2 files changed, 25 insertions, 0 deletions

diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
index b0b975e23..077db4757 100644
--- a/config/initializers/alaveteli.rb
+++ b/config/initializers/alaveteli.rb
@@ -56,6 +56,7 @@ require 'public_body_csv'
 require 'category_and_heading_migrator'
 require 'public_body_categories'
 require 'routing_filters'
+require 'alaveteli_text_masker'
 
 AlaveteliLocalization.set_locales(AlaveteliConfiguration::available_locales,
                                   AlaveteliConfiguration::default_locale)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 000000000..99730e6b2
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,24 @@
+::SecureHeaders::Configuration.configure do |config|
+
+    # https://tools.ietf.org/html/rfc6797
+    if AlaveteliConfiguration::force_ssl
+        config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true }
+    else
+        config.hsts = false
+    end
+    # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
+    config.x_frame_options = "sameorigin"
+
+    # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
+    config.x_content_type_options = "nosniff"
+
+    # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx
+    config.x_xss_protection = { :value => 1 }
+
+    # https://w3c.github.io/webappsec/specs/content-security-policy/
+    config.csp = false
+
+    # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions
+    config.x_download_options = false
+end
+