No commit activity in last 3 years
No release in over 3 years
cache header control, dynamic configuration, and optimistic find on model via updated_at timestamp
 Dependencies

Development

= 0.9.4
= 3.0.9
= 2.6.0
= 3.0.4.0.29.0
~> 0.4.2
 Project Readme

Ixtlan

this gem adds more security-related headers to the response of a rails3 application. mainly inspired by google-gets-a-1-for-browser-security, HttpCaching and Clickjacking.

the extra headers are

  • x-frame headers
  • x-content-type headers
  • x-xss-protection headers
  • caching headers

the main idea is to make the defaults as strict as possible; the application can then relax the setup here and there.

rails configuration

in config/application.rb, in one of the config/environments/*.rb files or in an initializer. all three x-headers can be configured here, for example

config.x_content_type_headers = :nosniff

controller configuration

just add in your controller something like

x_xss_protection :block

option for each render, send_file, send_data methods

an example for an inline render

render :inline => 'behappy', :x_frame_headers => :deny

possible values

  • x_frame_headers : :deny, :sameorigin, :off default :deny

  • x_content_type_headers : :nosniff, :off default :nosniff

  • x_xss_protection_headers : :block, :disabled, :off default :block

cache headers

the cache headers need a current_user, i.e. the current_user method of the controller needs to return a non-nil value. further, the request method needs to be :get and the response status needs to be an "ok" status.

then you can use the controller configuration or the options with render, send_file and send_data.

possible values

def my_headers
  no_store = false
  no_caching(no_store)
end