Commit 94c96cd4458b89e3280fec8cc8ed42a69e063191
1 parent
e2dbe0fa
Exists in
spb-stable
and in
3 other branches
HTTP headers protect against MIME-sniffing, force https if enabled.
Showing
2 changed files
with
3 additions
and
0 deletions
Show diff stats
CHANGELOG
| @@ -8,6 +8,7 @@ v 6.5.0 | @@ -8,6 +8,7 @@ v 6.5.0 | ||
| 8 | - Add project visibility icons to dashboard | 8 | - Add project visibility icons to dashboard |
| 9 | - Enable secure cookies if https used | 9 | - Enable secure cookies if https used |
| 10 | - Protect users/confirmation with rack_attack | 10 | - Protect users/confirmation with rack_attack |
| 11 | + - Default HTTP headers to protect against MIME-sniffing, force https if enabled | ||
| 11 | 12 | ||
| 12 | v6.4.3 | 13 | v6.4.3 |
| 13 | - Don't use unicorn worker killer if PhusionPassenger is defined | 14 | - Don't use unicorn worker killer if PhusionPassenger is defined |
app/controllers/application_controller.rb
| @@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base | @@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base | ||
| 161 | headers['X-Frame-Options'] = 'DENY' | 161 | headers['X-Frame-Options'] = 'DENY' |
| 162 | headers['X-XSS-Protection'] = '1; mode=block' | 162 | headers['X-XSS-Protection'] = '1; mode=block' |
| 163 | headers['X-UA-Compatible'] = 'IE=edge' | 163 | headers['X-UA-Compatible'] = 'IE=edge' |
| 164 | + headers['X-Content-Type-Options'] = 'nosniff' | ||
| 165 | + headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https | ||
| 164 | end | 166 | end |
| 165 | 167 | ||
| 166 | def add_gon_variables | 168 | def add_gon_variables |