I am trying to set the 'x-frame-options' header on responses returned by a Rails application. It seems the header is not set on 404 or 500 type responses. How can I configure Rails to always include the header?
It appears I somehow need to hook into Rails to ensure these headers are set.
I am having success using the below middleware with 'exceptions_app'.
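    class XSecurityHandler
      def initialize(app)
        @app = app
      end

      def call(env)
        # Discard the wrapped app's status; it is recomputed from the path below.
        _status, headers, response = @app.call(env)
        headers['x-frame-options'] = "SAMEORIGIN"
        headers['x-content-type-options'] = "nosniff"
        [status(env), headers, response]
      end

      private

      # Map the error path to its HTTP status.
      def status(env)
        # Rack env keys are case-sensitive; Rails sets this one in upper case.
        path = env["ORIGINAL_FULLPATH"]
        if path == "/404"
          404
        elsif path == "/422"
          422
        else
          500
        end
      end
    end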
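A check for the gap described in this post, as an added example that is not part of the original post: it probes a normal path and two error paths and reports which headers are missing. It uses plain Rack-style lambdas with no Rails or rack gem; `SecurityHeaders`, `RescueWithExceptionsApp`, the sample apps and the paths are hypothetical, and the rescue class is a simplified stand-in for how Rails hands failed requests to `exceptions_app`.

```ruby
SECURITY_HEADERS = {
  "x-frame-options" => "SAMEORIGIN",
  "x-content-type-options" => "nosniff"
}.freeze

# Hypothetical middleware: adds the headers and leaves the status untouched.
class SecurityHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(SECURITY_HEADERS), body]
  end
end

# Simplified stand-in (assumption): when the app raises, the request goes to
# exceptions_app with PATH_INFO rewritten to "/<status>", bypassing inner middleware.
class RescueWithExceptionsApp
  def initialize(app, exceptions_app)
    @app = app
    @exceptions_app = exceptions_app
  end

  def call(env)
    @app.call(env)
  rescue KeyError # constructed mapping: unknown route => 404
    @exceptions_app.call(env.merge("PATH_INFO" => "/404"))
  rescue StandardError
    @exceptions_app.call(env.merge("PATH_INFO" => "/500"))
  end
end

# Constructed sample apps: one route, one path that raises, plain error pages.
ROUTES = { "/" => "home" }.freeze
MAIN_APP = lambda do |env|
  raise "boom" if env["PATH_INFO"] == "/boom"
  [200, { "content-type" => "text/plain" }, [ROUTES.fetch(env["PATH_INFO"])]]
end
ERROR_PAGES = lambda do |env|
  code = env["PATH_INFO"].delete_prefix("/").to_i
  [code, { "content-type" => "text/plain" }, ["error #{code}"]]
end

# Returns, per probed path, the security headers absent from the response.
def missing_headers(stack, paths = ["/", "/nope", "/boom"])
  paths.to_h do |path|
    _status, headers, _body = stack.call("PATH_INFO" => path)
    [path, SECURITY_HEADERS.keys - headers.keys]
  end
end

UNCOVERED = RescueWithExceptionsApp.new(SecurityHeaders.new(MAIN_APP), ERROR_PAGES)
COVERED = RescueWithExceptionsApp.new(SecurityHeaders.new(MAIN_APP), SecurityHeaders.new(ERROR_PAGES))
```

`missing_headers(UNCOVERED)` lists both headers for the two error paths, while `missing_headers(COVERED)` is empty for every path and the 404 and 500 statuses pass through unchanged.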