HTTP headers protect against MIME-sniffing, force https if enabled.

author: Marin Jankovski <marin@gitlab.com> 2013-12-30 09:41:05 +0100
committer: Marin Jankovski <marin@gitlab.com> 2013-12-30 09:41:05 +0100
commit: 94c96cd4458b89e3280fec8cc8ed42a69e063191 (patch)
tree: 86a1b591298643343293c7a5b6761be2715058b4
parent: e2dbe0fad7f04826bde06ae9e8d16ca0bc8a2ce2 (diff)
download: gitlab-ce-94c96cd4458b89e3280fec8cc8ed42a69e063191.tar.gz
2 files changed, 3 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 01dbcc3c688..25f10c15f5f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ v 6.5.0
   - Add project visibility icons to dashboard
   - Enable secure cookies if https used
   - Protect users/confirmation with rack_attack
+  - Default HTTP headers to protect against MIME-sniffing, force https if enabled
 
 v6.4.3
   - Don't use unicorn worker killer if PhusionPassenger is defined
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0e714dbfcdf..cf14cd9a1df 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base
     headers['X-Frame-Options'] = 'DENY'
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
+    headers['X-Content-Type-Options'] = 'nosniff'
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https
   end
 
   def add_gon_variables
author	Marin Jankovski <marin@gitlab.com>	2013-12-30 09:41:05 +0100
committer	Marin Jankovski <marin@gitlab.com>	2013-12-30 09:41:05 +0100
commit	94c96cd4458b89e3280fec8cc8ed42a69e063191 (patch)
tree	86a1b591298643343293c7a5b6761be2715058b4
parent	e2dbe0fad7f04826bde06ae9e8d16ca0bc8a2ce2 (diff)
download	gitlab-ce-94c96cd4458b89e3280fec8cc8ed42a69e063191.tar.gz