security_headers.rb revision 0c6ce6e1864f25f9832d6e7499a3d7457bfbc622
# Application-wide defaults for the secure_headers gem: response headers,
# cookie flags and the Content-Security-Policy sent with every response.
::SecureHeaders::Configuration.default do |config|
  # --- Transport / legacy hardening headers -----------------------------
  # NOTE(review): max-age=99 is 99 *seconds*; a browser forgets the HTTPS-only
  # pin that soon after its last response, so this value gives almost no
  # protection in practice. Confirm whether it is a deliberate roll-out value.
  config.hsts = 'max-age=99; includeSubdomains'
  # Framing is controlled here only; no CSP frame_ancestors is set below.
  config.x_frame_options = 'SAMEORIGIN'
  # Stop browsers from MIME-sniffing responses away from the declared type.
  config.x_content_type_options = 'nosniff'
  # Legacy reflected-XSS filter header; modern browsers rely on CSP instead.
  config.x_xss_protection = '1; mode=block'

  # --- Cookie flags applied by the gem ---------------------------------
  # Cookies are HTTPS-only and SameSite=Strict, but remain readable from
  # script (httponly: false). NOTE(review): confirm that client-side code
  # actually needs cookie access; otherwise httponly: true is the safer default.
  config.cookies = { secure: true, httponly: false, samesite: { strict: true } }

  # --- Content-Security-Policy -----------------------------------------
  # Every fetch directive is pinned to the page's own origin. style_src
  # additionally allows 'unsafe-inline' because GWT emits inline <style>
  # elements and style attributes; this is the one deliberate relaxation.
  # Directive order is kept as-is so the serialised header is unchanged.
  config.csp = {
    default_src: ["'self'"],
    style_src:   ["'self'", "'unsafe-inline'"],
    script_src:  ["'self'"],
    img_src:     ["'self'"],
    connect_src: ["'self'"],
    font_src:    ["'self'"],
    media_src:   ["'self'"],
    object_src:  ["'self'"],
    child_src:   ["'self'"],
  }
end