security_headers.rb revision 1974ebd587f6c126ffe11829f944d7c10c667d98
# Default SecureHeaders configuration applied to every response.
::SecureHeaders::Configuration.default do |config|
  # NOTE(review): a max-age of 99 seconds gives almost no HSTS protection —
  # browsers forget the policy moments after the last visit. Once HTTPS is
  # known to work for every host covered by include_subdomains, raise this to
  # at least one year (31536000). Also confirm that the installed gem version
  # accepts this underscore form and emits a valid Strict-Transport-Security
  # header (the standard directives are `max-age` and `includeSubDomains`) —
  # TODO verify against the gem's documentation.
  config.hsts = 'max_age=99; include_subdomains=true'
  # Refuse to be framed by any origin (clickjacking protection).
  config.x_frame_options = 'DENY'
  # Stop browsers from MIME-sniffing a response away from its declared Content-Type.
  config.x_content_type_options = 'nosniff'
  # Legacy browser XSS-auditor header; the CSP below is the primary control.
  config.x_xss_protection = '1; mode=block'
  # By default, load resources only from own origin.
  # For CSS, allow styles from style elements and attributes for GWT.
  config.csp = {
    default_src: %w('self'),
    # 'unsafe-inline' is limited to styles (GWT injects them); script_src
    # below stays 'self'-only, so inline script is still blocked.
    style_src: %w('self' 'unsafe-inline'),
    script_src: %w('self'),
    frame_src: %w('self'),
    img_src: %w('self'),
    connect_src: %w('self'),
    font_src: %w('self'),
    media_src: %w('self'),
    object_src: %w('self'),
    child_src: %w('self'),
    # Gem-specific option; its effect on the emitted header is not visible
    # here — presumably controls chrome-extension: source handling; verify
    # against the secure_headers docs for the installed version.
    disable_chrome_extension: true,
  }
end