HTTP headers protect against MIME-sniffing, force https if enabled.

94c96cd4 · Marin Jankovski · e2dbe0fa · 94c96cd4 · 94c96cd4
Commit 94c96cd4 authored Dec 30, 2013 by Marin Jankovski
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

CHANGELOG CHANGELOG +1 -0

app/controllers/application_controller.rb app/controllers/application_controller.rb +2 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ v 6.5.0
  - Add project visibility icons to dashboard
  - Enable secure cookies if https used
  - Protect users/confirmation with rack_attack
+  - Default HTTP headers to protect against MIME-sniffing, force https if enabled

 v6.4.3
  - Don't use unicorn worker killer if PhusionPassenger is defined

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base
    headers['X-Frame-Options'] = 'DENY'
    headers['X-XSS-Protection'] = '1; mode=block'
    headers['X-UA-Compatible'] = 'IE=edge'
+    headers['X-Content-Type-Options'] = 'nosniff'
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
  end

  def add_gon_variables