIGIN'
+ 'X-XSS-Protection' => '1; mode=block' and
+ 'X-Content-Type-Options' => 'nosniff'
as default headers.
*Egor Homakov*
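Review bot: the rewritten CHANGELOG entry loses the comma between the first two items, so the `+` lines read `Add 'X-Frame-Options' => 'SAMEORIGIN'` followed directly by `'X-XSS-Protection' => '1; mode=block' and`; add a trailing comma to the first `+` line (`* Add 'X-Frame-Options' => 'SAMEORIGIN',`) so the three-item list reads correctly. Since this entry is what people upgrading will read, one clause saying that `nosniff` tells browsers to honour the declared Content-Type instead of sniffing the body would also help them spot that responses served with a missing or wrong Content-Type will now behave differently.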
@@ -21,7 +21,8 @@ class Railtie < Rails::Railtie
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'SAMEORIGIN',
- 'X-XSS-Protection' => '1; mode=block'
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff'
}
initializer "action_dispatch.configure" do |app|
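Review bot: this default puts `X-Content-Type-Options: nosniff` on every response of every new app, not only HTML pages, which is the right choice but is a behaviour change for apps that serve downloads or assets through Rails with a mismatched Content-Type, because the browser will no longer correct the type by sniffing. Worth calling out in the CHANGELOG alongside this hunk, together with the fact that `config.action_dispatch.default_headers` is assigned as a whole hash, so an app that wants to drop one of the three headers has to restate the others.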
@@ -177,9 +177,10 @@ def test_response_body_encoding
end
end
- test "read x_frame_options and x_xss_protection" do
+ test "read x_frame_options, x_content_type_options and x_xss_protection" do
ActionDispatch::Response.default_headers = {
'X-Frame-Options' => 'DENY',
+ 'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1;'
}
resp = ActionDispatch::Response.new.tap { |response|
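Review bot: this test sets `ActionDispatch::Response.default_headers` directly, so it checks that whatever is in that hash is copied onto a response, but it never exercises the railtie default added in this commit; a regression that dropped `'X-Content-Type-Options'` from `config.action_dispatch.default_headers` in the railtie would still pass here. A railtie-level assertion that the shipped default contains `nosniff` would close that gap. Also, the visible lines assign `default_headers` globally without restoring it; if this file has no `teardown` that resets it, later tests in the same process will see these values.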
@@ -188,6 +189,7 @@ def test_response_body_encoding
resp.to_a
assert_equal('DENY', resp.headers['X-Frame-Options'])
+ assert_equal('nosniff', resp.headers['X-Content-Type-Options'])
assert_equal('1;', resp.headers['X-XSS-Protection'])
end
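Review bot: the assertions only confirm that the three defaults land on a fresh response; they do not pin down what happens when the response sets the same header itself. Adding a case that assigns `response.headers['X-Content-Type-Options']` before `resp.to_a` and asserts that the per-response value, not the default, survives would document the intended precedence and guard it against future changes to how defaults are merged.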
@@ -341,7 +341,7 @@ h4. Configuring Action Dispatch
* +config.action_dispatch.default_headers+ is a hash with HTTP headers that are set by default in each response. By default, this is defined as:
<ruby>
-config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block' }
+config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff' }
</ruby>
* +config.action_dispatch.tld_length+ sets the TLD (top-level domain) length for the application. Defaults to +1+.
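Review bot: the guide now lists three headers but explains none of them, so a reader of this section cannot tell what `'X-Content-Type-Options' => 'nosniff'` does or why it is on by default. Add a sentence per header (for `nosniff`: it instructs browsers to use the declared Content-Type rather than sniffing the body), and note that because the option is a single hash assignment, setting `config.action_dispatch.default_headers` in `config/application.rb` replaces all of the defaults, so an app that wants to change one header should restate the rest.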
