config/initializers/security_headers.rb

	security_headers.rb revision 52f48599c05f6b3385a2ac8e04ec96cbe7bb4f39
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger::SecureHeaders::Configuration.configure do |config|
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger  config.hsts                   = {:max_age => 99, :include_subdomains => true}
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger  config.x_frame_options        = 'DENY'
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger  config.x_content_type_options = "nosniff"
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger  config.x_xss_protection       = {:value => 1, :mode => false}
52f48599c05f6b3385a2ac8e04ec96cbe7bb4f39henning mueller  # By default, load resources only from own origin.
52f48599c05f6b3385a2ac8e04ec96cbe7bb4f39henning mueller  # For CSS, allow styles from style elements and attributes for GWT.
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger  config.csp                    = {
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger    default_src: "self",
b049c4f1eb105fffb64f9c614c54e95137875dbaJulian Kornberger    style_src:   "'self' 'unsafe-inline'",
b049c4f1eb105fffb64f9c614c54e95137875dbaJulian Kornberger    disable_chrome_extension: true,
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornberger  }
8441cc0be003fcd6294a1b5b93e1143b5bb82ceaJulian Kornbergerend