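# Response security headers for every request (secure_headers gem defaults).
SecureHeaders::Configuration.default do |config|
  # HSTS for one year, including subdomains. The previous value, max-age=99,
  # expired 99 seconds after the last HTTPS visit and gave practically no
  # protection against SSL stripping. Raising it is a commitment: browsers
  # will refuse plain HTTP for the whole origin and all subdomains for the
  # full period, so every subdomain must be reachable over HTTPS first.
  config.hsts = 'max-age=31536000; includeSubdomains'
  config.x_frame_options = 'SAMEORIGIN'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection = '1; mode=block'

  config.cookies = {
    # Cookies are only ever sent over HTTPS.
    secure: true,
    # NOTE(review): httponly: false leaves cookies readable by any script on the
    # page, so an XSS can exfiltrate them. Presumably the GWT client needs cookie
    # access -- confirm; if it does not, switch this to true.
    httponly: false,
    samesite: {
      strict: true,
    },
  }

  # By default, load resources only from own origin.
  # For CSS, allow styles from style elements and attributes for GWT.
  config.csp = {
    default_src: %w('self'),
    style_src: %w('self' 'unsafe-inline'),
    script_src: %w('self'),
    img_src: %w('self'),
    connect_src: %w('self'),
    font_src: %w('self'),
    media_src: %w('self'),
    # NOTE(review): 'self' still permits plugin content (object/embed) served
    # from this origin; 'none' is the usual choice when no plugins are needed --
    # confirm against the app before tightening.
    object_src: %w('self'),
    child_src: %w('self'),
    # CSP counterpart of X-Frame-Options SAMEORIGIN above, for browsers that
    # consult frame-ancestors instead of (or in preference to) that header.
    frame_ancestors: %w('self'),
  }
end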