Question

I've found many answers on how to remove X-Frame-Options SAMEORIGIN, but I've been unable to find a correct answer for how to add it.

The app is on Heroku and is running under Rails 2.3.15 (nginx). I don't think it is a Sinatra app (I say this only because there is no config.ru. A friend built the app for me and he's unable to help out now, so I'm not positive.)

I tried adding the following to /app/controllers/application_controller.rb but it just made every page return a 503:

config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN' }

When that failed I tried this syntax instead, in the same file:

def set_x_frame_options
  response.headers["X-Frame-Options"] = "SAMEORIGIN"
end

That doesn't seem to break anything, but there are also no new HTTP headers added.

As you may be able to tell, I barely know what I'm talking about here, so please feel free to talk to me like I'm a n00b in your answer. :-)

-=-=- edit -=-=-=-

Figured it out myself for adding the HTTP header to pages served from the app itself.

Added this to /app/controllers/application_controller.rb :

class ApplicationController < ActionController::Base
  before_filter :default_headers  # runs before every action, app-wide

  protected  # keeps the filter method from being routable as a public action

  def default_headers
    # Sets the header on every response rendered by a controller
    headers['X-Frame-Options'] = 'SAMEORIGIN'
  end
end

Still not sure how to add it to a few pages I have outside the app, in /public/, so pointers welcome on that front.


Solution

Figured it out myself for adding the HTTP header to pages served from the app itself.

Added this to /app/controllers/application_controller.rb :

class ApplicationController < ActionController::Base
  before_filter :default_headers  # runs before every action, app-wide

  protected  # keeps the filter method from being routable as a public action

  def default_headers
    # Sets the header on every response rendered by a controller
    headers['X-Frame-Options'] = 'SAMEORIGIN'
  end
end

Still not sure how to add it to a few pages I have outside the app, in /public/, so pointers welcome on that front.
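A pointer on the /public/ question, as an added example that is not part of the original question or answer: a controller filter only touches responses that a controller renders, so static files never get the header. A Rack middleware sits below the controllers and sees every response that passes through the Rack stack, static files included, as long as the request actually reaches Rack (if the front-end web server serves /public/ directly, the header has to be configured there instead). In Rails 2.3 a middleware class like the one below is registered with `config.middleware.use FrameOptionsHeader` inside the `Rails::Initializer.run` block in config/environment.rb. The class name, the `DEMO_APP` stand-in and its paths are all assumptions made for this example; the middleware itself is plain Ruby with no gem dependency, so it runs on its own.

```ruby
# Added example (not from the original question or answer): a small Rack
# middleware that sets X-Frame-Options on every response passing through
# the Rack stack, including static files served by Rack rather than by a
# controller. Plain Ruby: the "app" is any object responding to #call and
# returning [status, headers, body], so no gems are needed to run this.
class FrameOptionsHeader
  HEADER = 'X-Frame-Options'

  # value: the policy applied when a response carries no X-Frame-Options
  # header of its own. DENY and SAMEORIGIN are the two widely supported values.
  def initialize(app, value = 'SAMEORIGIN')
    @app   = app
    @value = value
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only fill in the header when the downstream app left it unset, so a
    # controller can still choose a stricter policy for a specific action.
    headers[HEADER] = @value unless headers.key?(HEADER)
    [status, headers, body]
  end
end

# Constructed stand-in for the Rails app plus its static files (assumed
# paths): one path mimics a file under /public/, one mimics a controller
# action that already set a stricter header, everything else is a 404.
DEMO_APP = lambda do |env|
  case env['PATH_INFO']
  when '/static/help.html'
    [200, { 'Content-Type' => 'text/html' }, ['<h1>help</h1>']]
  when '/locked-down'
    [200, { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'DENY' }, ['<p>no framing</p>']]
  else
    [404, { 'Content-Type' => 'text/plain' }, ['not found']]
  end
end

# Wrap the app exactly as `config.middleware.use FrameOptionsHeader` would.
PROTECTED_APP = FrameOptionsHeader.new(DEMO_APP)

# Run one GET for the given path through the wrapped stack and return the
# response headers, so the effect of the middleware can be inspected.
def response_headers(path)
  _status, headers, _body = PROTECTED_APP.call('PATH_INFO' => path, 'REQUEST_METHOD' => 'GET')
  headers
end

if __FILE__ == $PROGRAM_NAME
  %w[/static/help.html /locked-down /missing].each do |path|
    puts "#{path}: X-Frame-Options=#{response_headers(path)['X-Frame-Options']}"
  end
end
```

The "only when unset" rule is the one design choice worth noting: it lets the middleware act as the app-wide default while a controller (or the `default_headers` filter above) keeps the final say, and it also means error pages and 404s that never touch a controller still leave with the header.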
