From e7ee261680e42e99d7a5ee2e91987bf92d99b3a4 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Jul 2013 17:51:11 -0700 Subject: set no-cache headers in the response --- app/controllers/application_controller.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 62d9df2..65d4861 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,5 +1,6 @@ class ApplicationController < ActionController::Base protect_from_forgery + before_filter :no_cache_header ActiveSupport.run_load_hooks(:application_controller, self) @@ -15,4 +16,13 @@ class ApplicationController < ActionController::Base end helper_method :bold + # + # we want to prevent the browser from caching anything, just to be safe. + # + def no_cache_header + response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate" + response.headers["Pragma"] = "no-cache" + response.headers["Expires"] = "0" + end + end -- cgit v1.2.3 From 123babecf44ac0c075337d8d2108019c46b5c9a7 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Jul 2013 17:55:31 -0700 Subject: add header to prevent iframes --- app/controllers/application_controller.rb | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 65d4861..9734a33 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,6 +1,7 @@ class ApplicationController < ActionController::Base protect_from_forgery before_filter :no_cache_header + before_filter :no_frame_header ActiveSupport.run_load_hooks(:application_controller, self) @@ -25,4 +26,11 @@ class ApplicationController < ActionController::Base response.headers["Expires"] = "0" end + # + # prevent app from being embedded in an iframe, for browsers that support x-frame-options. + # + def no_frame_header + response.headers["X-Frame-Options"] = "DENY" + end + end -- cgit v1.2.3