Make cookies https-only if LOCAL_HTTPS is true, set X-Frame-Options to DENY,

add permissive CORS to API controllers
2016-11-02 12:57:14 +01:00
parent 0a6b5e2c17
commit 9467b900a2
3 changed files with 13 additions and 1 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -36,5 +36,9 @@ module Mastodon
    config.to_prepare do
      Doorkeeper::AuthorizationsController.layout 'auth'
    end
+
+    config.action_dispatch.default_headers = {
+      'X-Frame-Options' => 'DENY'
+    }
  end
 end