Merge pull request #109 from aantix/default_security_headers_clarifications

Added clarifications for default security headers.
2 parents 0685984 + cb8bcdd, commit da85347a06fefb55b1ddb85e44ac621f034af1b3, @aantix committed Aug 29, 2012
Showing with 19 additions and 1 deletion.
  1. +19 −1 guides/source/security.textile
@@ -1023,13 +1023,31 @@ Under certain circumstances this would present the malicious HTML to the victim.
h3. Default Headers
-Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>.
+Every HTTP response from your Rails application receives the following default security headers.
+
+<ruby>
+config.action_dispatch.default_headers = {
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff'
+}
+</ruby>
+
+You can configure default headers in <ruby>config/application.rb</ruby>.
+
<ruby>
config.action_dispatch.default_headers = {
'Header-Name' => 'Header-Value',
'X-Frame-Options' => 'DENY'
}
</ruby>
+
+Or you can remove them.
+
+<ruby>
+config.action_dispatch.default_headers.clear
+</ruby>
+
Here is the list of common headers:
* X-Frame-Options
_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
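Review bot: the "You can configure default headers" example assigns a fresh Hash (`config.action_dispatch.default_headers = { 'Header-Name' => 'Header-Value', 'X-Frame-Options' => 'DENY' }`), which replaces the entire default set rather than adding to it, so a reader who copies it silently loses the `X-XSS-Protection` and `X-Content-Type-Options` headers that the new paragraph just above lists as defaults. Either list all three headers in that example, use `config.action_dispatch.default_headers.merge!('X-Frame-Options' => 'DENY')`, or say in the sentence that assignment overrides the defaults. "Or you can remove them." with `default_headers.clear` should likewise carry a one-line warning that it strips every protective header from every response; as written it reads like a neutral option. In the retained context line, 'ALLOWALL' is not a value defined for X-Frame-Options (the defined values are DENY, SAMEORIGIN and ALLOW-FROM); an unrecognized value is simply ignored by browsers, so the guide should tell readers to omit the header instead of recommending 'ALLOWALL' to permit framing.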
