From fa7f578ba46233be1fa89f6981a68892a5b2103d Mon Sep 17 00:00:00 2001
From: Mo Bitar
Date: Mon, 21 Oct 2019 16:11:49 -0500
Subject: [PATCH] Security headers

---
 config/application.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/application.rb b/config/application.rb
index b51515e88..9a0fd93e4 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -29,7 +29,10 @@ module StandardNotes
     }
     SecureHeaders::Configuration.default do |config|
-      config.x_frame_options = "ALLOWALL"
+      config.x_frame_options = "SAMEORIGIN"
+      config.x_content_type_options = "nosniff"
+      config.x_xss_protection = "1; mode=block"
+      config.hsts = "max-age=#{1.week.to_i}"
       config.csp = {
         # "meta" values. these will shape the header, but the values are not included in the header.
         preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.