Browse files

default headers init

  • Loading branch information...
1 parent 4587e47 commit dad633c0f1888ce527a43d8bc782cfc9af440afa @homakov homakov committed Aug 27, 2012
Showing with 23 additions and 0 deletions.
  1. +23 −0 guides/source/security.textile
@@ -1021,6 +1021,29 @@ Content-Type: text/html
Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._
+h3. Default Headers
+Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>.
+config.action_dispatch.default_headers = {
+ 'Header-Name' => 'Header-Value',
+ 'X-Frame-Options' => 'DENY'
+Here is the list of common headers:
+* X-Frame-Options
+_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
+* X-XSS-Protection
+_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters)
+* X-Content-Type-Options
+_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file.
+* X-Content-Security-Policy
+"A powerful mechanism for controlling which sites certain content types can be loaded from":
+* Access-Control-Allow-Origin
+Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
+* Strict-Transport-Security
+"Used to control if the browser is allowed to only access a site over a secure connection":
h3. Additional Resources
The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here:

0 comments on commit dad633c

Please sign in to comment.