rmorawski/standardnotes-app-web
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
98fc870d761b50dadc00ebb4e41abba987bbcfb0
standardnotes-app-web/packages/web-server/config/application.rb

72 lines
2.7 KiB
Ruby
Raw Blame History

require_relative 'boot'
require "active_model/railtie"
require "action_controller/railtie"
require "action_mailer/railtie"
require "action_view/railtie"
require "active_job/railtie" # Only for Rails >= 4.2
require "action_cable/engine" # Only for Rails >= 5.0
require "sprockets/railtie"
require "rails/test_unit/railtie"
# Require the gems listed in Gemfile, including any gems
# you've limited to :test, :development, or :production.
Bundler.require(*Rails.groups)
module Web
class Application < Rails::Application
# Cross-Origin Resource Sharing (CORS) for Rack compatible web applications.
config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '*', :headers => :any, :methods => [:get, :post, :put, :patch, :delete, :options], :expose => ['Access-Token', 'Client', 'UID']
end
end
SecureHeaders::Configuration.default do |config|
# Handled by server
config.x_frame_options = SecureHeaders::OPT_OUT
config.x_content_type_options = SecureHeaders::OPT_OUT
config.x_xss_protection = SecureHeaders::OPT_OUT
config.hsts = SecureHeaders::OPT_OUT
config.csp = {
# "meta" values. these will shape the header, but the values are not included in the header.
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
# directive values: these values will directly translate into source directives
default_src: %w(https: 'self'),
base_uri: %w('self'),
block_all_mixed_content: false, # see http://www.w3.org/TR/mixed-content/
child_src: ["*", "blob:"],
frame_src: ["*", "blob:"],
connect_src: ["*", 'data:'],
font_src: ['*', "'self'", 'data:'],
form_action: %w('self'),
frame_ancestors: ["*", "*.standardnotes.com", "*.standardnotes.org"],
img_src: ["'self'", '* data:', 'blob:'],
manifest_src: %w('self'),
media_src: %w('self' blob: *.standardnotes.com),
object_src: %w('self' blob: *.standardnotes.com),
plugin_types: %w(),
script_src: %w('self' 'unsafe-inline' 'unsafe-eval'),
style_src: %w(* 'unsafe-inline'),
upgrade_insecure_requests: false, # see https://www.w3.org/TR/upgrade-insecure-requests/
}
end
config.middleware.insert_before(Rack::Sendfile, Rack::Deflater)
# Disable auto creation of additional resources with "rails generate"
config.generators do |g|
g.test_framework false
g.view_specs false
g.helper_specs false
g.stylesheets = false
g.javascripts = false
g.helper = false
end
config.action_mailer.default_url_options = { host: ENV['APP_HOST'] }
end
end
Reference in New Issue View Git Blame Copy Permalink