Add secureheaders

Issue some security-related headers by default.
author: Louise Crow <louise.crow@gmail.com> 2014-11-18 16:18:31 +0000
committer: Louise Crow <louise.crow@gmail.com> 2014-12-05 15:57:18 +0000
commit: 72fcd18521d4b65b391310e758d5f8a2cb677950 (patch)
tree: f83504c0c0013c0d54d50cf0ad78ae09243d5269 /config/initializers/secure_headers.rb
parent: 7a7899bf8ad3e89f59b956ef74d1d44271396328 (diff)
1 files changed, 24 insertions, 0 deletions
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 000000000..99730e6b2
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,24 @@
+::SecureHeaders::Configuration.configure do |config|
+
+    # https://tools.ietf.org/html/rfc6797
+    if AlaveteliConfiguration::force_ssl
+        config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true }
+    else
+        config.hsts = false
+    end
+    # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
+    config.x_frame_options = "sameorigin"
+
+    # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
+    config.x_content_type_options = "nosniff"
+
+    # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx
+    config.x_xss_protection = { :value => 1 }
+
+    # https://w3c.github.io/webappsec/specs/content-security-policy/
+    config.csp = false
+
+    # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions
+    config.x_download_options = false
+end
+
author	Louise Crow <louise.crow@gmail.com>	2014-11-18 16:18:31 +0000
committer	Louise Crow <louise.crow@gmail.com>	2014-12-05 15:57:18 +0000
commit	72fcd18521d4b65b391310e758d5f8a2cb677950 (patch)
tree	f83504c0c0013c0d54d50cf0ad78ae09243d5269 /config/initializers/secure_headers.rb
parent	7a7899bf8ad3e89f59b956ef74d1d44271396328 (diff)