Adding X-Content-Type-Options: nosniff to the response headers

Rails edge sets this header by default (it can be configured via config.action_dispatch.default_headers), but the stable release (3.2.8) does not include it yet, so this is a stopgap. https://github.com/rails/rails/pull/7390

Since there is no way to set default headers from config, the only option is to do it in an ApplicationController filter? Ugly...

application_controller.rb
class ApplicationController < ActionController::Base
  # Rails 3.x API; in Rails 5 and later this is after_action
  after_filter :set_default_headers

  # Same defaults that Rails edge applies via config.action_dispatch.default_headers
  DEFAULT_HEADERS = {
      'X-Frame-Options' => 'SAMEORIGIN',          # only same-origin pages may frame this response (clickjacking)
      'X-XSS-Protection' => '1; mode=block',      # legacy browser XSS filter, block mode
      'X-Content-Type-Options' => 'nosniff'       # stop browsers from MIME-sniffing away from Content-Type
  }.freeze

  private

  # Runs after every action and writes the defaults into the response.
  # Note that this overwrites any value the action itself may have set.
  def set_default_headers
    DEFAULT_HEADERS.each_pair do |key, val|
      response.headers[key] = val
    end
  end
end
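The filter above writes the headers unconditionally, so an action that deliberately sets a stricter value (for example X-Frame-Options: DENY) gets it replaced. As an added example that is not part of the original post, here is the same set of defaults applied as a Rack-style middleware instead of a controller filter: it fills in only the headers the app left unset, and includes a small check that reports which defaults a response is missing. It assumes only the Rack call(env) contract and runs without Rails or the rack gem; the sample apps and the class name DefaultSecurityHeaders are constructed for the example.

```ruby
# Added example (not from the original post): Rack-style middleware that applies
# the same default security headers on Rails versions without
# config.action_dispatch.default_headers. Only the Rack call(env) contract is assumed.

DEFAULT_HEADERS = {
  'X-Frame-Options' => 'SAMEORIGIN',
  'X-XSS-Protection' => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff'
}.freeze

class DefaultSecurityHeaders
  def initialize(app, headers = DEFAULT_HEADERS)
    @app = app
    @headers = headers
  end

  def call(env)
    status, headers, body = @app.call(env)
    @headers.each_pair do |key, val|
      # Do not overwrite a header the action set on purpose (e.g. X-Frame-Options: DENY).
      # Header names are compared case-insensitively, as HTTP requires.
      already_set = headers.keys.any? { |k| k.casecmp?(key) }
      headers[key] = val unless already_set
    end
    [status, headers, body]
  end
end

# Returns the names of the expected headers that are absent or carry a different value.
# An empty array means the response has every default in place.
def missing_security_headers(headers, expected = DEFAULT_HEADERS)
  expected.reject { |key, val| headers[key] == val }.keys
end

# Constructed sample apps standing in for a Rails application.
PLAIN_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }
STRICT_APP = ->(_env) do
  [200, { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'DENY' }, ['']]
end

# Helper: run an app through the middleware and return the resulting headers.
def headers_for(app, env = {})
  _status, headers, _body = DefaultSecurityHeaders.new(app).call(env)
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "plain app:  #{headers_for(PLAIN_APP).inspect}"
  puts "strict app: #{headers_for(STRICT_APP).inspect}"
  puts "missing before middleware: #{missing_security_headers('Content-Type' => 'text/html').inspect}"
end
```

In a Rails 3.2 app this would be registered with config.middleware.use in config/application.rb; the difference from the after_filter approach is that per-action overrides survive, because the middleware treats DEFAULT_HEADERS as a floor rather than a fixed value.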