Commitd613ba9

authored

security: addX-Content-Type-Options: nosniff to block MIME-sniffing (#6344)

1 parentcae8b88 commitd613ba9Copy full SHA for d613ba9

File tree

+10

-0

lines changed

+10

-0

lines changed

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -319,6 +319,16 @@ func New(options Options) API {`
`319`	`319`	`next.ServeHTTP(w,r)`
`320`	`320`	`})`
`321`	`321`	`},`
	`322`	`+// This header stops a browser from trying to MIME-sniff the content type and`
	`323`	`+// forces it to stick with the declared content-type. This is the only valid`
	`324`	`+// value for this header.`
	`325`	`+// See: https://github.com/coder/security/issues/12`
	`326`	`+func(next http.Handler) http.Handler {`
	`327`	`+returnhttp.HandlerFunc(func(w http.ResponseWriter,r*http.Request) {`
	`328`	`+w.Header().Add("X-Content-Type-Options","nosniff")`
	`329`	`+next.ServeHTTP(w,r)`
	`330`	`+})`
	`331`	`+},`
`322`	`332`	`httpmw.CSRF(options.SecureAuthCookie),`
`323`	`333`	`)`
`324`	`334`

Comments

(0)