Merge pull request #58 from elijh/bugfix/security

fix misc security related bugs
author: jessib <jessib@riseup.net> 2013-07-15 10:33:13 -0700
committer: jessib <jessib@riseup.net> 2013-07-15 10:33:13 -0700
commit: bf5922d26e27ee9695b07eade42d36a34b63fc4e (patch)
tree: 1bba41b4d5b4ba59966012f9171c01817a332bc0 /app/controllers/application_controller.rb
parent: cc32ad53286c2c03c88cb55713565c2930796024 (diff)
parent: 673c1af5e90a925e00fe6ad7847583a1ddd53ad0 (diff)
1 files changed, 18 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 62d9df2..9734a33 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,5 +1,7 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
+  before_filter :no_cache_header
+  before_filter :no_frame_header
 
   ActiveSupport.run_load_hooks(:application_controller, self)
 
@@ -15,4 +17,20 @@ class ApplicationController < ActionController::Base
   end
   helper_method :bold
 
+  #
+  # we want to prevent the browser from caching anything, just to be safe.
+  #
+  def no_cache_header
+    response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+    response.headers["Pragma"] = "no-cache"
+    response.headers["Expires"] = "0"
+  end
+
+  #
+  # prevent app from being embedded in an iframe, for browsers that support x-frame-options.
+  #
+  def no_frame_header
+    response.headers["X-Frame-Options"] = "DENY"
+  end
+
 end
author	jessib <jessib@riseup.net>	2013-07-15 10:33:13 -0700
committer	jessib <jessib@riseup.net>	2013-07-15 10:33:13 -0700
commit	bf5922d26e27ee9695b07eade42d36a34b63fc4e (patch)
tree	1bba41b4d5b4ba59966012f9171c01817a332bc0 /app/controllers/application_controller.rb
parent	cc32ad53286c2c03c88cb55713565c2930796024 (diff)
parent	673c1af5e90a925e00fe6ad7847583a1ddd53ad0 (diff)