README.md: 6 additions & 4 deletions
@@ -15,7 +15,7 @@ The gem will automatically apply several headers that are related to security.
15
15
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
16
16
- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
17
17
18
-
It can also mark all http cookies with the secure attribute (when configured to do so).
18
+
It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
19
19
20
20
`secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
21
21
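Review bot: the replaced line 18 names the attributes but gives the reader no pointer to where they are configured; every header in the list above carries a link, so this sentence should link to the cookie configuration section in the same way (the `#### SameSite cookie configuration` heading this patch renames further down). Two smaller points on the same line: `http cookies` should read `HTTP cookies`, and since this patch itself shows that SameSite is not an on/off flag but a choice between `Strict` and `Lax` enforcement, `with the Secure, HttpOnly and SameSite (Strict or Lax) attributes` would set expectations correctly before the reader reaches the configuration section.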
@@ -296,17 +296,19 @@ config.cookies = {
296
296
}
297
297
```
298
298
299
-
#### SameSite cookies
299
+
#### SameSite cookie configuration
300
300
301
301
SameSite cookies permit either `Strict` or `Lax` enforcement mode options.
302
302
303
303
```ruby
304
304
config.cookies = {
305
-
samesite:true# mark all cookies as SameSite (user agents default this to `Strict` enforcement mode)
305
+
samesite: {
306
+
strict:true# mark all cookies as SameSite=Strict
307
+
}
306
308
}
307
309
```
308
310
309
-
`Strict` and `Lax` enforcement can also be specified using a Hash.
311
+
`Strict` and `Lax` enforcement modes can also be specified using a Hash.
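Review bot: with the example above now already written as a Hash (`samesite: { strict: true }`), the replaced line 311 "`Strict` and `Lax` enforcement modes can also be specified using a Hash" no longer introduces anything and reads as a contradiction; either reword it to say what the Hash form adds beyond the example (a `lax:` key, or choosing the mode per cookie) or drop the sentence. The removed line 305 documented the `samesite: true` shorthand and the user-agent default; if the boolean form is still accepted, keep one line showing it, and if it was removed, say so here so existing configurations do not break silently. Line 301 still only states that `Strict` and `Lax` exist; now that the heading promises configuration guidance, one sentence on the trade-off belongs here: `Strict` withholds the cookie on every cross-site request including top-level navigations, so a link followed from another site lands the user without a session, whereas `Lax` still sends it on safe top-level navigations.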