Security Tip #1

Security HTTP Headers

lightning talk at #parisrb by @DorianLupu

slides available online :

June 7th 2016


Protection against clickjacking by specifying which website can include your app in an iframe


* SAME-ORIGIN  (default value in Rails)




This turns on the Reflective XSS protection in browsers.


Reflective XSS is a string containing HTML/JavaScript that the user entered on one page and is repeated on the next page, for example after submitting a form.


  • 0 - Disable  
  • 1 - Enable (sanitize) 
  • 1; mode=block - Enables (block) (default Value in Rails)
  • 1; report= - Enable and Report



  • nosniff - prevent browsers from MIME-sniffing a response away from the declared content-type (default Value in Rails)


HTTP Strict Transport Security (HSTS) ensures the browser never visits the HTTP version of a website.


   Strict-Transport-Security: max-age=31536000


 This mitigates man-in-the-middle attacks where TLS can be stripped out.


Primarily, CSP is a set of rules to tell the browser to whitelist all asset sources that are alloswed.


 This will reduce the number of Cross-Site Scripting (XSS) vectors by, for example, allowing only scripts from your domain or disallowing inline scripts


More about that in the next  talk Security Tip #2

Useful links & tools

* - check your security headers

* twitter/secureheaders gem

* - website dedicated to RoR security

Questions ?

Thank you

talk at #parisrb by @DorianLupu

slides available online :

Security Tip #1 - Security Headers

By Dorian Lupu

Security Tip #1 - Security Headers

  • 1,835