this gem adds more security related headers to the response for a rails3 application. mainly inspired by google-gets-a-1-for-browser-security and HttpCaching. and Clickjacking

the extra headers are

  • x-frame headers
  • x-content-type headers
  • x-xss-protection headers
  • caching headers

the main idea is to set the default as strict as possible and the application might relax the setup here and there.

rails configuration

in config/application.rb or in one of the config/environments/*rb files or in an initializer. all three x-headers can be configured here, for example

config.x_content_type_headers = :nosniff

controller configuration

just add in your controller something like

x_xss_protection :block

option for each render, send_file, send_data methods

an example for an inline render

render :inline => 'behappy', :x_frame_headers => :deny

possible values

  • x_frame_headers : :deny, :sameorigin, :off default :deny

  • x_content_type_headers : :nosniff, :off default :nosniff

  • x_xss_protection_headers : :block, :disabled, :off default :block

cache headers

the cache headers needs to have a current_user, i.e. the current_user method of the controller needs to return a non-nil value. further the the method needs to :get and the response status an "ok" status,

then you can use the controller configuration or the options with render, send_file and send_data.

possible values

def my_headers
    no_store = false