
Commit de2e8c0

add X-Download-Options documentation to README
1 parent f373969 commit de2e8c0

1 file changed, +6 -0 lines changed

README.md

Lines changed: 6 additions & 0 deletions
@@ -6,6 +6,7 @@ The gem will automatically apply several headers that are related to security.
66
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
77
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
88
- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
9+
- X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
910
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
1011

1112
This gem has integration with Rails, but works for any Ruby code. See the sinatra example section.
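Review bot: the new bullet's URL leaves its parentheses unescaped (`jj542450(v=vs.85).aspx`) while the two bullets above escape them (`\(v=vs.85\)`); Markdown link parsing may end the destination at the first `)` and produce a broken link. Escape it the same way: `[Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450\(v=vs.85\).aspx)`. The link text could also say what the header actually does for the reader: it tells Internet Explorer not to offer "Open" for downloads served by this origin, so a downloaded file cannot be rendered in the site's security context without first being saved.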
@@ -49,6 +50,7 @@ The following methods are going to be called, unless they are provided in a `ski
4950
* `:set_x_frame_options_header`
5051
* `:set_x_xss_protection_header`
5152
* `:set_x_content_type_options_header`
53+
* `:set_x_download_options_header`
5254
* `:set_x_permitted_cross_domain_policies_header`
5355

5456
### Bonus Features
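Review bot: `:set_x_download_options_header` is added to the list of before-filters that may be passed via `skip`, but this commit touches only README.md; confirm that the gem defines a filter method with exactly this name, because a `skip` entry that matches no real filter will not disable the header. The method list in the README has to be kept in sync with the code every time a header is added, which is easy to miss.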
@@ -67,6 +69,7 @@ This gem makes a few assumptions about how you will use some features. For exam
6769
config.x_frame_options = 'DENY'
6870
config.x_content_type_options = "nosniff"
6971
config.x_xss_protection = {:value => 1, :mode => 'block'}
72+
config.x_download_options = 'noopen'
7073
config.x_permitted_cross_domain_policies = 'none'
7174
config.csp = {
7275
:default_src => "https: self",
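Review bot: `config.x_download_options = 'noopen'` is inserted without a comment on what happens when the key is omitted or how to switch the header off, whereas the x_xss_protection entry in this README annotates its `:mode => false` option inline. A short trailing comment (for example that `noopen` is the only value Internet Explorer defines and that other browsers ignore the header) would let readers decide whether they need the line at all. Minor style point: the block mixes `'DENY'` and `"nosniff"` quoting; the new line follows the single-quote style, which is fine, but `"nosniff"` could be harmonised at the same time.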
@@ -109,6 +112,7 @@ This configuration will likely work for most applications without modification.
109112
:x_frame_options => {:value => 'SAMEORIGIN'}
110113
:x_xss_protection => {:value => 1, :mode => 'block'} # set the :mode option to false to use "warning only" mode
111114
:x_content_type_options => {:value => 'nosniff'}
115+
:x_download_options => {:value => 'noopen'}
112116
:x_permitted_cross_domain_policies => {:value => 'none'}
113117
```
114118

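Review bot: `:x_download_options => {:value => 'noopen'}` matches the hash shape of its neighbours, so the syntax is fine; since this block is introduced as the configuration that "will likely work for most applications without modification", it is worth stating, in the same inline-comment style as the x_xss_protection line, that the header only affects Internet Explorer (8 and later) and only changes the download prompt (save instead of open), so enabling it by default carries no compatibility risk for other browsers.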
@@ -339,6 +343,7 @@ require 'secure_headers'
339343
config.x_frame_options = 'DENY'
340344
config.x_content_type_options = "nosniff"
341345
config.x_xss_protection = {:value => 1, :mode => false}
346+
config.x_download_options = 'noopen'
342347
config.x_permitted_cross_domain_policies = 'none'
343348
config.csp = {
344349
:default_src => "https: inline eval",
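Review bot: the x_xss_protection line directly above the inserted `config.x_download_options` uses `:value => 1`, while the equivalent example in this README that begins `def before_load` uses `:value => '1'`; neither is introduced by this change, but since both blocks are being edited anyway, this is a convenient moment to align them so readers are not left wondering whether the integer/string distinction matters.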
@@ -395,6 +400,7 @@ def before_load
395400
config.x_frame_options = 'DENY'
396401
config.x_content_type_options = "nosniff"
397402
config.x_xss_protection = {:value => '1', :mode => false}
403+
config.x_download_options = 'noopen'
398404
config.x_permitted_cross_domain_policies = 'none'
399405
config.csp = {
400406
:default_src => "https: inline eval",
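Review bot: with this hunk the identical `config.x_download_options = 'noopen'` line now appears in four separate example blocks of the README, so every future header will have to be added to all of them, and the visible context already shows the examples drifting apart (`:value => 1` versus `:value => '1'` for x_xss_protection). Consider documenting the full option set once in a canonical configuration block and having the other examples point to it, so that adding a header is a one-place change.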
