config/initializers/secure_headers.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

::SecureHeaders::Configuration.configure do |config|

    # https://tools.ietf.org/html/rfc6797
    if AlaveteliConfiguration::force_ssl
        config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true }
    else
        config.hsts = false
    end
    # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
    config.x_frame_options = "sameorigin"

    # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
    config.x_content_type_options = "nosniff"

    # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx
    config.x_xss_protection = { :value => 1 }

    # https://w3c.github.io/webappsec/specs/content-security-policy/
    config.csp = false

    # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions
    config.x_download_options = false
end