From: Tom Hughes
Date: Tue, 22 Feb 2022 19:12:09 +0000 (+0000)
Subject: Switch to rails 7 default headers
X-Git-Tag: live~1225
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/5b3edb8075f3093d239b18b3a6f1ffa710cac006
Switch to rails 7 default headers
These are basically all the same as what secure_headers was already setting for us anyway.
---
diff --git a/config/initializers/new_framework_defaults_7_0.rb b/config/initializers/new_framework_defaults_7_0.rb
index 6196fd438..4e16b9d49 100644
--- a/config/initializers/new_framework_defaults_7_0.rb
+++ b/config/initializers/new_framework_defaults_7_0.rb
@@ -107,11 +107,11 @@ Rails.application.config.action_controller.wrap_parameters_by_default = true
 Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true
 # Change the default headers to disable browsers' flawed legacy XSS protection.
-# Rails.application.config.action_dispatch.default_headers = {
-# "X-Frame-Options" => "SAMEORIGIN",
-# "X-XSS-Protection" => "0",
-# "X-Content-Type-Options" => "nosniff",
-# "X-Download-Options" => "noopen",
-# "X-Permitted-Cross-Domain-Policies" => "none",
-# "Referrer-Policy" => "strict-origin-when-cross-origin"
-# }
+Rails.application.config.action_dispatch.default_headers = {
+ "X-Frame-Options" => "SAMEORIGIN",
+ "X-XSS-Protection" => "0",
+ "X-Content-Type-Options" => "nosniff",
+ "X-Download-Options" => "noopen",
+ "X-Permitted-Cross-Domain-Policies" => "none",
+ "Referrer-Policy" => "strict-origin-when-cross-origin"
+}
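Review bot: The new `default_headers` hash is applied by ActionDispatch::Response, so it reaches responses built by Rails controllers but not responses produced earlier in the Rack stack or static files the web server serves directly, and if the secure_headers middleware this commit says it replaces is still configured alongside it, both will write the same header names and whichever runs last wins — its initializer should be removed or reconciled in the same change (not visible from this hunk). Assigning the hash also replaces, rather than merges into, anything another initializer may have added to `default_headers` earlier in load order. Note that this list carries neither `Strict-Transport-Security` nor `Content-Security-Policy`, which secure_headers setups commonly emit, so "basically all the same" should be checked against the old config and those two carried via `config.force_ssl` and `content_security_policy` if they were relied on. A one-line comment would help the next reader: `# Replaces the secure_headers defaults; CSP and HSTS are configured separately.`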