security_headers.rb revision 450c425d47cb4ff346c009bf6193057cee85fcc6
# Default response-header policy for the application, registered with the
# secure_headers gem. Every response gets HSTS, clickjacking protection,
# MIME-sniffing protection, the legacy XSS filter header, and a CSP that
# pins each resource type to the page's own origin.
::SecureHeaders::Configuration.default do |config|
  # NOTE(review): a 99-second max-age means browsers forget the HTTPS-only
  # rule almost immediately after each visit; a much longer window is the
  # usual production setting once every subdomain is confirmed to serve HTTPS.
  config.hsts = 'max-age=99; includeSubdomains'
  config.x_frame_options = 'DENY'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection = '1; mode=block'

  # Start from "own origin only" for every directive we set, then relax
  # style_src alone: GWT injects styles via <style> elements and style
  # attributes, which CSP only permits with 'unsafe-inline'.
  same_origin_directives = %i[
    default_src style_src script_src frame_src img_src
    connect_src font_src media_src object_src child_src
  ]
  policy = same_origin_directives.each_with_object({}) do |directive, directives|
    directives[directive] = %w('self')
  end
  policy[:style_src] = %w('self' 'unsafe-inline')
  config.csp = policy
end