authorLouise Crow <louise.crow@gmail.com>2014-12-09 12:53:07 +0000
committerLouise Crow <louise.crow@gmail.com>2014-12-09 12:53:07 +0000
commit89a1999479e1da7ab78e48d23fddb3b14ebbb40e (patch)
tree46b3e7a782a397524a0b1dc62d7403371e142ebc /config/initializers/secure_headers.rb
parent8d633f37bed60871fc59312dd436fb3ff7b6e37c (diff)
parent9f5f602fbb38a32619dad93464c1ab263b1a66d7 (diff)
Merge branch 'owasp-fixes' into rails-3-develop
Diffstat (limited to 'config/initializers/secure_headers.rb')
-rw-r--r--config/initializers/secure_headers.rb24
1 files changed, 24 insertions, 0 deletions
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 000000000..99730e6b2
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,24 @@
+::SecureHeaders::Configuration.configure do |config|
+
+ # https://tools.ietf.org/html/rfc6797
+ if AlaveteliConfiguration::force_ssl
+ config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true }
+ else
+ config.hsts = false
+ end
+ # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
+ config.x_frame_options = "sameorigin"
+
+ # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
+ config.x_content_type_options = "nosniff"
+
+ # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx
+ config.x_xss_protection = { :value => 1 }
+
+ # https://w3c.github.io/webappsec/specs/content-security-policy/
+ config.csp = false
+
+ # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions
+ config.x_download_options = false
+end
+
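Review bot: The `config.x_xss_protection = { :value => 1 }` line turns on the legacy browser XSS filter in its default "sanitize" mode instead of blocking mode; in sanitize mode the browser rewrites the page it thinks is under attack, and that rewriting has itself been abused to neutralise script-based defences, so the commonly recommended form is `config.x_xss_protection = { :value => 1, :mode => 'block' }`. On the `force_ssl` branch, `:include_subdomains => true` combined with a 20-year `max_age` commits every subdomain to HTTPS for any browser that sees the header once, which silently breaks any subdomain still served over plain HTTP; that should be confirmed for each deployment before `force_ssl` is enabled. Setting `config.csp = false` leaves the site with no Content-Security-Policy at all; if a full policy is not practical yet, a report-only policy would at least surface inline scripts and third-party origins without affecting users. A comment above the hsts line would help the next operator, e.g. `# NOTE: include_subdomains pins every subdomain to HTTPS for max_age; make sure none is served over plain HTTP.`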