
Improve security: HSTS, Force SSL, CSP

2019-03-17 10:55:09 +01:00
parent 51f985830a
commit a5dc6c2532
8 changed files with 34 additions and 31 deletions


@@ -16,6 +16,10 @@ module Projekteuler
# -- all .rb files in that directory are automatically loaded after loading
# the framework and any gems in your application.
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'DENY'
}
# Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
# Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
# config.time_zone = 'Central Time (US & Canada)'
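Review bot: Assigning a fresh hash to `config.action_dispatch.default_headers` (the added `config.action_dispatch.default_headers = {` … `}` lines) replaces Rails' built-in default header set instead of extending it, so headers Rails would otherwise send on every response, such as `X-Content-Type-Options: nosniff`, are dropped along with the `SAMEORIGIN` value the commit intends to tighten. Merging keeps the defaults and overrides only the one value: `config.action_dispatch.default_headers.merge!('X-Frame-Options' => 'DENY')`. The enclosing application class continues outside the hunk, so this assumes nothing later re-assigns the headers; a request test asserting the other default headers are still present would confirm it.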


@@ -47,7 +47,7 @@ Rails.application.configure do
# config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true
config.force_ssl = true
# Use the lowest log level to ensure availability of diagnostic information
# when problems arise.
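Review bot: `config.force_ssl = true` enables HSTS with Rails' default policy, but the hunk leaves its parameters implicit, so the max-age, subdomain scope and preload flag this deployment commits to are not visible or reviewable here. Stating them next to the flag makes the commitment explicit, e.g. `config.ssl_options = { hsts: { expires: 1.year, subdomains: true } }`; `preload: true` should only be added once every subdomain is known to serve HTTPS, because a preload-list entry is slow to reverse. If a reverse proxy terminates TLS in front of the app it must forward `X-Forwarded-Proto`, otherwise the SSL middleware will redirect every request in a loop. The `Rails.application.configure` block continues outside the hunk.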


@@ -4,17 +4,18 @@
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# Rails.application.config.content_security_policy do |policy|
# policy.default_src :self, :https
# policy.font_src :self, :https, :data
# policy.img_src :self, :https, :data
# policy.object_src :none
# policy.script_src :self, :https
# policy.style_src :self, :https
Rails.application.config.content_security_policy do |policy|
policy.default_src :none
policy.font_src :self, 'https://cdnjs.cloudflare.com'
policy.img_src :self, 'https://cdnjs.cloudflare.com', 'https://projecteuler.net'
policy.object_src :none
policy.script_src :self, 'https://cdnjs.cloudflare.com'
policy.style_src :self, :unsafe_inline
policy.connect_src :self
# # Specify URI for violation reports
# # policy.report_uri "/csp-violation-report-endpoint"
# end
# Specify URI for violation reports
# policy.report_uri "/csp-violation-report-endpoint"
end
# If you are using UJS then enable automatic nonce generation
# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
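Review bot: The new policy sets `policy.default_src :none` but never sets `frame_ancestors`, `base_uri` or `form_action`, and `default-src` is not a fallback for those directives, so framing of the site, `<base>` injection and form submission to foreign origins stay unrestricted by the CSP. Adding `policy.frame_ancestors :none`, `policy.base_uri :self` and `policy.form_action :self` after `policy.connect_src :self` closes that gap and stops clickjacking protection depending solely on the X-Frame-Options header. `policy.style_src :self, :unsafe_inline` gives up CSP's protection against injected inline styles; the nonce generator left commented out on the last line of the hunk is the supported route if inline CSS is genuinely required. `report_uri` also stays commented out, so violations will go unobserved — a report-only rollout via `config.content_security_policy_report_only = true` would surface breakage before the policy is enforced.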