cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Switch to rails 7 default headers

Browse source 
These are basically all the same as what secure_headers
was already setting for us anyway.
This commit is contained in:
Tom Hughes 2022-02-22 19:12:09 +00:00
parent fe79965869
commit 5b3edb8075
1 changed files with 8 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

16
config/initializers/new_framework_defaults_7_0.rb
View file

@ -107,11 +107,11 @@ Rails.application.config.action_controller.wrap_parameters_by_default = true
Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true
# Change the default headers to disable browsers' flawed legacy XSS protection.
# Rails.application.config.action_dispatch.default_headers = {
# "X-Frame-Options" => "SAMEORIGIN",
# "X-XSS-Protection" => "0",
# "X-Content-Type-Options" => "nosniff",
# "X-Download-Options" => "noopen",
# "X-Permitted-Cross-Domain-Policies" => "none",
# "Referrer-Policy" => "strict-origin-when-cross-origin"
# }
Rails.application.config.action_dispatch.default_headers = {
"X-Frame-Options" => "SAMEORIGIN",
"X-XSS-Protection" => "0",
"X-Content-Type-Options" => "nosniff",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none",
"Referrer-Policy" => "strict-origin-when-cross-origin"
}