Drop X-Download-Options from default headers

author Tom Hughes <tom@compton.nu>

Fri, 27 Oct 2023 16:26:25 +0000 (17:26 +0100)

committer Tom Hughes <tom@compton.nu>

Fri, 27 Oct 2023 16:26:25 +0000 (17:26 +0100)
author Tom Hughes <tom@compton.nu>
Fri, 27 Oct 2023 16:26:25 +0000 (17:26 +0100)
committer Tom Hughes <tom@compton.nu>
Fri, 27 Oct 2023 16:26:25 +0000 (17:26 +0100)
diff --git a/config/initializers/new_framework_defaults_7_1.rb b/config/initializers/new_framework_defaults_7_1.rb

index 700aefeda0b8d7d23a5ecdab8fb7770419742d43..56e99e6515723c5fc5ab00e297590363874c7ec6 100644 (file)
--- a/config/initializers/new_framework_defaults_7_1.rb
+++ b/config/initializers/new_framework_defaults_7_1.rb
@@ -17,13 +17,13 @@ Rails.application.config.add_autoload_paths_to_load_path = false
  
  # Remove the default X-Download-Options headers since it is used only by Internet Explorer.
  # If you need to support Internet Explorer, add back `"X-Download-Options" => "noopen"`.
-# Rails.application.config.action_dispatch.default_headers = {
-#   "X-Frame-Options" => "SAMEORIGIN",
-#   "X-XSS-Protection" => "0",
-#   "X-Content-Type-Options" => "nosniff",
-#   "X-Permitted-Cross-Domain-Policies" => "none",
-#   "Referrer-Policy" => "strict-origin-when-cross-origin"
-# }
+Rails.application.config.action_dispatch.default_headers = {
+  "X-Frame-Options" => "SAMEORIGIN",
+  "X-XSS-Protection" => "0",
+  "X-Content-Type-Options" => "nosniff",
+  "X-Permitted-Cross-Domain-Policies" => "none",
+  "Referrer-Policy" => "strict-origin-when-cross-origin"
+}
  
  # Do not treat an `ActionController::Parameters` instance
  # as equal to an equivalent `Hash` by default.
author	Tom Hughes <tom@compton.nu>
	Fri, 27 Oct 2023 16:26:25 +0000 (17:26 +0100)
committer	Tom Hughes <tom@compton.nu>
	Fri, 27 Oct 2023 16:26:25 +0000 (17:26 +0100)