authorLouise Crow <louise.crow@gmail.com>2015-03-30 16:00:02 +0100
committerLouise Crow <louise.crow@gmail.com>2015-03-30 16:00:02 +0100
commitf24cc98afa25ad6010ae5316eecc15dfdb3fa79b (patch)
treec32fecb16bb2097da7dfdf90e6915fce0bf1a425 /config/initializers/secure_headers.rb
parent823e58dc69960c600230b10604a0051359173f85 (diff)
parent3c0604cf900ad274d8f6ff421d39854ccbf4b6af (diff)
Merge branch 'release/0.21'0.21.0.0
Conflicts: locale/cy/app.po locale/es_NI/app.po locale/hr/app.po locale/is_IS/app.po locale/sr@latin/app.po
Diffstat (limited to 'config/initializers/secure_headers.rb')
-rw-r--r--config/initializers/secure_headers.rb24
1 files changed, 24 insertions, 0 deletions
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 000000000..99730e6b2
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,24 @@
+::SecureHeaders::Configuration.configure do |config|
+
+ # https://tools.ietf.org/html/rfc6797
+ if AlaveteliConfiguration::force_ssl
+ config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true }
+ else
+ config.hsts = false
+ end
+ # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
+ config.x_frame_options = "sameorigin"
+
+ # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
+ config.x_content_type_options = "nosniff"
+
+ # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx
+ config.x_xss_protection = { :value => 1 }
+
+ # https://w3c.github.io/webappsec/specs/content-security-policy/
+ config.csp = false
+
+ # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions
+ config.x_download_options = false
+end
+
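Review bot: The `x_xss_protection` setting at `config.x_xss_protection = { :value => 1 }` enables the legacy browser XSS filter without `:mode => 'block'`, so a browser that detects reflected script rewrites the page instead of refusing to render it, which is the weaker of the two behaviours; the gem's option form `config.x_xss_protection = { :value => 1, :mode => 'block' }` selects the blocking mode. Two other lines deserve a comment explaining the decision: `config.csp = false` leaves the site with no Content-Security-Policy at all, and `config.x_download_options = false` omits a header this initializer otherwise sets for IE, so a one-line `# CSP intentionally off until …` style note above each would tell the next maintainer whether these are deliberate. The HSTS block with `:include_subdomains => true` and a 20-year `max_age` is hard to unwind once served, so it is worth stating in a comment that every subdomain is expected to be reachable over HTTPS before `force_ssl` is enabled; I cannot tell from this hunk whether that is the case.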