Ixtlan
this gem adds more security-related headers to the response of a Rails 3 application. mainly inspired by google-gets-a-1-for-browser-security, HttpCaching and Clickjacking.
the extra headers are
- x-frame headers
- x-content-type headers
- x-xss-protection headers
- caching headers
the main idea is to set the defaults as strict as possible; the application can then relax the setup here and there.
rails configuration
in config/application.rb, in one of the config/environments/*.rb files or in an initializer. all three x-headers can be configured here, for example
config.x_content_type_headers = :nosniff
controller configuration
just add something like this to your controller
x_xss_protection :block
options for the render, send_file and send_data methods
an example for an inline render
render :inline => 'behappy', :x_frame_headers => :deny
possible values
- x_frame_headers : :deny, :sameorigin, :off (default :deny)
- x_content_type_headers : :nosniff, :off (default :nosniff)
- x_xss_protection_headers : :block, :disabled, :off (default :block)
cache headers
the cache headers need a current_user, i.e. the current_user method of the controller must return a non-nil value. further, the request method must be GET (:get) and the response status must be an "ok" status. then you can use the controller configuration or the options with render, send_file and send_data.
possible values
- :private : no caching; tells not to cache or store any data anywhere except in the browser memory
- :protected : no caching except in the browser; only the end user's browser is allowed to cache
- :public : caching is allowed; both browser and proxy are allowed to cache
- :my_headers : a custom header method, like
  def my_headers
    no_store = false
    no_caching(no_store) # no_caching is the helper provided by the gem
  end
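To make the option symbols above concrete, here is an added illustration (not Ixtlan's own code) that resolves the README's x-header options into the actual response headers and applies the three preconditions for cache headers (non-nil current_user, GET, "ok" status). The symbol-to-value mapping, the Cache-Control strings for :private/:protected/:public and the module name are assumptions.

```ruby
# Added illustration, not Ixtlan's implementation: map README option
# symbols to concrete response headers. Header values are assumptions.
module IxtlanLikeHeaders
  X_FRAME   = { deny: "DENY", sameorigin: "SAMEORIGIN" }.freeze
  X_CONTENT = { nosniff: "nosniff" }.freeze
  X_XSS     = { block: "1; mode=block", disabled: "0" }.freeze

  # strictest values by default; a controller or render call relaxes them
  DEFAULTS = { x_frame_headers: :deny,
               x_content_type_headers: :nosniff,
               x_xss_protection_headers: :block }.freeze

  # Returns the X-* headers for the merged options. :off omits a header.
  # An unknown symbol raises, so a typo cannot silently drop a protection.
  def self.security_headers(opts = {})
    o = DEFAULTS.merge(opts)
    h = {}
    pick(h, "X-Frame-Options",        X_FRAME,   o[:x_frame_headers])
    pick(h, "X-Content-Type-Options", X_CONTENT, o[:x_content_type_headers])
    pick(h, "X-XSS-Protection",       X_XSS,     o[:x_xss_protection_headers])
    h
  end

  def self.pick(h, name, table, value)
    return if value == :off
    h[name] = table.fetch(value) { raise ArgumentError, "#{name}: bad option #{value.inspect}" }
  end
  private_class_method :pick

  # Assumed Cache-Control strings for the README's three policies.
  CACHE = {
    private:   { "Cache-Control" => "no-cache, no-store, must-revalidate", "Pragma" => "no-cache" },
    protected: { "Cache-Control" => "private, must-revalidate" },
    public:    { "Cache-Control" => "public" }
  }.freeze

  # Cache headers apply only when all three README preconditions hold:
  # a non-nil current_user, a GET request and a 2xx ("ok") status.
  def self.cache_headers(policy, current_user:, method:, status:)
    return {} unless current_user && method == :get && (200..299).cover?(status)
    CACHE.fetch(policy) { raise ArgumentError, "bad cache policy #{policy.inspect}" }
  end
end
```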