README.md in secure_headers-2.0.0.pre2 vs README.md in secure_headers-2.0.0

- old
+ new

@@ -7,40 +7,14 @@ - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx) - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx) - X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx) - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html) -This gem has integration with Rails, but works for any Ruby code. See the sinatra example section. - -## Installation - -Add to your Gemfile - -```ruby -gem 'secure_headers' -``` - -And then execute: - -```console -$ bundle -``` - -Or install it yourself as: - -```console -$ gem install secure_headers -``` - ## Usage -Functionality provided +- `ensure_security_headers` in a controller will set security-related headers automatically based on the configuration below. -- `ensure_security_headers`: will set security-related headers automatically based on the configuration below. - -By default, it will set all of the headers listed in the options section below unless specified. - ### Disabling Use the standard `skip_before_filter :filter_name, options` mechanism. e.g. `skip_before_filter :set_csp_header, :only => :tinymce_page` The following methods are going to be called, unless they are provided in a `skip_before_filter` block. 
@@ -115,13 +89,9 @@ :x_download_options => {:value => 'noopen'} :x_permitted_cross_domain_policies => {:value => 'none'} ``` ### Content Security Policy (CSP) - -All browsers will receive the webkit csp header except Firefox, which gets its own header. -See [WebKit specification](http://www.w3.org/TR/CSP/) -and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification) ```ruby :csp => { :enforce => false, # sets header to report-only, by default # default_src is required!
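Review bot: The first hunk (@@ -7,40 +7,14 @@) drops the whole Installation section (`gem 'secure_headers'`, `bundle`, `gem install secure_headers`) and the sentence "This gem has integration with Rails, but works for any Ruby code. See the sinatra example section." without anything in the visible context replacing them; unless the 2.0.0 README carries these elsewhere, a new user loses both the install step and the pointer to the non-Rails usage. The same hunk also removes "By default, it will set all of the headers listed in the options section below unless specified.", which is the only statement of what the filter does when a header is left unconfigured; suggest keeping that sentence (or folding it into the new `ensure_security_headers` bullet, e.g. "... based on the configuration below; every header listed under options is set unless you configure or skip it"), since the default-on behaviour is exactly what someone auditing a deployment needs to know.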
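Review bot: The second hunk (@@ -115,13 +89,9 @@) removes "All browsers will receive the webkit csp header except Firefox, which gets its own header." together with the links to the W3C and Mozilla CSP specifications, and adds nothing in their place. If 2.0.0 stops emitting the vendor-prefixed CSP headers and only sends the standard one, the README should say so explicitly (it is a behaviour change users of 1.x will notice when checking response headers), and the W3C reference should survive as the normative pointer rather than disappearing with the obsolete Mozilla one. Also worth a sentence next to the retained config line `:enforce => false, # sets header to report-only, by default`: because report-only is the default, a deployer who copies the sample block gets a policy that is logged but never enforced, so the docs should state that `:enforce => true` is required for the CSP to block anything.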