update local modifications for cors and cp

author: beatrix-bitrot <beatrix.bitrot@gmail.com> 2017-05-14 20:56:30 +0000
committer: beatrix-bitrot <beatrix.bitrot@gmail.com> 2017-06-23 21:45:14 +0000
commit: 9bc593d6753922d995867b632477d4d3b9e86e20 (patch)
tree: 55bbe055b7831d06aa62080bf6ede001119db0d1 /config/environments
parent: 09f7ad361467d93c2f23aa0c18797f9451fa2dae (diff)
1 files changed, 7 insertions, 4 deletions
diff --git a/config/environments/production.rb b/config/environments/production.rb
index bd87d79a7..68229531d 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -93,9 +93,12 @@ Rails.application.configure do
   end
 
   config.action_dispatch.default_headers = {
-    'Server'                 => 'Mastodon',
-    'X-Frame-Options'        => 'DENY',
-    'X-Content-Type-Options' => 'nosniff',
-    'X-XSS-Protection'       => '1; mode=block',
+    'Server'                  => 'Mastodon',
+    'X-Frame-Options'         => 'DENY',
+    'X-Content-Type-Options'  => 'nosniff',
+    'X-XSS-Protection'        => '1; mode=block',
+    'Content-Security-Policy' => "frame-ancestors 'none'; object-src 'none'; script-src 'self' https://dev-static.glitch.social 'unsafe-inline'; base-uri 'none';" , 
+    'Referrer-Policy'         => 'no-referrer, strict-origin-when-cross-origin',
+    'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload'
   }
 end
author	beatrix-bitrot <beatrix.bitrot@gmail.com>	2017-05-14 20:56:30 +0000
committer	beatrix-bitrot <beatrix.bitrot@gmail.com>	2017-06-23 21:45:14 +0000
commit	9bc593d6753922d995867b632477d4d3b9e86e20 (patch)
tree	55bbe055b7831d06aa62080bf6ede001119db0d1 /config/environments
parent	09f7ad361467d93c2f23aa0c18797f9451fa2dae (diff)