Implement global security headers and CSP - Fix of #93 (PR #97)
Open
sabdosh wants to merge 1 commit into thoth-tech:10.0.x from
Description
This fix addresses missing HTTP security headers in Doubtfire API responses. Previously, API responses did not consistently include important browser-side protections such as Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The absence of these headers increased exposure to risks such as clickjacking, MIME sniffing, cross-site scripting (XSS), and unnecessary browser feature access.
Changes made
doubtfire-api/config/application.rb
Added global security headers using Rails default headers configuration so all API responses automatically include them:
This approach ensures headers are applied consistently across all controllers and API endpoints without modifying individual routes.
Fixes: Missing Security Headers issue
How Has This Been Tested?
The fix was verified locally using curl and Burp Suite against the Rails API running on localhost:3000.
Test 1 — curl header validation
Sent request to:
GET /api/units/1/all_resources
Confirmed response now includes:
Command used:
curl -I http://localhost:3000/api/units/1/all_resources
Test 2 — Burp Suite validation
Captured API response using Burp Suite Proxy.
Confirmed:
Security headers are present in all responses
Headers match expected secure configuration
No missing header issues observed
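The two points above (setting the headers once through Rails' default-headers configuration, and then confirming with a `curl -I` capture that every response carries them) can be exercised offline with the following Ruby script. This is an added example, not code from this PR or from the Doubtfire project: the header values in `SECURITY_HEADERS` are illustrative assumptions rather than the values the PR sets, the `parse_curl_headers` and `check_security_headers` functions are hypothetical helpers, and the two header blocks are constructed samples, not captured API output. `config.action_dispatch.default_headers` is the real Rails setting the PR's approach relies on.

```ruby
# Added example, not the PR's own code. Illustrates the "set once, applied to
# every response" approach via Rails' default_headers, plus a checker that
# validates a `curl -I` capture against that policy.

# Hypothetical header set (assumed values, not the PR's). This is the shape
# config.action_dispatch.default_headers accepts: a plain Hash that Rails
# merges into every response, so no individual controller needs changing.
SECURITY_HEADERS = {
  "Content-Security-Policy" => "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
  "X-Frame-Options"         => "DENY",
  "X-Content-Type-Options"  => "nosniff",
  "Referrer-Policy"         => "strict-origin-when-cross-origin",
  "Permissions-Policy"      => "camera=(), microphone=(), geolocation=()",
}.freeze

# In config/application.rb this would be wired up as:
#   config.action_dispatch.default_headers.merge!(SECURITY_HEADERS)

# Parse the raw block printed by `curl -I` into a Hash keyed by lower-cased
# header name (HTTP header names are case-insensitive).
def parse_curl_headers(raw)
  headers = {}
  raw.each_line do |line|
    line = line.chomp
    next if line.empty? || line.start_with?("HTTP/")   # skip status line
    name, value = line.split(":", 2)
    next if value.nil?                                   # not a header line
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# Return a list of findings; an empty list means the response satisfies the
# policy. Checks presence of each header and a few value-level sanity rules.
def check_security_headers(headers)
  findings = []
  SECURITY_HEADERS.each_key do |name|
    findings << "missing #{name}" unless headers.key?(name.downcase)
  end
  if (csp = headers["content-security-policy"])
    findings << "CSP lacks default-src" unless csp.include?("default-src")
    findings << "CSP allows 'unsafe-inline' scripts" if csp =~ /script-src[^;]*'unsafe-inline'/
  end
  if (xfo = headers["x-frame-options"]) && !%w[DENY SAMEORIGIN].include?(xfo.upcase)
    findings << "X-Frame-Options has unexpected value #{xfo}"
  end
  if (xcto = headers["x-content-type-options"]) && xcto.downcase != "nosniff"
    findings << "X-Content-Type-Options is not nosniff"
  end
  findings
end

# Constructed sample captures (not real API output): one response without the
# fix, one with every header from the policy present.
BEFORE_FIX = <<~HDR
  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  Cache-Control: max-age=0, private, must-revalidate
HDR

AFTER_FIX = <<~HDR
  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
HDR

if __FILE__ == $0
  puts "before: #{check_security_headers(parse_curl_headers(BEFORE_FIX)).inspect}"
  puts "after:  #{check_security_headers(parse_curl_headers(AFTER_FIX)).inspect}"
end
```

To run the checker against a live instance, pipe the real capture in (for example `curl -sI http://localhost:3000/api/units/1/all_resources`) and pass its output to `parse_curl_headers`; the checker reports one finding per missing header, which is the same condition the Burp Suite review above confirmed by eye.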
Impact
This fix strengthens the application’s security posture by enforcing standard HTTP security headers aligned with OWASP best practices, reducing exposure to common web-based attacks.
Checklist: