OSDN Git Service

HTTP headers protect against MIME-sniffing, force https if enabled.
author: Marin Jankovski <marin@gitlab.com>
Mon, 30 Dec 2013 08:41:05 +0000 (09:41 +0100)
committer: Marin Jankovski <marin@gitlab.com>
Mon, 30 Dec 2013 08:41:05 +0000 (09:41 +0100)
CHANGELOG
app/controllers/application_controller.rb

index 01dbcc3..25f10c1 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ v 6.5.0
   - Add project visibility icons to dashboard
   - Enable secure cookies if https used
   - Protect users/confirmation with rack_attack
+  - Default HTTP headers to protect against MIME-sniffing, force https if enabled
 
 v6.4.3
   - Don't use unicorn worker killer if PhusionPassenger is defined
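Review bot: the new CHANGELOG line under v 6.5.0 does not name the headers being introduced, and the Strict-Transport-Security one is the entry operators need to notice, since browsers cache it for the full max-age and it is applied to subdomains. Suggest spelling both out so the release note is actionable, e.g. `- Send X-Content-Type-Options: nosniff on every response, and Strict-Transport-Security (max-age 1 year, includeSubDomains) when HTTPS is enabled`.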
index 0e714db..cf14cd9 100644 (file)
@@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base
     headers['X-Frame-Options'] = 'DENY'
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
+    headers['X-Content-Type-Options'] = 'nosniff'
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
   end
 
   def add_gon_variables
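Review bot: the Strict-Transport-Security line hard-codes `includeSubDomains` with a one-year `max-age` and is gated only on the static `Gitlab.config.gitlab.https` setting, not on whether the current request actually arrived over TLS. Once a browser has seen this header it will refuse plain-HTTP connections to the GitLab host and every subdomain of it for a year, so an installation that still serves a non-TLS service on a sibling subdomain breaks for those users, and the only remedy is to serve `max-age=0` over HTTPS and wait for each browser to pick it up. Suggest making `includeSubDomains` a separate opt-in config key and guarding the header on `request.ssl?` as well, e.g. `headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https && request.ssl?`, with a note in the config template that `request.ssl?` relies on the reverse proxy forwarding `X-Forwarded-Proto` when TLS is terminated in front of the app. Also worth stating in the commit or docs that, because these headers are set in ApplicationController, responses that bypass it (static files served directly by the web server) will not carry `nosniff` or HSTS and need the same headers configured there. The unconditional `X-Content-Type-Options: nosniff` line itself is fine.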