diff options
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | app/controllers/application_controller.rb | 2 |
2 files changed, 3 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG index 01dbcc3c688..25f10c15f5f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -8,6 +8,7 @@ v 6.5.0 - Add project visibility icons to dashboard - Enable secure cookies if https used - Protect users/confirmation with rack_attack + - Default HTTP headers to protect against MIME-sniffing, force https if enabled v6.4.3 - Don't use unicorn worker killer if PhusionPassenger is defined diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 0e714dbfcdf..cf14cd9a1df 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -161,6 +161,8 @@ class ApplicationController < ActionController::Base headers['X-Frame-Options'] = 'DENY' headers['X-XSS-Protection'] = '1; mode=block' headers['X-UA-Compatible'] = 'IE=edge' + headers['X-Content-Type-Options'] = 'nosniff' + headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' if Gitlab.config.gitlab.https end def add_gon_variables |