
Added clarifications for default security headers.

1 parent 0685984 commit cb8bcdd9f155348bf8b0e543ddd89a855ec99984 @aantix aantix committed Aug 27, 2012
Showing with 19 additions and 1 deletion.
  1. +19 −1 guides/source/security.textile
20 guides/source/security.textile
@@ -1023,13 +1023,31 @@ Under certain circumstances this would present the malicious HTML to the victim.
h3. Default Headers
-Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>.
+Every HTTP response from your Rails application receives the following default security headers.
+
+<ruby>
+config.action_dispatch.default_headers = {
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff'
+}
+</ruby>
+
+You can configure default headers in <ruby>config/application.rb</ruby>.
+
<ruby>
config.action_dispatch.default_headers = {
'Header-Name' => 'Header-Value',
'X-Frame-Options' => 'DENY'
}
</ruby>
+
+Or you can remove them.
+
+<ruby>
+config.action_dispatch.default_headers.clear
+</ruby>
+
Here is the list of common headers:
* X-Frame-Options
_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
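Review bot: The "configure" and "remove" examples in this hunk both silently discard protections without saying so. The second block assigns a whole new hash (`config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' }`), which replaces the defaults listed just above it, so `X-XSS-Protection` and `X-Content-Type-Options` are no longer sent; the text should state that assignment replaces rather than merges, or the example should show adding or overriding a single key on the existing hash. Likewise `config.action_dispatch.default_headers.clear` under "Or you can remove them" drops all three headers at once, which deserves a sentence noting that removing one header (for example with `delete`) is the more common need. Two smaller points: the first block presents the built-in defaults as an assignment the reader is expected to write, when it is describing what they already get, and the removed sentence about `ActionDispatch::Response.default_headers` being the source of these headers was useful and is now gone from the guide.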
