    Add secure_headers gem and config · 357cb241
    georg authored
    Due to the upgrade to Rails 5, formerly working installations which
    served both HTTP (towards a Tor onion service) and HTTPS requests broke
    due to mixed HTTP / HTTPS Origin headers and improved request forgery
    A simple fix would be to enforce HTTPS within Rails. However, in a setup
    as described, this would break the onion service.
    Accordingly, this commit introduces a new gem, secure_headers, which
    allows more fine-grained control of the involved settings. It
    requires a reverse proxy like Apache or Nginx which sets
    X-Forwarded-Proto for HTTPS requests, to make the backend aware.
    This change is based on these docs:
    Ref #55
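
The failure mode the commit message describes, as an added example that is not code from this commit or from the secure_headers gem: a simplified model of the Rails 5 origin check, showing why an HTTPS request is rejected until the reverse proxy sets X-Forwarded-Proto, while the plain-HTTP onion request keeps working. The helper names, hostnames and request environments are constructed for illustration.

```ruby
# Added illustration: simplified model of the Rails 5 CSRF origin check.
# Hostnames and request envs below are constructed samples.

# Scheme as the backend sees it. The proxy-to-backend hop is plain HTTP, so only
# X-Forwarded-Proto (set by the reverse proxy) reveals that the client used HTTPS.
def effective_scheme(env)
  forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase
  forwarded == 'https' ? 'https' : env.fetch('rack.url_scheme', 'http')
end

# scheme://host the application believes it is serving.
def base_url(env)
  "#{effective_scheme(env)}://#{env.fetch('HTTP_HOST')}"
end

# The check passes when Origin is absent or equals the backend's base URL.
def origin_ok?(env)
  origin = env['HTTP_ORIGIN']
  origin.nil? || origin == base_url(env)
end

SAMPLES = {
  # Browser used HTTPS, proxy forwarded over HTTP without telling the backend.
  https_without_header: { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'app.example',
                          'HTTP_ORIGIN' => 'https://app.example' },
  # Same request, proxy now sets X-Forwarded-Proto.
  https_with_header:    { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'app.example',
                          'HTTP_ORIGIN' => 'https://app.example',
                          'HTTP_X_FORWARDED_PROTO' => 'https' },
  # Onion service request: plain HTTP end to end, no forwarded header.
  onion_http:           { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'exampleservice.onion',
                          'HTTP_ORIGIN' => 'http://exampleservice.onion' }
}.freeze

# Returns { sample_name => true/false } for the constructed requests.
def check_samples
  SAMPLES.transform_values { |env| origin_ok?(env) }
end

if __FILE__ == $PROGRAM_NAME
  check_samples.each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'rejected'}" }
end
```

Because the backend trusts X-Forwarded-Proto, the proxy should overwrite any client-supplied value of that header, and the backend should be reachable only through the proxy.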