source link: https://github.com/rails/rails/pull/41769

Change default X-XSS-Protection header to '0' #41769

Conversation

csutter (Contributor) commented on Mar 26 (edited)

Summary

This header has been deprecated and the XSS auditor it triggered has been removed from all major modern browsers (in favour of Content Security Policy) that implemented this header to begin with (Firefox never did).

OWASP suggests setting this header to '0' to disable the default behaviour on old browsers, as it can introduce additional security issues.

Added the new behaviour as a framework default from Rails 7.0.

Some other resources discussing this header and why it should be set to '0':

rafaelfranca (Member) commented on Mar 26

👍🏽 this makes sense for all new apps, but existing apps should decide if they want to change the value or not. So I think we should introduce the new value behind a configuration flag that is default in Rails 7.0, but for any other Rails version we keep the behavior and ask people to change the config to match Rails 7.0 in the new_frameworks_default file. Can you change your PR to reflect that plan?

csutter (Contributor, Author) commented on Mar 29

@rafaelfranca Thanks for the feedback! I've updated the change to be a defaults change instead, starting at 7.0.

I've considered having a specific configuration flag for this change, but that felt a bit strange – we'd have to start merging things into the default default_headers hash, and if users set their own hash we wouldn't want to override it. So I've made it set a new default for the whole hash.

This way we could maybe also add some additional headers/change existing headers for Rails 7.0 to reflect current best practice, and do it all in one go?

rails-bot (bot) commented on Jun 27

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.

zzak (Member) commented on Jun 29

@csutter Could you rebase please?

Also, copying the important part from that page since the link doesn't go directly to it for those curious:

X-XSS-Protection: Deprecated.

Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.
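The two points the thread turns on are what a given `X-XSS-Protection` value means to a legacy browser (the OWASP guidance quoted above: only `0` switches the auditor off) and, from csutter's earlier comment, that a framework default must not clobber headers an application has set itself. The Ruby below is an added illustration, not code from the rails/rails PR or from Rails itself: the function names, the extra header values in the sample hashes, and the reverse-merge semantics (response-set headers win over defaults) are assumptions made for the example.

```ruby
# Added example; not code from the rails/rails PR. Plain Ruby, no Rails dependency.

# Classify what a response's X-XSS-Protection header asks a legacy browser to do.
# Header lookup is case-insensitive, as HTTP header names are.
def xss_protection_mode(headers)
  pair = headers.find { |name, _| name.casecmp?("X-XSS-Protection") }
  return :browser_default if pair.nil?          # absent: browser applies its own default

  case pair.last.strip
  when "0" then :auditor_disabled               # the value OWASP recommends
  when /\A1\s*;\s*mode=block\z/i then :auditor_block   # legacy "block the page" mode
  when /\A1(\s*;.*)?\z/ then :auditor_filter    # legacy "filter the page" mode
  else :unrecognised
  end
end

# Two framework-style default hashes. Only the X-XSS-Protection value is taken
# from the PR; the other two entries are assumed for illustration.
DEFAULT_HEADERS_PRE_7 = {
  "X-Frame-Options" => "SAMEORIGIN",
  "X-XSS-Protection" => "1; mode=block",
  "X-Content-Type-Options" => "nosniff"
}.freeze

DEFAULT_HEADERS_7_0 = DEFAULT_HEADERS_PRE_7.merge("X-XSS-Protection" => "0").freeze

# Apply framework defaults to a response without overriding anything the
# application already set (assumed reverse-merge semantics, case-insensitive).
def apply_default_headers(response_headers, defaults = DEFAULT_HEADERS_7_0)
  present = response_headers.keys.map(&:downcase)
  missing = defaults.reject { |name, _| present.include?(name.downcase) }
  response_headers.merge(missing)
end

# Report headers that still enable the auditor after defaults are applied.
# Returns an empty array when the response is in the recommended state.
def xss_header_findings(response_headers, defaults = DEFAULT_HEADERS_7_0)
  mode = xss_protection_mode(apply_default_headers(response_headers, defaults))
  mode == :auditor_disabled ? [] : [mode]
end

if __FILE__ == $PROGRAM_NAME
  app_set = { "X-XSS-Protection" => "1" }       # constructed: app overrides the default
  p apply_default_headers(app_set)
  p xss_header_findings(app_set)                # => [:auditor_filter]
  p xss_header_findings({})                     # => []
end
```

Running the file shows that an application-set `1` survives the merge (the framework default does not override it) and is reported as a finding, while a response that relies on the 7.0-style defaults comes back clean.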

csutter (Contributor, Author) commented on Sep 14

@rafaelfranca @zzak I've given this another rebase - would love to see it make it into 7.0!

rafaelfranca merged commit 481343e into rails:main yesterday. 4 checks passed.
