HTTP headers protect against MIME-sniffing, force https if enabled.

2013-12-30 09:41:05 +01:00 · 2013-12-30 09:41:05 +01:00 · 94c96cd445
parent e2dbe0fad7
commit 94c96cd445
2 changed files with 3 additions and 0 deletions
--- a/1
+++ b/1
@ -8,6 +8,7 @@ v 6.5.0
  - Add project visibility icons to dashboard
  - Enable secure cookies if https used
  - Protect users/confirmation with rack_attack
+  - Default HTTP headers to protect against MIME-sniffing, force https if enabled

 v6.4.3
  - Don't use unicorn worker killer if PhusionPassenger is defined
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base
    headers['X-Frame-Options'] = 'DENY'
    headers['X-XSS-Protection'] = '1; mode=block'
    headers['X-UA-Compatible'] = 'IE=edge'
+    headers['X-Content-Type-Options'] = 'nosniff'
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
  end

  def add_gon_variables