Annotated SecureHeaders Rails initializer
::SecureHeaders::Configuration.configure do |config|
  # Quick reference: https://github.com/twitter/secureheaders
  #
  # Transport-layer headers (HSTS, HPKP) are deliberately not emitted by the app:
  # per the tickets referenced below they are added by Ops in a downstream proxy.
  # Assigning false tells the gem to send no header at all for that option.

  # <redacted-issue-num> - HSTS is set by Ops in a downstream proxy.
  # Once a browser has seen the HTTPS site it rewrites later http:// requests
  # to https:// on its own.
  # https://tools.ietf.org/html/rfc6797
  config.hsts = false

  # <redacted-issue-num> - HPKP is set by Ops in a downstream proxy.
  # Pins this site's TLS certificate in the browser so that a later MITM backed
  # by a rogue CA issuing a "valid" cert is rejected.
  # https://scotthelme.co.uk/hpkp-http-public-key-pinning/
  config.hpkp = false

  # Never render this site inside a frame (clickjacking defence).
  # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
  config.x_frame_options = 'DENY'

  # Ask the browser's reflected-XSS filter to block the page instead of
  # rendering a sanitised version.
  # https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx
  config.x_xss_protection = { value: 1, mode: 'block' }

  # Scripts and stylesheets are only executed when served with the right MIME type.
  # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  # http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
  config.x_content_type_options = 'nosniff'

  # Files downloaded from this site get no "Open" button in the download dialog.
  # https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx
  config.x_download_options = 'noopen'

  # Adobe (Flash/Acrobat) content on other sites may not embed content from here.
  # https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
  # https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
  config.x_permitted_cross_domain_policies = 'none'

  # Content Security Policy - the main XSS mitigation.
  # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  # The policy is built as a local hash first so the directives read as a table.
  csp_policy = {
    # send the enforcing header rather than the report-only variant
    enforce: true,
    # nothing is allowed unless a directive below opts it in
    default_src: 'none',
    # XHR / WebSocket / EventSource connections: same origin only
    connect_src: 'self',
    # our fonts plus Google fonts (the gstatic host is referenced from Google's font CSS)
    font_src: 'self https://fonts.gstatic.com',
    # only the <redacted> and <redacted> frames may be embedded in the site;
    # frame-src is deprecated in CSP but still the directive this gem uses
    frame_src: '<url1> <url2>',
    # images from our origin only
    img_src: 'self',
    # no <audio>/<video> sources
    media_src: 'none',
    # no plugins
    object_src: 'none',
    # NOTE(review): 'inline' permits inline <script> blocks (the gem appears to
    # emit it as 'unsafe-inline' - confirm for the installed version). That lets
    # any injected inline script run, which removes most of the XSS protection
    # this policy exists for. The commented-out 'self'-only value is the target
    # once inline scripts have been moved into served files; violations will
    # show up at report_uri while migrating.
    # script_src: 'self',
    script_src: 'self inline',
    # our stylesheets plus the Google font CSS
    style_src: 'self https://fonts.googleapis.com',
    # no relaxed directives for plain HTTP - the site is HTTPS only, with HSTS
    # enforced at the proxy (see config.hsts above)
    http_additions: {},
    # must match the route declared in routes.rb
    report_uri: '/csp_violation'
  }
  config.csp = csp_policy
end