HTTP headers protect against MIME-sniffing, force https if enabled.

Marin Jankovski
1 parent e2dbe0fa
Showing 2 changed files with 3 additions and 0 deletions Show diff stats
CHANGELOG
app/controllers/application_controller.rb
@@ -8,6 +8,7 @@ v 6.5.0
   - Add project visibility icons to dashboard
   - Enable secure cookies if https used
   - Protect users/confirmation with rack_attack
+  - Default HTTP headers to protect against MIME-sniffing, force https if enabled
  
 v6.4.3
   - Don't use unicorn worker killer if PhusionPassenger is defined
@@ -161,6 +161,8 @@ class ApplicationController &lt; ActionController::Base
     headers['X-Frame-Options'] = 'DENY'
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
+    headers['X-Content-Type-Options'] = 'nosniff'
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
   end
  
   def add_gon_variables
...	...	@@ -8,6 +8,7 @@ v 6.5.0
8	8	- Add project visibility icons to dashboard
9	9	- Enable secure cookies if https used
10	10	- Protect users/confirmation with rack_attack
	11	+ - Default HTTP headers to protect against MIME-sniffing, force https if enabled
11	12
12	13	v6.4.3
13	14	- Don't use unicorn worker killer if PhusionPassenger is defined
...	...
...	...	@@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base
161	161	headers['X-Frame-Options'] = 'DENY'
162	162	headers['X-XSS-Protection'] = '1; mode=block'
163	163	headers['X-UA-Compatible'] = 'IE=edge'
	164	+ headers['X-Content-Type-Options'] = 'nosniff'
	165	+ headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
164	166	end
165	167
166	168	def add_gon_variables
...	...