Make cookies https-only if LOCAL_HTTPS is true, set X-Frame-Options to DENY,

add permissive CORS to API controllers
2016-11-02 12:57:14 +01:00
parent 0a6b5e2c17
commit 9467b900a2
3 changed files with 13 additions and 1 deletions
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.

-Rails.application.config.session_store :cookie_store, key: '_mastodon_session'
+Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (ENV['LOCAL_HTTPS'] == 'true')