X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/3debff60ef50158c5439003ad4357d1f3dcc120b..8443e9a996efc1f36e852ee65695e37fc5446e7f:/config/initializers/secure_headers.rb diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index c97762a37..f09759fa6 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -26,8 +26,13 @@ csp_policy[:img_src] << Settings.storage_url if Settings.key?(:storage_url) csp_policy[:report_uri] << Settings.csp_report_url if Settings.key?(:csp_report_url) +cookie_policy = { + :httponly => { :only => ["_osm_session"] } +} + SecureHeaders::Configuration.default do |config| config.hsts = SecureHeaders::OPT_OUT + config.referrer_policy = "strict-origin-when-cross-origin" if Settings.csp_enforce config.csp = csp_policy @@ -39,4 +44,6 @@ SecureHeaders::Configuration.default do |config| config.csp = SecureHeaders::OPT_OUT config.csp_report_only = SecureHeaders::OPT_OUT end + + config.cookies = cookie_policy end