Skip to content

Commit d613ba9

Browse files
kylecarbskylecarbs
authored
security: add X-Content-Type-Options: nosniff to block MIME-sniffing (coder#6344)
coder/security#12
1 parent cae8b88 commit d613ba9

File tree

1 file changed

+10
-0
lines changed

1 file changed

+10
-0
lines changed

coderd/coderd.go

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -319,6 +319,16 @@ func New(options *Options) *API {
319319
next.ServeHTTP(w, r)
320320
})
321321
},
322+
// This header stops a browser from trying to MIME-sniff the content type and
323+
// forces it to stick with the declared content-type. This is the only valid
324+
// value for this header.
325+
// See: https://github.com/coder/security/issues/12
326+
func(next http.Handler) http.Handler {
327+
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
328+
w.Header().Add("X-Content-Type-Options", "nosniff")
329+
next.ServeHTTP(w, r)
330+
})
331+
},
322332
httpmw.CSRF(options.SecureAuthCookie),
323333
)
324334

0 commit comments

Comments
 (0)