Covers response headers such as X-Frame-Options, Content-Security-Policy, Strict-Transport-Security (HSTS) and more, along with a library that makes applying them to Rails apps very simple.
Case: Strict-Transport-Security: max-age=10000000
Do all of your subdomains support SSL? Only if they do, add includeSubDomains:
Strict-Transport-Security: max-age=10000000; includeSubDomains
Caveat: includeSubDomains pins every subdomain to HTTPS for max-age seconds (here about 116 days), so a single HTTP-only subdomain becomes unreachable for returning users until the entry expires. The header is also only honoured when received over HTTPS.
(image: "SSL for Dummies")
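The two header values on this slide, as a minimal Rack-style middleware. This is an added example written for this page, not the library the talk describes; it assumes a Rack-compatible app (env hash in, [status, headers, body] out) and needs no gems, so it runs under plain Ruby.

```ruby
# Added example: Rack-style middleware that emits Strict-Transport-Security.
# Not the talk's library. Assumes a Rack-compatible app; no gems required.
class HstsMiddleware
  # max-age=10000000 as on the slide (about 116 days). RFC 6797 only requires
  # max-age; includeSubDomains is opt-in because it pins every subdomain to HTTPS.
  def initialize(app, max_age: 10_000_000, include_subdomains: false)
    @app = app
    @max_age = Integer(max_age)
    @include_subdomains = include_subdomains
  end

  # Builds the header value exactly as the browser expects it.
  def header_value
    value = "max-age=#{@max_age}"
    value += "; includeSubDomains" if @include_subdomains
    value
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Browsers ignore HSTS delivered over plain HTTP, so only set it on HTTPS
    # responses; on HTTP it would be pointless noise.
    if https?(env)
      headers = headers.merge("Strict-Transport-Security" => header_value)
    end
    [status, headers, body]
  end

  private

  # X-Forwarded-Proto must only be trusted when a reverse proxy you control
  # sets it; a client can otherwise spoof it.
  def https?(env)
    env["rack.url_scheme"] == "https" ||
      env["HTTPS"] == "on" ||
      env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end
end

# Constructed sample app so the example runs offline.
SAMPLE_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Helper: run one request through the middleware and return the HSTS header.
def hsts_header_for(scheme, include_subdomains: false)
  middleware = HstsMiddleware.new(SAMPLE_APP, include_subdomains: include_subdomains)
  _status, headers, _body = middleware.call("rack.url_scheme" => scheme)
  headers["Strict-Transport-Security"]
end

if __FILE__ == $PROGRAM_NAME
  puts hsts_header_for("https")                            # max-age=10000000
  puts hsts_header_for("https", include_subdomains: true)  # max-age=10000000; includeSubDomains
  p    hsts_header_for("http")                             # nil
end
```

In a Rails app the equivalent is `config.middleware.use HstsMiddleware, include_subdomains: true` in `config/application.rb`; flip `include_subdomains` on only after confirming every subdomain terminates TLS.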
The security model
It is a complicated spec with great differences across browsers.
It is not widely adopted.
However:
It eliminates most reflected and stored XSS: with no 'unsafe-inline', injected inline scripts never execute (a script injected under a source you have allowed still runs).
It ensures that you never load mixed content, because an https page with an https-only source list cannot fetch http resources.
Violation reports can reveal content injected on the client side, for example by a malicious browser extension.
It makes rendering user-supplied HTML far safer, since injected scripts are blocked; it is still no substitute for output encoding and sanitisation.
A script-src directive that does not contain 'unsafe-inline' eliminates most forms of cross-site scripting: injected inline <script> blocks, on* event handlers and javascript: URLs no longer execute. That means your own inline JavaScript stops working too, so move it into external files served from an allowed source.
I WILL NOT WRITE INLINE JAVASCRIPT
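The rule on this slide, worked through in code: build a policy from a Ruby hash, serialise it to the header, and check whether it still permits inline scripts. This is an added example written for this page, not the talk's library. The hostnames and the report endpoint are constructed placeholders. It goes slightly beyond the slide in one respect: the final helper adds a 'nonce-...' source, a later CSP addition that lets one deliberately marked inline script through while the blanket 'unsafe-inline' stays out.

```ruby
# Added example: CSP policy hash -> header string, plus an inline-script check.
# Not the talk's library; hosts and report-uri below are constructed placeholders.
require "securerandom"

# Strict policy: no 'unsafe-inline' anywhere.
STRICT_POLICY = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'", "https://cdn.example.com"],  # hypothetical CDN
  "style-src"   => ["'self'"],
  "img-src"     => ["'self'", "data:"],
  "report-uri"  => ["/csp-report"]                          # hypothetical endpoint
}.freeze

# The same policy with the escape hatch the slide warns against.
LAX_POLICY = STRICT_POLICY.merge("script-src" => ["'self'", "'unsafe-inline'"]).freeze

# Serialise to the Content-Security-Policy header value.
def csp_header(policy)
  policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join("; ")
end

# Parse a header value back into a hash, for auditing a live site's header.
def parse_csp(header)
  header.split(";").each_with_object({}) do |chunk, acc|
    name, *sources = chunk.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

# script-src falls back to default-src when absent, so both must be examined;
# a policy with only "default-src 'unsafe-inline'" still allows inline scripts.
def effective_script_sources(policy)
  policy["script-src"] || policy["default-src"] || []
end

def allows_inline_script?(policy)
  effective_script_sources(policy).include?("'unsafe-inline'")
end

# Per-response nonce: the one sanctioned way to run an inline <script nonce="...">
# without reopening the door with 'unsafe-inline'.
def generate_nonce
  SecureRandom.base64(16)
end

def policy_with_nonce(policy, nonce)
  policy.merge("script-src" => effective_script_sources(policy) + ["'nonce-#{nonce}'"])
end

if __FILE__ == $PROGRAM_NAME
  puts csp_header(STRICT_POLICY)
  puts "strict allows inline: #{allows_inline_script?(STRICT_POLICY)}"  # false
  puts "lax allows inline:    #{allows_inline_script?(LAX_POLICY)}"     # true
  puts csp_header(policy_with_nonce(STRICT_POLICY, generate_nonce))
end
```

Run `allows_inline_script?` over `parse_csp(response["Content-Security-Policy"])` in a smoke test to catch a deploy that quietly reintroduces 'unsafe-inline'; the default-src fallback is the case people miss.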