Mirror of https://github.com/rails/rails.git, synced 2022-11-09 12:12:34 -05:00
Small fixes [ci skip]
parent eb73110135, commit 81cec09aac
1 changed files with 6 additions and 12 deletions
@ -1014,18 +1014,12 @@ config.action_dispatch.default_headers.clear
Here is a list of common headers:
* X-Frame-Options
_'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
* X-XSS-Protection
_'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters)
* X-Content-Type-Options
_'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file.
* X-Content-Security-Policy
[A powerful mechanism for controlling which sites certain content types can be loaded from](http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html)
* Access-Control-Allow-Origin
Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
* Strict-Transport-Security
[Used to control if the browser is allowed to only access a site over a secure connection](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
* X-Frame-Options - _'SAMEORIGIN' in Rails by default_ - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
* X-XSS-Protection - _'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters)
* X-Content-Type-Options - _'nosniff' in Rails by default_ - stops the browser from guessing the MIME type of a file.
* X-Content-Security-Policy - [A powerful mechanism for controlling which sites certain content types can be loaded from](http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html)
* Access-Control-Allow-Origin - Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
* Strict-Transport-Security - [Used to control if the browser is allowed to only access a site over a secure connection](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
Environmental Security
----------------------
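Review bot: the new one-line bullets carry over the wording defects of the lines they replace, which a commit titled "Small fixes" is the place to catch: "for all website" should be "for all websites", "off(useful if response contents scripts" should be "off (useful if the response contains scripts", and the trailing semicolon in '0;' is not part of any documented X-XSS-Protection value (the documented forms are '0' and '1; mode=block'), so it should read '0'. Two header names also deserve attention while these lines are being touched: the CSP bullet should name `Content-Security-Policy`, which is the header the linked W3C specification defines (`X-Content-Security-Policy` was the earlier vendor-prefixed name), and `ALLOWALL` is not a value defined for `X-Frame-Options` (RFC 7034 defines only `DENY`, `SAMEORIGIN` and `ALLOW-FROM`), so the text should say that it works only because browsers ignore an unrecognised value rather than present it as a standard setting. Suggested replacement for the X-XSS-Protection bullet: `* X-XSS-Protection - _'1; mode=block' in Rails by default_ - use XSS Auditor and block page if XSS attack is detected. Set it to '0' if you want to switch XSS Auditor off (useful if the response contains scripts from request parameters).`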