@oojikoo-gist
Last active September 14, 2015 14:37
rails: SecureHeaders
  • Content Security Policy (CSP) - Whitelists the origins from which a page may load scripts, frames, images and other resources; helps detect and prevent XSS, mixed content and related injection attacks. Use report_uri to collect violation reports before enforcing a strict policy. CSP 1.1 Specification
  • HTTP Strict Transport Security (HSTS) - Once received over HTTPS, tells the browser to rewrite http:// requests to https:// for the site for max-age seconds (and, with includeSubDomains, for its subdomains). Protects against SSLStrip/Firesheep-style downgrade and cookie-sniffing attacks; the header is ignored when received over plain HTTP, so it must be served on the HTTPS responses. HSTS Specification
  • X-Frame-Options (XFO) - Prevents your content from being framed by other origins and therefore clickjacked (DENY forbids all framing, SAMEORIGIN allows framing only by the same origin). X-Frame-Options draft
  • X-XSS-Protection - Enables the reflected cross-site scripting heuristic filter in IE and older Chrome; `1; mode=block` blocks the page instead of rewriting it. Chromium-based browsers have since removed the filter, so treat it as a legacy addition and rely on CSP.
  • X-Content-Type-Options - nosniff stops the browser from MIME-sniffing a response into a different content type (for example executing a user upload as script or a stylesheet).
  • X-Download-Options - noopen stops IE from opening a downloaded file directly in the browser, where it would run in the context of your site.
  • X-Permitted-Cross-Domain-Policies - Restricts whether Adobe Flash Player and Acrobat may load data cross-domain via crossdomain.xml; none disallows policy files entirely.

Configuration

::SecureHeaders::Configuration.configure do |config|
  config.hsts = {:max_age => 20.years.to_i, :include_subdomains => true}
  config.x_frame_options = 'DENY'
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = {:value => 1, :mode => 'block'}
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.csp = {
    :default_src => "https: self",
    :frame_src => "https: http:.twimg.com http://itunes.apple.com",
    :img_src => "https:",
    :report_uri => '//example.com/uri-directive'
  }
end

# and then simply include this in application_controller.rb
class ApplicationController < ActionController::Base
  ensure_security_headers
end
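To see what the configuration above actually puts on the wire, and to catch a weak setting before it ships, here is an added example in plain Ruby (not the secure_headers gem's code and not from the gist): it serialises a configuration hash of the same shape into the response headers a browser receives, then audits that header set. It assumes no Rails, so ActiveSupport's `20.years.to_i` is replaced with a literal, and `'self'` is written with the quotes the CSP grammar requires because nothing here expands the gem's bare `self` shorthand. The thresholds (one-year HSTS, no `'unsafe-inline'`, no `*` in script sources) are the checks I would apply; they are not the gem's.

```ruby
# Added example, not secure_headers' own code: render a SecureHeaders-style
# configuration into response headers and audit the result for weak settings.
module HeaderAudit
  ONE_YEAR = 365 * 24 * 3600

  # Constructed configuration mirroring the gist. Assumption: 20.years.to_i is
  # replaced by 20 * 365 * 24 * 3600; the twimg entry is dropped for brevity.
  CONFIG = {
    hsts: { max_age: 20 * 365 * 24 * 3600, include_subdomains: true },
    x_frame_options: 'DENY',
    x_content_type_options: 'nosniff',
    x_xss_protection: { value: 1, mode: 'block' },
    x_download_options: 'noopen',
    x_permitted_cross_domain_policies: 'none',
    csp: {
      default_src: "https: 'self'",
      frame_src: 'https: http://itunes.apple.com',
      img_src: 'https:',
      report_uri: '//example.com/uri-directive'
    }
  }.freeze

  # Serialise the configuration into the headers a response would carry.
  def self.headers(config = CONFIG)
    h = {}
    if (hsts = config[:hsts])
      parts = ["max-age=#{hsts[:max_age]}"]
      parts << 'includeSubDomains' if hsts[:include_subdomains]
      h['Strict-Transport-Security'] = parts.join('; ')
    end
    h['X-Frame-Options'] = config[:x_frame_options] if config[:x_frame_options]
    h['X-Content-Type-Options'] = config[:x_content_type_options] if config[:x_content_type_options]
    if (xss = config[:x_xss_protection])
      parts = [xss[:value].to_s]
      parts << "mode=#{xss[:mode]}" if xss[:mode]
      h['X-XSS-Protection'] = parts.join('; ')
    end
    h['X-Download-Options'] = config[:x_download_options] if config[:x_download_options]
    if config[:x_permitted_cross_domain_policies]
      h['X-Permitted-Cross-Domain-Policies'] = config[:x_permitted_cross_domain_policies]
    end
    if (csp = config[:csp])
      # Ruby keys use underscores; the header grammar uses hyphens (default-src).
      h['Content-Security-Policy'] =
        csp.map { |name, value| "#{name.to_s.tr('_', '-')} #{value}" }.join('; ')
    end
    h
  end

  # Parse a CSP header into { 'default-src' => ['https:', "'self'"], ... }.
  def self.parse_csp(value)
    value.split(';').each_with_object({}) do |directive, acc|
      name, *sources = directive.strip.split(/\s+/)
      acc[name] = sources if name
    end
  end

  # Return a list of findings; an empty list means nothing weak was detected.
  def self.audit(headers)
    findings = []

    if (hsts = headers['Strict-Transport-Security'])
      age = hsts[/max-age=(\d+)/, 1].to_i
      findings << "HSTS max-age #{age} is below one year" if age < ONE_YEAR
    else
      findings << 'Strict-Transport-Security missing'
    end

    unless %w[DENY SAMEORIGIN].include?(headers['X-Frame-Options'].to_s.upcase)
      findings << 'X-Frame-Options is not DENY or SAMEORIGIN'
    end

    findings << 'X-Content-Type-Options is not nosniff' unless headers['X-Content-Type-Options'] == 'nosniff'

    if (csp = headers['Content-Security-Policy'])
      directives = parse_csp(csp)
      # script-src falls back to default-src when absent, so audit whichever applies.
      script_sources = directives['script-src'] || directives['default-src'] || []
      findings << 'CSP has no default-src' unless directives.key?('default-src')
      findings << "CSP allows 'unsafe-inline' scripts" if script_sources.include?("'unsafe-inline'")
      findings << "CSP allows 'unsafe-eval'" if script_sources.include?("'unsafe-eval'")
      findings << 'CSP script sources include *' if script_sources.include?('*')
      findings << 'CSP has no report-uri' unless directives.key?('report-uri')
    else
      findings << 'Content-Security-Policy missing'
    end

    findings
  end
end

if $PROGRAM_NAME == __FILE__
  HeaderAudit.headers.each { |name, value| puts "#{name}: #{value}" }
  puts "findings: #{HeaderAudit.audit(HeaderAudit.headers).inspect}"
end
```

Running the file prints the seven headers and an empty findings list for the gist's configuration; pass a weaker hash to `HeaderAudit.headers` (a short HSTS max-age, `X-Frame-Options: ALLOWALL`, a script-src of `* 'unsafe-inline'`) and `audit` names each problem. The same `audit` method can be pointed at the headers of a real response from the Rails test client to keep the configuration from regressing.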