Make cookies https-only if LOCAL_HTTPS is true, set X-Frame-Options to DENY,

add permissive CORS to API controllers
2016-11-02 12:57:14 +01:00
parent 0a6b5e2c17
commit 9467b900a2
3 changed files with 13 additions and 1 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -36,5 +36,9 @@ module Mastodon
    config.to_prepare do
      Doorkeeper::AuthorizationsController.layout 'auth'
    end
+
+    config.action_dispatch.default_headers = {
+      'X-Frame-Options' => 'DENY'
+    }
  end
 end
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.

-Rails.application.config.session_store :cookie_store, key: '_mastodon_session'
+Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (ENV['LOCAL_HTTPS'] == 'true')