diff options
author | jessib <jessib@riseup.net> | 2013-07-15 10:33:13 -0700 |
---|---|---|
committer | jessib <jessib@riseup.net> | 2013-07-15 10:33:13 -0700 |
commit | bf5922d26e27ee9695b07eade42d36a34b63fc4e (patch) | |
tree | 1bba41b4d5b4ba59966012f9171c01817a332bc0 /app | |
parent | cc32ad53286c2c03c88cb55713565c2930796024 (diff) | |
parent | 673c1af5e90a925e00fe6ad7847583a1ddd53ad0 (diff) |
Merge pull request #58 from elijh/bugfix/security
fix misc security related bugs
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/application_controller.rb | 18 | ||||
-rw-r--r-- | app/views/layouts/_navigation.html.haml | 2 |
2 files changed, 19 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 62d9df2..9734a33 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,5 +1,7 @@ class ApplicationController < ActionController::Base protect_from_forgery + before_filter :no_cache_header + before_filter :no_frame_header ActiveSupport.run_load_hooks(:application_controller, self) @@ -15,4 +17,20 @@ class ApplicationController < ActionController::Base end helper_method :bold + # + # we want to prevent the browser from caching anything, just to be safe. + # + def no_cache_header + response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate" + response.headers["Pragma"] = "no-cache" + response.headers["Expires"] = "0" + end + + # + # prevent app from being embedded in an iframe, for browsers that support x-frame-options. + # + def no_frame_header + response.headers["X-Frame-Options"] = "DENY" + end + end diff --git a/app/views/layouts/_navigation.html.haml b/app/views/layouts/_navigation.html.haml index b42c1fe..2f79a22 100644 --- a/app/views/layouts/_navigation.html.haml +++ b/app/views/layouts/_navigation.html.haml @@ -2,5 +2,5 @@ = link_to_navigation t(:overview), user_overview_path(@user), :active => controller?(:overviews) = link_to_navigation t(:account_settings), edit_user_path(@user), :active => controller?(:users) = link_to_navigation t(:email_settings), edit_user_email_settings_path(@user), :active => controller?(:email_settings) - = link_to_navigation t(:support_tickets), auto_tickets_path(@user), :active => controller?(:tickets) + = link_to_navigation t(:support_tickets), auto_tickets_path, :active => controller?(:tickets) = link_to_navigation t(:logout), logout_path, :method => :delete |