From d846fdad39ee0b4d43fc95d607deba7028ee2b5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Thu, 28 Mar 2024 22:00:46 +0100
Subject: [PATCH] Use the new default headers

The only change between these headers and the ones sent by Rails 6.1 application is that now the `X-XSS-Protection` header is set to zero.

As mentioned in the pull request introducing the change [1]:

> This header has been deprecated and the XSS auditor it triggered has
> been removed from all major modern browsers (in favour of Content
> Security Policy) that implemented this header to begin with (Firefox
> never did).

[1] Pull request 41769 in https://github.com/rails/rails
---
 .../initializers/new_framework_defaults_7_0.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/config/initializers/new_framework_defaults_7_0.rb b/config/initializers/new_framework_defaults_7_0.rb
index 55906df86..723b20904 100644
--- a/config/initializers/new_framework_defaults_7_0.rb
+++ b/config/initializers/new_framework_defaults_7_0.rb
@@ -83,14 +83,14 @@ Rails.application.config.action_controller.wrap_parameters_by_default = true
 Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true
 # Change the default headers to disable browsers' flawed legacy XSS protection.
-# Rails.application.config.action_dispatch.default_headers = {
-# "X-Frame-Options" => "SAMEORIGIN",
-# "X-XSS-Protection" => "0",
-# "X-Content-Type-Options" => "nosniff",
-# "X-Download-Options" => "noopen",
-# "X-Permitted-Cross-Domain-Policies" => "none",
-# "Referrer-Policy" => "strict-origin-when-cross-origin"
-# }
+Rails.application.config.action_dispatch.default_headers = {
+ "X-Frame-Options" => "SAMEORIGIN",
+ "X-XSS-Protection" => "0",
+ "X-Content-Type-Options" => "nosniff",
+ "X-Download-Options" => "noopen",
+ "X-Permitted-Cross-Domain-Policies" => "none",
+ "Referrer-Policy" => "strict-origin-when-cross-origin"
+}
 # ** Please read carefully, this must be configured in config/application.rb **
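Review bot: Assigning `action_dispatch.default_headers` explicitly replaces the framework's header hash wholesale, so from this hunk on the application owns the full set and will not pick up any header Rails later adds to its own defaults — the added lines are the Rails 7.0 template values uncommented verbatim, which is why the only visible delta from 6.1 is `X-XSS-Protection`. Since this lives in `new_framework_defaults_7_0.rb`, the usual path is to switch `config.load_defaults 7.0` in `config/application.rb` and delete this block rather than carry a copy; a comment above the hash such as `# Verbatim copy of the Rails 7.0 default_headers; remove once config.load_defaults 7.0 is set.` would record that intent. Setting `X-XSS-Protection` to `0` is correct for current browsers, but the commit's rationale leans on Content Security Policy and nothing in this hunk configures one, so confirm that `config/initializers/content_security_policy.rb` actually sets a policy if the legacy auditor was being counted on against reflected XSS.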