default headers init
This commit is contained in:
parent
4587e47bb9
commit
dad633c0f1
@ -1021,6 +1021,29 @@ Content-Type: text/html
|
||||
Under certain circumstances this would present the malicious HTML to the victim. However, this only seems to work with Keep-Alive connections (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._
|
||||
|
||||
|
||||
h3. Default Headers
|
||||
|
||||
Every HTTP response from Rails application inherites headers from ActionDispatch::Response.default_headers hash. You can configure default headers in <ruby>config/application.rb</ruby>.
|
||||
<ruby>
|
||||
config.action_dispatch.default_headers = {
|
||||
'Header-Name' => 'Header-Value',
|
||||
'X-Frame-Options' => 'DENY'
|
||||
}
|
||||
</ruby>
|
||||
Here is the list of common headers:
|
||||
* X-Frame-Options
|
||||
_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
|
||||
* X-XSS-Protection
|
||||
_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters)
|
||||
* X-Content-Type-Options
|
||||
_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file.
|
||||
* X-Content-Security-Policy
|
||||
"A powerful mechanism for controlling which sites certain content types can be loaded from":http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
|
||||
* Access-Control-Allow-Origin
|
||||
Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
|
||||
* Strict-Transport-Security
|
||||
"Used to control if the browser is allowed to only access a site over a secure connection":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||
|
||||
h3. Additional Resources
|
||||
|
||||
The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here:
|
||||
|
Loading…
Reference in New Issue
Block a user