Commit 85de55a120a615f8cf51a343a89789b802d776e2
1 parent
fac50387
Dont allow gitlab be loaded in iframe
Showing
1 changed file
with
5 additions
and
0 deletions
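--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -4,6 +4,7 @@ class ApplicationController < ActionController::Base
   before_filter :set_current_user_for_observers
   before_filter :add_abilities
   before_filter :dev_tools if Rails.env == 'development'
+  before_filter :default_headers
 
   protect_from_forgery
 
@@ -148,4 +149,8 @@ class ApplicationController < ActionController::Base
     Rack::MiniProfiler.authorize_request
   end
 
+  def default_headers
+    headers['X-Frame-Options'] = 'DENY'
+    headers['X-XSS-Protection'] = '1; mode=block'
+  end
 end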
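Review bot: `default_headers` is registered as the last `before_filter`, so any earlier filter that halts the chain by rendering or redirecting (for instance an authentication redirect to the sign-in page, if one is declared above the first hunk) produces a response that still lacks `X-Frame-Options`; registering it with `prepend_before_filter :default_headers`, or setting the headers once in `config.action_dispatch.default_headers` if this Rails version supports it, covers those responses as well. The new method is also public unless the surrounding lines of the second hunk are already under `private`, and a public method on a Rails controller is treated as an action; placing it below `private` avoids that. A short comment on the method would help the next reader, e.g. `# Defensive response headers: DENY forbids framing of any page (clickjacking); X-XSS-Protection enables the browser's reflective-XSS filter in blocking mode.` The class body, its other filters and the final `end` placement are mostly outside these two hunks.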