Use the new default headers

The only change between these headers and the ones sent by Rails 6.1 application is that now the `X-XSS-Protection` header is set to zero. As mentioned in the pull request introducing the change [1]: > This header has been deprecated and the XSS auditor it triggered has > been removed from all major modern browsers (in favour of Content > Security Policy) that implemented this header to begin with (Firefox > never did). [1] Pull request 41769 in https://github.com/rails/rails
2024-03-28 22:00:46 +01:00
parent 47331061a8
commit d846fdad39
1 changed files with 8 additions and 8 deletions
--- a/config/initializers/new_framework_defaults_7_0.rb
+++ b/config/initializers/new_framework_defaults_7_0.rb
@@ -83,14 +83,14 @@ Rails.application.config.action_controller.wrap_parameters_by_default = true
 Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true

 # Change the default headers to disable browsers' flawed legacy XSS protection.
-# Rails.application.config.action_dispatch.default_headers = {
-#   "X-Frame-Options" => "SAMEORIGIN",
-#   "X-XSS-Protection" => "0",
-#   "X-Content-Type-Options" => "nosniff",
-#   "X-Download-Options" => "noopen",
-#   "X-Permitted-Cross-Domain-Policies" => "none",
-#   "Referrer-Policy" => "strict-origin-when-cross-origin"
-# }
+Rails.application.config.action_dispatch.default_headers = {
+  "X-Frame-Options" => "SAMEORIGIN",
+  "X-XSS-Protection" => "0",
+  "X-Content-Type-Options" => "nosniff",
+  "X-Download-Options" => "noopen",
+  "X-Permitted-Cross-Domain-Policies" => "none",
+  "Referrer-Policy" => "strict-origin-when-cross-origin"
+}


 # ** Please read carefully, this must be configured in config/application.rb **