rails generator templates for ixtlan gems
 Project Readme

Ixtlan

this gem adds more security-related headers to the response of a rails3 application. it is mainly inspired by google-gets-a-1-for-browser-security, HttpCaching and Clickjacking.

the extra headers are:

  • x-frame headers
  • x-content-type headers
  • x-xss-protection headers
  • caching headers

the main idea is to set the defaults as strict as possible; the application can then relax the setup here and there.

rails configuration

in config/application.rb, in one of the config/environments/*.rb files, or in an initializer. all three x-headers can be configured here, for example:

config.x_content_type_headers = :nosniff

controller configuration

just add something like this to your controller:

x_xss_protection :block

options for the render, send_file and send_data methods

an example with an inline render:

render :inline => 'behappy', :x_frame_headers => :deny

possible values

  • x_frame_headers: :deny, :sameorigin, :off (default :deny)

  • x_content_type_headers: :nosniff, :off (default :nosniff)

  • x_xss_protection_headers: :block, :disabled, :off (default :block)

cache headers

the cache headers need a current_user, i.e. the current_user method of the controller needs to return a non-nil value. further, the request method needs to be a GET and the response status an "ok" status;

then you can use the controller configuration or the options with render, send_file and send_data.

possible values

def my_headers
  # no_caching takes a single no_store flag
  no_store = false
  no_caching(no_store)
end
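The policy described above (strict defaults, relaxed per controller or per render, cache headers only for an authenticated successful GET) as an added, framework-free illustration; this is not the ixtlan gem's own code. The mapping from the README's symbols to header values, and the Cache-Control values used for no_caching, are assumptions made here.

```ruby
# Added illustration of the header policy the README describes; not the
# gem's implementation. Unknown symbols raise KeyError (fail closed).
class SecurityHeaders
  # Defaults from the README's "possible values" section.
  DEFAULTS = { x_frame_headers: :deny,
               x_content_type_headers: :nosniff,
               x_xss_protection_headers: :block }.freeze

  # Symbol -> header value (assumed mapping). :off means "do not emit".
  FRAME = { deny: 'DENY', sameorigin: 'SAMEORIGIN' }.freeze
  CTYPE = { nosniff: 'nosniff' }.freeze
  XSS   = { block: '1; mode=block', disabled: '0' }.freeze

  # app_config plays the role of config.x_*_headers in application.rb
  def initialize(app_config = {})
    @config = DEFAULTS.merge(app_config)
  end

  # opts plays the role of the per-render options (:x_frame_headers => ...);
  # no_store mirrors the argument of no_caching(no_store).
  def headers_for(verb:, status:, current_user:, opts: {}, no_store: false)
    cfg = @config.merge(opts)
    h = {}
    v = cfg[:x_frame_headers]
    h['X-Frame-Options'] = FRAME.fetch(v) unless v == :off
    v = cfg[:x_content_type_headers]
    h['X-Content-Type-Options'] = CTYPE.fetch(v) unless v == :off
    v = cfg[:x_xss_protection_headers]
    h['X-XSS-Protection'] = XSS.fetch(v) unless v == :off
    # Cache headers only for a successful GET with a logged-in user
    # (assumed Cache-Control values).
    if current_user && verb == :get && status == 200
      h['Cache-Control'] = no_store ? 'no-store' : 'no-cache'
    end
    h
  end
end
```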