```ruby
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'SAMEORIGIN',
  'X-XSS-Protection' => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff',
  'X-Download-Options' => 'noopen',
  'X-Permitted-Cross-Domain-Policies' => 'none',
  'Referrer-Policy' => 'strict-origin-when-cross-origin'
}
```
You can configure the default headers in config/application.rb.
```ruby
config.action_dispatch.default_headers = {
  'Header-Name' => 'Header-Value',
  'X-Frame-Options' => 'DENY'
}
```
Or you can remove them.
```ruby
config.action_dispatch.default_headers.clear
```
Here is a list of common headers:
X-Frame-Options: *SAMEORIGIN in Rails by default* - allows framing only from the same origin. Set it to 'DENY' to forbid framing entirely, or remove the header completely if you want to allow framing from all websites.
X-XSS-Protection: *1; mode=block in Rails by default* - uses the browser's XSS Auditor and blocks the page if an XSS attack is detected. Set it to '0;' if you want to switch the XSS Auditor off (useful if the response legitimately contains scripts built from request parameters).
X-Content-Type-Options: *nosniff in Rails by default* - stops the browser from guessing (sniffing) the MIME type of a file.

Due to time constraints, I can't show how each of these headers works; explaining a single header could take 15 minutes of video on its own. Do some research and read about these headers and how they work, similar to what we did for the CSRF countermeasures in Rails, where we took a deep dive into how the fix is implemented. I can only point these things out; it is up to you to dig deeper and read up on them. I'll leave some links to useful resources where you can learn more about these headers.
X-Content-Security-Policy: a powerful mechanism for controlling which sites certain content types can be loaded from.
Access-Control-Allow-Origin: used to control which sites are allowed to bypass the same-origin policy and send cross-origin requests.
Strict-Transport-Security: used to instruct the browser to access the site only over a secure (HTTPS) connection.
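As an added example (not code from the original post or from Rails itself), here is a plain-Ruby model of how `config.action_dispatch.default_headers` is layered under a response's own headers, together with a small audit over the headers listed above. It assumes that a header set explicitly on the response wins over the default, and that `apply_default_headers`, `audit_headers` and the `ACCEPTED_VALUES` table are hypothetical names for this illustration.

```ruby
# Added example, not Rails' own code: models how default_headers are applied
# and audits a response against the headers discussed above.
RAILS_DEFAULT_HEADERS = {
  'X-Frame-Options' => 'SAMEORIGIN',
  'X-XSS-Protection' => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff',
  'X-Download-Options' => 'noopen',
  'X-Permitted-Cross-Domain-Policies' => 'none',
  'Referrer-Policy' => 'strict-origin-when-cross-origin'
}.freeze

# Assumption: defaults fill in headers the response did not set; a header the
# controller set explicitly (e.g. X-Frame-Options: DENY) is kept as is.
def apply_default_headers(response_headers, defaults = RAILS_DEFAULT_HEADERS)
  defaults.merge(response_headers)
end

# Accepted values for the headers covered in the text (hypothetical table).
# Strings must match exactly; the regex accepts any max-age for HSTS.
ACCEPTED_VALUES = {
  'X-Frame-Options' => %w[DENY SAMEORIGIN],
  'X-Content-Type-Options' => %w[nosniff],
  'X-XSS-Protection' => ['1; mode=block', '0', '0;'],
  'Strict-Transport-Security' => [/\Amax-age=\d+/]
}.freeze

# Returns findings as strings; an empty array means every checked header passes.
# HSTS is only demanded when require_hsts is true (it is meaningful over HTTPS).
def audit_headers(headers, require_hsts: false)
  ACCEPTED_VALUES.each_with_object([]) do |(name, accepted), findings|
    value = headers[name]
    if value.nil?
      next if name == 'Strict-Transport-Security' && !require_hsts
      findings << "#{name} missing"
    elsif accepted.none? { |ok| ok === value }
      findings << "#{name} has unexpected value #{value.inspect}"
    end
  end
end

# Constructed sample responses: one with the defaults applied, one after
# config.action_dispatch.default_headers.clear left nothing to merge in.
if __FILE__ == $PROGRAM_NAME
  with_defaults = apply_default_headers({ 'Content-Type' => 'text/html' })
  p audit_headers(with_defaults)            # => []
  cleared = apply_default_headers({ 'Content-Type' => 'text/html' }, {})
  p audit_headers(cleared)                  # => three "missing" findings
end
```

Running the audit against a response captured from a staging server (for example via `curl -I`) shows which of the defaults an explicit `clear` or a per-controller override has removed.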
I'll add some websites to the resources section where you can find blog posts that explain how to secure your application's response headers and mitigate some security vulnerabilities through the headers themselves.